OpenVPN unable to disable encryption

Solution 1:

It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify

ncp-disable

Disable “negotiable crypto parameters”. This completely disables cipher negotiation.

When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.

Solution 2:

Assuming you are running OpenVPN 2.4, I believe you also need to set

ncp-disable

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Some background:

OpenVPN used to require you to manually configure the encryption algorithm to the same value on both ends. This, however, posed a problem: it made it very difficult to upgrade the encryption on an existing multi-user VPN. In 2016 an attack called "sweet32" was devised, allowing plaintext to be recovered in some circumstances. It wasn't exactly an easy attack to pull off in practice, and there was a way of mitigating it without changing cipher, but it was still a concerning development.

OpenVPN 2.4 introduced a new feature, enabled by default, for negotiating crypto parameters. I'm not sure if this was a reaction to sweet32 or a result of general concerns about the implications of being effectively locked into a single cipher-suite.

So when negotiation of crypto parameters is enabled the "cipher" setting effectively acts as a fall-back to be used if the other side of the connection does not support negotiation.
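As an added illustration of the rule both answers describe (not code from either answer or from the OpenVPN project), the following script models how a 2.4 client/server pair ends up with a cipher: negotiate from ncp-ciphers while NCP is on, otherwise fall back to the static cipher directive. It assumes both peers are 2.4, that the server takes the first entry of its ncp-ciphers list the client also lists, and that 2.4's default static cipher is BF-CBC; the config fragments are constructed, and real OpenVPN has more corner cases than this.

```python
# Added example: lint OpenVPN 2.4 configs for the cipher a tunnel will actually use.
# Simplified model of NCP negotiation as described in the answers above.

DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"  # 2.4 default for ncp-ciphers
DEFAULT_STATIC_CIPHER = "BF-CBC"                # 2.4 default for 'cipher'
SWEET32_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block ciphers


def parse_config(text):
    """Return {directive: value-or-True} for one config file; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else True
    return opts


def effective_cipher(client_cfg, server_cfg):
    """Return (cipher, explanation); cipher is None on a static-cipher mismatch."""
    c, s = parse_config(client_cfg), parse_config(server_cfg)
    ncp_on = "ncp-disable" not in c and "ncp-disable" not in s
    if ncp_on:
        c_list = c.get("ncp-ciphers", DEFAULT_NCP_CIPHERS).split(":")
        s_list = s.get("ncp-ciphers", DEFAULT_NCP_CIPHERS).split(":")
        for cand in s_list:              # server preference order wins
            if cand in c_list:
                return cand, "negotiated via NCP; the 'cipher' directive was not used"
    # NCP off on either side, or no common NCP cipher: static 'cipher' must match
    cc = c.get("cipher", DEFAULT_STATIC_CIPHER)
    sc = s.get("cipher", DEFAULT_STATIC_CIPHER)
    if cc != sc:
        return None, f"static cipher mismatch: client {cc}, server {sc}"
    return cc, "static 'cipher' directive (no negotiation)"


def assess(client_cfg, server_cfg):
    """Classify the outcome from a defender's point of view."""
    cipher, how = effective_cipher(client_cfg, server_cfg)
    if cipher is None:
        return "ERROR", how
    if cipher.lower() == "none":
        return "CRITICAL", f"tunnel carries plaintext ({how})"
    if cipher in SWEET32_CIPHERS:
        return "WARN", f"{cipher} is a 64-bit block cipher exposed to Sweet32 ({how})"
    return "OK", f"{cipher} ({how})"


if __name__ == "__main__":
    # Constructed sample: client sets 'cipher' but leaves NCP on, so it gets AES-256-GCM anyway
    print(assess("cipher AES-256-CBC\n", "cipher AES-256-CBC\n"))
```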

Tags:

Openvpn