openvpn: update to 2.5.0

New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>

net/openvpn/files/openvpn.config

@@ -254,6 +254,24 @@ config openvpn sample_server
 	# on the system
 #	option tls_version_min "1.2 'or-highest'"
 
+	# List the preferred ciphers to use for the data channel.
+	# Run openvpn --show-ciphers to see all supported ciphers.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher in order to be compatible with
+	# peers that do not support cipher negotiation.
+	#
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
+
 	# OpenVPN versions 2.4 and later will attempt to
 	# automatically negotiate the most secure cipher
 	# between the client and server, regardless of a
@@ -265,21 +283,6 @@ config openvpn sample_server
 	# cipher option instead (not recommended).
 #	option ncp_disable
 
-	# Select a cryptographic cipher.
-	# This config item must be copied to
-	# the client config file as well.
-	#
-	# To see all supported ciphers, run:
-	# openvpn --show-ciphers
-	#
-	# Blowfish (default for backwards compatibility,
-	# but not recommended due to weaknesses):
-#	option cipher BF-CBC
-	# AES:
-#	option cipher AES-128-CBC
-	# Triple-DES:
-#	option cipher DES-EDE3-CBC
-
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
@@ -293,6 +296,15 @@ config openvpn sample_server
 	# LZO is compatible with most OpenVPN versions
 	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
 #	option compress lzo
+	# Control how OpenVPN handles peers using compression
+	#
+	# Do not allow any connections using compression
+#	option allow_compression 'no'
+	# Allow incoming compressed packets, but do not send compressed packets to other peers
+	# This can be useful when migrating old configurations with compression activated
+#	option allow_compression 'asym'
+	# Both incoming and outgoing packets may be compressed
+#	option allow_compression 'yes'
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
@@ -449,10 +461,21 @@ config openvpn sample_client
 	# on the system
 #	option tls_version_min "1.2 'or-highest'"
 
-	# Select a cryptographic cipher.
-	# If the cipher option is used on the server
-	# then you must also specify it here.
-#	option cipher x
+	# List the preferred ciphers for the data channel.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher if you connect to a peer that does
+	# not support cipher negotiation.
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
 
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also

net/openvpn/files/openvpn.options

@@ -1,10 +1,12 @@
 OPENVPN_PARAMS='
+allow_compression
 askpass
 auth
 auth_retry
 auth_user_pass
 auth_user_pass_verify
 bcast_buffers
+bind_dev
 ca
 capath
 cd
@@ -21,6 +23,7 @@ connect_retry
 connect_retry_max
 connect_timeout
 crl_verify
+data_ciphers_fallback
 dev
 dev_node
 dev_type
@@ -51,7 +54,6 @@ iroute_ipv6
 keepalive
 key
 key_direction
-key_method
 keysize
 learn_address
 link_mtu
@@ -69,7 +71,6 @@ mssfix
 mtu_disc
 mute
 nice
-ns_cert_type
 ping
 ping_exit
 ping_restart
@@ -116,6 +117,9 @@ syslog
 tcp_queue_limit
 tls_auth
 tls_crypt
+tls_crypt_v2
+tls_crypt_v2_verify
+tls_export_cert
 tls_timeout
 tls_verify
 tls_version_min
@@ -129,6 +133,8 @@ user
 verb
 verify_client_cert
 verify_x509_name
+vlan_accept
+vlan_pvid
 x509_username_field
 '
 
@@ -137,6 +143,7 @@ allow_recursive_routing
 auth_nocache
 auth_user_pass_optional
 bind
+block_ipv6
 ccd_exclusive
 client
 client_to_client
@@ -185,10 +192,13 @@ tls_server
 up_delay
 up_restart
 username_as_common_name
+vlan_tagging
 '
 
 OPENVPN_LIST='
+data_ciphers
 ncp_ciphers
 tls_cipher
 tls_ciphersuites
+tls_groups
 '