In the very first recipe, we created a tunnel in which the data traffic was not encrypted. To create a completely plain text tunnel, we also disable the HMAC authentication. This can be useful when debugging a bad connection, as all traffic over the tunnel can now easily be monitored. In this recipe, we will look at how to do this. This type of tunnel is also useful when doing performance measurements, as it is the least CPU-intensive tunnel that can be established.
Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Fedora 13 Linux and OpenVPN 2.1.1.
As we are not using any encryption, no secret keys are needed.
- Launch the server (listening)-side OpenVPN process:
[root@server]# openvpn \ --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun -–auth none
- Then launch the client-side OpenVPN process:
[root@client]# openvpn \ --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun –-auth none\ --remote openvpnserver.example.com
- The connection is established with two warning messages in the output:
… ******* WARNING *******: null cipher specified, no encryption will be used
… ******* WARNING *******: null MAC specified, no authentication will be used
With this setup, absolutely no encryption is performed. All the traffic that is sent over the tunnel is encapsulated in an OpenVPN packet and then sent "as-is".
To actually view the traffic, we can use tcpdump:
- Set up the connection as outlined.
- Start
tcpdumpand listen on the network interface, not the tunnel interface itself:[root]@client]# tcpdump -w -I eth0 -s 0 host openvpnserver \ | strings
- Now, send some text across the tunnel, using something like
nc(Netcat). First, launchncon the server side:[server]$ nc -l 31000 On the client side, launchncin client mode and type the wordshelloandgoodbye.[client]$ nc 10.200.0.1 3100 hello goodbye
- In the
tcpdumpwindow, you should now see: