From 4330030196dbda795608c9e4990616dac6901259 Mon Sep 17 00:00:00 2001
From: Nikolay Dachev
Date: Mon, 24 Feb 2025 12:38:43 +0200
Subject: [PATCH] feat(data ciphers): add data-ciphers and data-ciphers-fallback support

---
 openvpn/files/common_opts.jinja | 8 ++++++++
 pillar.example | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/openvpn/files/common_opts.jinja b/openvpn/files/common_opts.jinja
index 0f8adf6..cab06c3 100644
--- a/openvpn/files/common_opts.jinja
+++ b/openvpn/files/common_opts.jinja
@@ -205,6 +205,14 @@ cipher "{{ cipher }}"
 {%- endfor %}
 {%- endif %}
 
+{%- if config.data_ciphers is defined %}
+data-ciphers "{{ config.data_ciphers }}"
+{%- endif %}
+
+{%- if config.data_ciphers_fallback is defined %}
+data-ciphers-fallback "{{ config.data_ciphers_fallback }}"
+{%- endif %}
+
 {%- if config.tls_cipher is defined %}
 tls-cipher {{ config.tls_cipher }}
 {%- endif %}
diff --git a/pillar.example b/pillar.example
index ae941df..76d09bc 100644
--- a/pillar.example
+++ b/pillar.example
@@ -139,6 +139,9 @@ openvpn:
 # see https://bettercrypto.org/static/applied-crypto-hardening.pdf
 ciphers:
 - AES-256-CBC
+ # for version 2.5+ - https://community.openvpn.net/openvpn/wiki/CipherNegotiation
+ data_ciphers: "AES-256-GCM:AES-128-GCM"
+ data_ciphers_fallback: "AES-256-CBC"
 auths:
 - SHA384 # yamllint disable-line rule:line-length
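Review bot: The new `data-ciphers` and `data-ciphers-fallback` lines only check `is defined`, so a pillar value written as a list — the shape the neighbouring `ciphers` key uses in pillar.example — renders as its Python repr (`data-ciphers "['AES-256-GCM', 'AES-128-GCM']"`), which is not a cipher list OpenVPN will accept. Normalising in the template closes that gap: `data-ciphers "{{ config.data_ciphers | join(':') if config.data_ciphers is not string else config.data_ciphers }}"`, and likewise for the fallback line. A short template comment above the fallback block would also help operators, e.g. `{# data-ciphers-fallback is only used for peers that cannot negotiate a cipher; a CBC value here keeps a non-AEAD cipher reachable for them #}`. Note that pillar.example still sets `ciphers: - AES-256-CBC` next to `data_ciphers`, so the rendered config carries a deprecated `cipher` line alongside `data-ciphers`; OpenVPN 2.5+ appears to warn when that cipher is absent from the `data-ciphers` list, so the example may want to drop `ciphers` or include AES-256-CBC in `data_ciphers`.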