add ciphers configuration support for version 2.5+

data-ciphers
data-ciphers-fallback

Author: NikolayDachev

openvpn/files/common_opts.jinja

@@ -205,6 +205,14 @@ cipher "{{ cipher }}"
 {%- endfor %}
 {%- endif %}
 
+{%- if config.data_ciphers is defined %}
+data-ciphers "{{ config.data_ciphers }}"
+{%- endif %}
+
+{%- if config.data_ciphers_fallback is defined %}
+data-ciphers-fallback "{{ config.data_ciphers_fallback }}"
+{%- endif %}
+
 {%- if config.tls_cipher is defined %}
 tls-cipher {{ config.tls_cipher }}
 {%- endif %}

pillar.example

@@ -139,6 +139,9 @@ openvpn:
       # see https://bettercrypto.org/static/applied-crypto-hardening.pdf
       ciphers:
         - AES-256-CBC
+      # for version 2.5+ - https://community.openvpn.net/openvpn/wiki/CipherNegotiation
+      data_ciphers: "AES-256-GCM:AES-128-GCM"
+      data_ciphers_fallback: "AES-256-CBC"
       auths:
         - SHA384
       # yamllint disable-line rule:line-length