openvpn: update to 2.5.0

New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>

net/openvpn/files/openvpn.config

@@ -254,6 +254,24 @@ config openvpn sample_server
 	# on the system
 #	option tls_version_min "1.2 'or-highest'"
 
+	# List the preferred ciphers to use for the data channel.
+	# Run openvpn --show-ciphers to see all supported ciphers.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher in order to be compatible with
+	# peers that do not support cipher negotiation.
+	#
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
+
 	# OpenVPN versions 2.4 and later will attempt to
 	# automatically negotiate the most secure cipher
 	# between the client and server, regardless of a
@@ -265,21 +283,6 @@ config openvpn sample_server
 	# cipher option instead (not recommended).
 #	option ncp_disable
 
-	# Select a cryptographic cipher.
-	# This config item must be copied to
-	# the client config file as well.
-	#
-	# To see all supported ciphers, run:
-	# openvpn --show-ciphers
-	#
-	# Blowfish (default for backwards compatibility,
-	# but not recommended due to weaknesses):
-#	option cipher BF-CBC
-	# AES:
-#	option cipher AES-128-CBC
-	# Triple-DES:
-#	option cipher DES-EDE3-CBC
-
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
@@ -293,6 +296,15 @@ config openvpn sample_server
 	# LZO is compatible with most OpenVPN versions
 	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
 #	option compress lzo
+	# Control how OpenVPN handles peers using compression
+	#
+	# Do not allow any connections using compression
+#	option allow_compression 'no'
+	# Allow incoming compressed packets, but do not send compressed packets to other peers
+	# This can be useful when migrating old configurations with compression activated
+#	option allow_compression 'asym'
+	# Both incoming and outgoing packets may be compressed
+#	option allow_compression 'yes'
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
@@ -449,10 +461,21 @@ config openvpn sample_client
 	# on the system
 #	option tls_version_min "1.2 'or-highest'"
 
-	# Select a cryptographic cipher.
-	# If the cipher option is used on the server
-	# then you must also specify it here.
-#	option cipher x
+	# List the preferred ciphers for the data channel.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher if you connect to a peer that does
+	# not support cipher negotiation.
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
 
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also