Disabling OpenVPN encryption/auth completely

Discussion in 'VPN' started by R G G, Jun 19, 2019.

  1. R G G

    R G G Occasional Visitor

    Joined:
    Apr 18, 2019
    Messages:
    12
    I need to disable all CPU intensive aspects of OpenVPN, I understand this defeats the point of using a VPN, but I don't use a VPN to be "secure", per se. I have been forced into using a VPN because of my ISP's abysmal routing, so my only solution is to connect to a local server which provides better routing, and because my router cannot handle OpenVPN's encryption algorithms, I get a fraction of my internet speed. I have access to the .conf file in /etc/openvpn but haven't been able to find any useful tutorial on how to disable encryption. Here's what I have right now:


    port 60646
    proto udp
    dev tun
    user nobody
    group nogroup
    persist-key
    persist-tun
    keepalive 10 120
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "dhcp-option DNS 1.0.0.1"
    push "dhcp-option DNS 1.1.1.1"
    push "redirect-gateway def1 bypass-dhcp"
    dh none
    ecdh-curve prime256v1
    tls-crypt tls-crypt.key 0
    crl-verify crl.pem
    ca ca.crt
    cert server_f2i6FqpKuVdad786.crt
    key server_f2i6FqpKuVdad786.key
    auth none
    #;auth SHA256
    cipher none
    #;cipher AES-128-GCM
    ncp-disable
    #;ncp-ciphers AES-128-GCM
    #;tls-server
    #;tls-version-min 1.2
    #;tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    status /var/log/openvpn/status.log
    verb 1


    Disabled the cipher but it's still using this thing called "Encrypt channel" which I don't know how to get rid of. The OpenVPN official documentation is a mess, can't really find any help on there. Any help would be appreciated.
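
An added example, not part of the thread and not OpenVPN project code: a small Python audit that reports which protections a server config like the one posted above still applies. It assumes OpenVPN 2.4 defaults (BF-CBC, SHA1) and that active NCP negotiates an AES-GCM cipher; `SAMPLE_CONF`, `parse_directives` and `audit` are names made up for this example.

```python
import shlex

# Constructed sample: the crypto-related directives from the config posted above.
SAMPLE_CONF = """\
tls-crypt tls-crypt.key 0
auth none
#;auth SHA256
cipher none
#;cipher AES-128-GCM
ncp-disable
#;ncp-ciphers AES-128-GCM
"""

def parse_directives(text):
    """Map each active directive to its arguments; lines starting with # or ; are comments."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        active[parts[0]] = parts[1:]
    return active

def audit(text):
    """Report which protections remain (assumed OpenVPN 2.4 defaults and NCP behaviour)."""
    d = parse_directives(text)
    cipher = (d.get("cipher") or ["BF-CBC"])[0]   # assumed 2.4 default when unset
    auth = (d.get("auth") or ["SHA1"])[0]         # assumed 2.4 default when unset
    ncp_active = "ncp-disable" not in d
    no_cipher = cipher.lower() == "none" and not ncp_active
    # Assumption: when NCP is active, the peers settle on an AEAD (AES-GCM) cipher.
    aead = ncp_active or cipher.upper().endswith("-GCM")
    report = {
        "data_encrypted": not no_cipher,
        "data_integrity": aead or auth.lower() != "none",
        "control_wrap": next((k for k in ("tls-crypt", "tls-auth") if k in d), None),
        "warnings": [],
    }
    if not report["data_encrypted"]:
        report["warnings"].append("tunnel payload is sent in cleartext")
    if not report["data_integrity"]:
        report["warnings"].append("tunnel payload can be modified or injected undetected")
    if cipher.lower() == "none" and ncp_active:
        report["warnings"].append("cipher none is set but NCP may still negotiate AES-GCM")
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

For the posted directives the report shows no data-channel encryption or integrity, while `tls-crypt` is still active, so control-channel packets remain encrypted and authenticated.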
     
  2. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    220
    Would help if you provided a better picture of the overall configuration/setup. All I see is an OpenVPN server config, and not much else. That leaves us to guess what's connecting to what, where, etc. This "routing" issue you mentioned is unclear.

    If all this OpenVPN connectivity is local (i.e., behind the WAN of your router), I'd be more inclined to configure a PTP (point to point) tunnel w/o cipher nor hash via scripting, rather than try to manipulate the router's PTMP (point to multipoint) config in the GUI. A PTP tunnel is very simple and uses a static key (which can be eliminated as well) in place of certs and keys.

    Also, the biggest problem in terms of performance is NOT encryption (although it plays a marginal role). It's the fact that OpenVPN runs in user space, and NOT the kernel. That's why even if you use a PTP tunnel as I suggested above, you'll have the same crappy performance. Not unless you have a *very* powerful router, like an ASUS RT-AC86U.
     
  3. R G G


    I have an RT-AC1750B1, which is similar specs wise to the 68U. PPTP is out of the question because for some reason PPTP servers give me 3 Mbps down and 50 Mbps up. The upload is retained but download is cut by 15 times, which is very odd. L2TP was also an option I looked into but it seems like it'd be easier to disable encryption on OpenVPN rather than pursuing L2TP without IPsec (router doesn't support PSK).

    The routing I was talking about might've confused you, I was actually referring to the physical routes that my ISP uses to guide packets. They don't have very good peering partnerships so they rely on poor IP transit services to get traffic around, but I've managed to find a data center that gives me 2 ms ping, so I bought a VPS from there and use it as a bridge to improve my international routing to access sites and servers with lower ping which is important to me. Problem is, my router bottlenecks at 20 Mbps down / 40 Mbps up with OpenVPN when encryption is enabled. After disabling cipher, I managed to get the full 50 Mbps upload, but download is still lingering around ~30 Mbps, not to mention the buffer bloat caused by the router's CPU maxing out - terrible. I have hope that this might work, because disabling cipher definitely helped, but now I'm looking to disable other CPU intensive features, which is why I made this thread.

    If you have any suggestions as to how I can fix the PPTP download speed issue, or how I can disable L2TP's IPsec, I'd be open to giving those protocols another shot. But it seems like OpenVPN is the best path to getting what I want, which is to get the full 50/50 speed of my connection and more importantly no buffer bloat.
     
  4. eibgrad

    Thanks for the additional details.

    As I said before, the fact that OpenVPN runs in user space and NOT the kernel is the most significant contributor to poor performance. Fiddling around w/ encryption and other settings will provide some marginal improvements, but if you're expecting to get anything near full bandwidth from your ISP (or even your own VPS), forget about it. And it's not just OpenVPN. PPTP is affected as well, and for the same reasons.

    That's why some ppl are turning to Wireguard as an alternative. The author even touts the fact it runs in the kernel, and thus has better performance. Of course, Wireguard is relatively new, and finding a commercial Wireguard provider could be problematic in some cases. But if you're supporting your own VPN via a VPS, I suppose that becomes a viable option. Or as I said, just get a *much* better router. Even my own ASUS RT-AC68U tops out around 16-18Mbps (download) w/ any VPN.

    Note, my ISP is capable of delivering 120/10Mbps, and using a PC to support the VPN, I can get nearly full bandwidth, at least if the VPN provider doesn't become the bottleneck. So perhaps running the VPN on something other than the router and making *it* the default gateway is another option as well.
     
    Last edited: Jun 20, 2019
  5. R G G


    Thanks for the clear explanation. I've just managed to get L2TP up and running with this auto-setup script. Funnily enough, it says that it installs "IPsec" but somehow lets the router connect without a PSK. I was finding it hard to manually set up L2TP, so this made it really easy and I can now connect via L2TP with no encryption and get 50/50, albeit with +10ms buffer bloat when I evaporate the bandwidth, so it's clearly not perfect either. The problem is now partially solved, but it's a pretty ghetto solution if you ask me.

    I'm still looking into setting up pfSense but unfortunately I don't have a spare PC, only a spare laptop, and obviously you need more than 1 network card for it to behave as a router. There is a way to get around it with VLANs but even that requires expensive managed network switches, and mine's unmanaged. I looked through the Wireguard site and it seems like the only router OS that's supported is OpenWRT, which doesn't run (at least properly), on ASUS routers due to a BroadCom chipset issue, so for now it seems to be out of the question.
     
  6. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    834
    Location:
    USA
    Some here have been running Wireguard on the ASUS RT-AC86U successfully for some time now.
    https://www.snbforums.com/threads/experimental-wireguard-for-rt-ac86u.46164/
     
  7. R G G


    Just set up Wireguard on the VPS and it seems very decent, using it with their PC client now. But I have an AC68U and not 86U, and from my research, apparently the 68U's kernel isn't compatible with Wireguard. Any solution or am I out of luck?
     
  8. Butterfly Bones

    From what I understand, yes, your kernel is too old, and only a new router will have a newer kernel, no way to upgrade the 86U.