ncp-ciphers uses data-ciphers in the background, which does not allow encryption to be disabled; it only accepts a list of ciphers for negotiation.
Disabling encryption causes the openvpn service to fail.
Jul 02 17:21:29 openvpn-vtun10[1861372]: Unsupported cipher in --data-ciphers: NONE
Jul 02 17:21:29 openvpn-vtun10[1861372]: Options error: --data-ciphers list contains unsupported ciphers or is too long.
Jul 02 17:21:29 openvpn-vtun10[1861372]: Use --help for more information.
Jul 02 17:21:29 systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Jul 02 17:21:29 systemd[1]: [email protected]: Failed with result 'exit-code'.
Jul 02 17:21:29 systemd[1]: Failed to start [email protected] - OpenVPN connection to vtun10.
Configuration:
set interfaces openvpn vtun10 encryption ncp-ciphers 'none'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '10.217.80.116'
set interfaces openvpn vtun10 local-port '1195'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server subnet '10.0.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'root-ca'
set interfaces openvpn vtun10 tls certificate 'server1'
set interfaces openvpn vtun10 tls dh-params 'dh-1'
vyos@test1# set int openvpn vtun10 encryption ncp-ciphers
Possible completions:
  none       Disable encryption
  3des       DES algorithm with triple encryption
  aes128     AES algorithm with 128-bit key CBC
  aes128gcm  AES algorithm with 128-bit key GCM
  aes192     AES algorithm with 192-bit key CBC
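A pre-commit check for the mismatch reported above, as an added example that is not VyOS code: it scans `set` commands for ncp-ciphers values that have no --data-ciphers equivalent and pulls the rejected name out of the journal lines. The VyOS-to-OpenVPN name mapping, the `vtun11` interface and the function names are assumptions made for this example.

```python
import re
import shlex

# Assumed mapping from the completion names listed above to OpenVPN cipher
# names. 'none' has no entry: --data-ciphers only takes negotiable ciphers.
VYOS_TO_OPENVPN = {
    "3des": "DES-EDE3-CBC",
    "aes128": "AES-128-CBC",
    "aes128gcm": "AES-128-GCM",
    "aes192": "AES-192-CBC",
}

def audit_ncp_ciphers(set_commands):
    """Return {interface: {"accepted": [openvpn names], "rejected": [vyos values]}}."""
    report = {}
    for line in set_commands.splitlines():
        tok = shlex.split(line)  # strips the quotes around the value
        # Shape: set interfaces openvpn <if> encryption ncp-ciphers <value>
        if (len(tok) == 7 and tok[:3] == ["set", "interfaces", "openvpn"]
                and tok[4:6] == ["encryption", "ncp-ciphers"]):
            entry = report.setdefault(tok[3], {"accepted": [], "rejected": []})
            name = VYOS_TO_OPENVPN.get(tok[6])
            if name:
                entry["accepted"].append(name)
            else:
                entry["rejected"].append(tok[6])
    return report

def rejected_in_log(log_text):
    """Cipher names OpenVPN refused, read from journal lines like those above."""
    return re.findall(r"Unsupported cipher in --data-ciphers: (\S+)", log_text)

# Constructed sample input: vtun10 is taken from the report, vtun11 is made up.
SAMPLE_CONFIG = """\
set interfaces openvpn vtun10 encryption ncp-ciphers 'none'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun11 encryption ncp-ciphers 'aes128gcm'
"""
SAMPLE_LOG = (
    "Jul 02 17:21:29 openvpn-vtun10[1861372]: "
    "Unsupported cipher in --data-ciphers: NONE\n"
)

if __name__ == "__main__":
    for ifname, result in audit_ncp_ciphers(SAMPLE_CONFIG).items():
        status = "would fail to start" if result["rejected"] else "ok"
        print(ifname, status, result)
    print("rejected by openvpn:", rejected_in_log(SAMPLE_LOG))
```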