Feature: Change of default cipher algorithm
Reason: OpenVPN's current default cipher is BF-CBC (Blowfish), which is considered a very weak cipher these days, especially after the SWEET32 issue (https://sweet32.info/), which was publicised in 2016.
Result: OpenVPN v2.4 supports a fairly simple negotiation of crypto parameters. This allows OpenVPN to let clients connect using independent cipher settings.
This change will *only* affect OpenVPN servers using the openvpn-server@.service unit file.
This change moves the default cipher to AES-256-GCM while remaining backwards compatible: older clients that do not support GCM can still connect using either BF-CBC, AES-128-CBC or AES-256-CBC. If --cipher is not provided in the client OpenVPN configuration file, BF-CBC will be used as the default. Those client configurations can be updated one at a time to use at least --cipher AES-128-CBC or --cipher AES-256-CBC. Clients running OpenVPN v2.4 or newer will by default switch to AES-256-GCM automatically, regardless of the --cipher value.
This behaviour can be overridden on the server side by changing/adding --cipher in the configuration file. The list of allowed ciphers can be modified by changing/adding --ncp-ciphers.
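
An added example, not part of the original release note: a shell check that scans a directory of client configuration files and flags those that would still use BF-CBC with a pre-2.4 client, either explicitly or because --cipher is missing. The function names, the .ovpn/.conf extensions, the "last directive wins" handling and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenVPN client configs by the cipher a client
# without negotiation support (older than v2.4) would end up using.

# Print the cipher directive of a config file, upper-cased; empty if none.
# Assumption: when "cipher" appears more than once, the last one applies.
effective_cipher() {
    awk '
        /^[ \t]*[#;]/      { next }            # skip comment lines
        $1 == "cipher"     { c = toupper($2) }
        END                { print c }
    ' "$1"
}

# Map one config file to a verdict line.
classify_client() {
    c=$(effective_cipher "$1")
    case "$c" in
        "")      echo "UPDATE default-BF-CBC" ;;   # no --cipher: BF-CBC default
        BF-CBC)  echo "UPDATE BF-CBC" ;;           # explicitly weak
        AES-128-CBC|AES-256-CBC|AES-256-GCM) echo "OK $c" ;;
        *)       echo "REVIEW $c" ;;               # not in the list named above
    esac
}

# Report every client config in a directory as "<file><TAB><verdict>".
audit_clients() {
    for f in "$1"/*.ovpn "$1"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(classify_client "$f")"
    done
}

# Constructed sample configs (not taken from any real deployment).
make_samples() {
    printf 'client\nremote vpn.example.org 1194\n# cipher AES-256-CBC\n' > "$1/legacy.ovpn"
    printf 'client\ncipher bf-cbc\n' > "$1/explicit-bf.ovpn"
    printf 'client\n  cipher AES-256-CBC\n' > "$1/updated.ovpn"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_clients "$tmp"
rm -rf "$tmp"
```

Files reported as UPDATE are the ones to move to --cipher AES-128-CBC or --cipher AES-256-CBC; REVIEW marks a cipher outside the set named in this note, which only connects if the server's --ncp-ciphers has been changed to allow it.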