OpenVPN: Connection fails when disabling auth or cipher

edited October 2016 in VPN Setup Support
I am trying to use OpenVPN over TCP using the .ovpn files provided here. Everything works fine until I attempt to disable either `auth` or `cipher` in the .ovpn config, or from the command line. (I can disable auth and cipher successfully over UDP, but not TCP.)


How can I disable auth and cipher without OpenVPN failing to connect?


(If you're wondering why I am using TCP instead of UDP, it's because TCP is about 3.5x faster for me than UDP when torrenting.)

Comments

  • Hi,

    You cannot turn off auth or cipher. The settings need to match as closely as possible the settings the server expects, otherwise it will error and disconnect as you saw. The servers are actually patched to be slightly more flexible in what options they accept, but generally still a very limited set of ciphers and HMAC hashes.


    Since you are trying to disable encryption entirely, using PPTP will likely be a bit simpler, although I would recommend it. You appear to be using a PC version of OpenVPN, so the overhead of the AES encryption should be really negligible. Here are the performance results on my laptop (2010):

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    blowfish cbc     90833.83k    95921.43k    98480.21k    99170.30k    99404.46k
    aes-128 cbc      83714.05k    93708.16k    96057.09k    96786.43k    96957.78k
    aes-256 cbc      63811.29k    67203.29k    68392.79k    68480.00k    68755.46k

    Simply multiply those results by 8 to get the result in kbps. That means AES-256 would handle 68 MB/s, so ~544 Mbps. Unless you have a fiber link and a low enough latency to actually get those speeds with PIA (hard to achieve even on localhost due to how the tuntap module works), I wouldn't bother turning off encryption.
  • On your webpage you say that it is possible. https://www.privateinternetaccess.com/pages/vpn-encryption

    Please post the settings/port required to connect without cipher and auth.

    Regards
  • edited December 2016
    @johndoe65: At the moment this is only possible using the desktop application as it does some trickery to negotiate that setting which standard OpenVPN clients don't support. Therefore it is not possible with OpenVPN alone. You can however grab the binary from the PIA application and use it alone, in which case it will work fine on any of our ports and gateways defined in this article as long as the CA certificate matches. To disable encryption with these, you need to set both cipher and auth to none.

    EDIT: The patches and source code for PIA's changes to make this work are available here: https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch/p1