mirror of
https://github.com/angristan/openvpn-install.git
synced 2025-07-02 04:24:23 +02:00
Disable cipher negotiation for 2.4 clients
This seems like a little change but it was not easy to find. I want this script to support only OpenVPN 2.4 servers, but also 2.4 and 2.3 clients. The thing is, the OpenVPN 2.3 client doesn't care at all what cipher the server wants to use. The cipher parameter in the client config is the king here. But with OpenVPN 2.4, you can specify whatever cipher you want; the clients and the server will negotiate the best cipher possible, which is AES-256-GCM right now. The use of --ncp-ciphers cipher_list is useless because a 2.3 client will still use its cipher and a 2.4 client will still use AES-256-GCM. I won't detail all my experiments here, but in the end, ncp-disable disables the cipher negotiation for 2.4 clients. But it will only work if the cipher in the server config and the client config are the same, and as they are in the script, it's ok. This is not the best solution because that means if you want to support a 2.3 client, you'll be forced to use one and only one AES-CBC cipher, even with your 2.4 clients, even though you could use a different cipher for each client. But as we're still using AES and OpenVPN 2.4 is getting more and more deployed, this is not too big an issue in the end. Also, adding menus to choose what kind of client you want etc. would make the script pretty complicated, so this is a good compromise here. TL;DR: ncp-disable forces an OpenVPN 2.4 client to use the cipher specified in the server and the client config. See here for more details regarding the data channel cipher negotiation in OpenVPN 2.4: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAJ
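The commit message's caveat is that `ncp-disable` only behaves as intended when the server config and every client config carry the same `cipher` line. The following is an added example, not code from openvpn-install: it writes a constructed server config in the shape of the commit's heredoc plus three constructed client configs (matching cipher, mismatched cipher, no cipher line), and a small POSIX sh check that flags a pinned server whose client would disagree. The hostname `vpn.example.invalid` and the file names are placeholders.

```shell
# Added example: verify the invariant that ncp-disable relies on.
# Not part of the openvpn-install script; all configs below are constructed.

# Print the value of the first "cipher" directive in a config (empty if none).
cipher_of() {
    awk '$1 == "cipher" { print $2; exit }' "$1"
}

# Classify a server/client pair:
#   missing  - client has no cipher line (a 2.3 client would have nothing to use)
#   mismatch - server has ncp-disable but the two cipher lines differ, so a 2.4
#              client can neither negotiate nor fall back to the server's cipher
#   ok       - ciphers agree, or negotiation is still enabled on the server
pair_status() {
    server_cipher=$(cipher_of "$1")
    client_cipher=$(cipher_of "$2")
    if [ -z "$client_cipher" ]; then
        echo missing
    elif grep -q '^ncp-disable' "$1" && [ "$server_cipher" != "$client_cipher" ]; then
        echo mismatch
    else
        echo ok
    fi
}

# Constructed server config mirroring the commit's echo block (cipher pinned,
# negotiation disabled, TLS floor at 1.2).
write_server_conf() {
    cat > "$1" <<EOF
auth SHA256
cipher $2
ncp-disable
tls-server
tls-version-min 1.2
EOF
}

# Constructed client config; "$2" is the cipher name, or empty for no cipher line.
write_client_conf() {
    {
        printf 'client\nremote vpn.example.invalid 1194\nauth SHA256\n'
        [ -n "$2" ] && printf 'cipher %s\n' "$2"
    } > "$1"
}

# Build a temporary directory with the sample configs and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    write_server_conf "$d/server.conf" AES-256-CBC
    write_client_conf "$d/good.ovpn" AES-256-CBC
    write_client_conf "$d/bad.ovpn" AES-128-CBC
    write_client_conf "$d/nocipher.ovpn" ""
    echo "$d"
}

# Usage: run the check over the constructed pairs and clean up.
demo_dir=$(make_demo_dir)
for c in good bad nocipher; do
    printf '%s: %s\n' "$c" "$(pair_status "$demo_dir/server.conf" "$demo_dir/$c.ovpn")"
done
rm -rf "$demo_dir"
```

The check is deliberately file-based rather than a live handshake: the failure mode the commit describes only surfaces at connection time, so catching a drifted `cipher` line when configs are generated is the cheap place to do it.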
parent 57d5b6329f
commit ff10bd83e6
@ -658,6 +658,7 @@ elif [[ $DH_TYPE == "2" ]]; then
|
||||
fi
|
||||
echo "auth $HMAC_AUTH
|
||||
$CIPHER
|
||||
ncp-disable
|
||||
tls-server
|
||||
tls-version-min 1.2
|
||||
tls-cipher $CC_ENC
|
||||
|
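Review bot: `ncp-disable` is written into the server config unconditionally, so every 2.4 client is pinned to the single `$CIPHER` value with no way to opt in to AES-GCM negotiation, and, as the commit message itself notes, this only works while the client configs carry the same `cipher` line. Consider adding a comment next to the `ncp-disable` line (or in the script) stating that the client `cipher` must match the server's, so a later change to either template does not silently break 2.4 clients.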