OpenVPN connection with authentication but without encryption

[spitkanen]

Hi,

I'm using OpenVPN 2.4.6 and I'm trying to create authenticated but unencrypted connections between devices.

My server config looks like this:

Code: Select all

port 1194
proto udp
mode server
tls-server
topology subnet
push "topology subnet"
dev tun
#Keys and certificates
ca /usr/share/vpn/keys/ca.crt
cert /usr/share/vpn/keys/server.crt
key /usr/share/vpn/keys/server.key
dh /usr/share/vpn/keys/dh1024.pem
#Network settings
ifconfig 10.8.0.2 255.255.224.0
push "route-gateway 10.8.0.2"
ifconfig-pool 10.8.0.1 10.8.31.254 255.255.224.0
#Allowing of connections with same common names
duplicate-cn
#Data persisting over reload
persist-key
persist-tun
#Client to client communication
client-to-client
#Encryption
cipher none
#Authentication
auth SHA384

And the config for one substation looks like this:

Code: Select all

client
port 1194
proto udp
topology subnet
dev tun
#Network settings
remote a.b.c.d 1194 # <- Actual IP address of server goes here
#Keys and certificates
ca /usr/share/vpn/keys/ca.crt
cert /usr/share/vpn/keys/5.crt
key /usr/share/vpn/keys/5.key  # This file should be kept secret
#Data persisting over reload
persist-key
persist-tun
#Encryption
cipher none
#Authentication
auth SHA384

The first client to connect works, but every client that connects afterwards does not work. The tunnel is seemingly created successfully:

Code: Select all

5/10.10.32.5:1194 Data Channel: using negotiated cipher 'AES-256-GCM'
5/10.10.32.5:1194 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 AF:14/121 ]
5/10.10.32.5:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
5/10.10.32.5:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

But when traffic is sent, the following errors are seen in the server logs:

Code: Select all

Float requested for peer 0 to 10.10.32.5:1194
AEAD Decrypt error: cipher final failed

Does anyone have any idea what could be wrong?

[TinCanTech]

Re: OpenVPN connection with authentication but without encryption

You still have cipher negotiation enabled ..

[spitkanen]

I have tried disabling cipher negotiation by adding ncp-disable to both the server and clients. But then it does not work with even one client. In the server, I see the following errors when receiving data:

Code: Select all

Authenticate/Decrypt packet error: missing authentication info

And the following errors in the client:

Code: Select all

Authenticate/Decrypt packet error: packet HMAC authentication failed

What else do I need to add/modify to get the connection working with ncp-disable?

[rasfar]

Did you ever get this working?

I am trying something the same, but cant get it working correctly.

Authentication yes
but Encryption No

The options are all there but it just doesn't work on some devices. Namely my OpenWRT client, my Ubuntu can connect fine...

[TinCanTech]

If you do not have encryption then it is not a Private network .. virtual or otherwise.

Which is why nobody cares ..