openvpn: migrate deprecated 'cipher' and add fall-back to old cipher

3 files changed, 4 insertions, 2 deletions

diff --git a/config/roles/openvpn/templates/tcp.conf.j2 b/config/roles/openvpn/templates/tcp.conf.j2
index 958c612..252f315 100644
--- a/config/roles/openvpn/templates/tcp.conf.j2
+++ b/config/roles/openvpn/templates/tcp.conf.j2
@@ -5,7 +5,7 @@ ca /etc/leap/ca/leap_ca_bundle.crt
 cert /etc/credentials/sspki/openvpn/cert.pem
 key /etc/credentials/sspki/openvpn/private.key
 dh /etc/leap/keys/dh.pem
-cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-CBC
 tls-version-min 1.2
 dev tun
 duplicate-cn
diff --git a/config/roles/openvpn/templates/udp.conf.j2 b/config/roles/openvpn/templates/udp.conf.j2
index 3da2231..640a450 100644
--- a/config/roles/openvpn/templates/udp.conf.j2
+++ b/config/roles/openvpn/templates/udp.conf.j2
@@ -5,7 +5,7 @@ ca /etc/leap/ca/leap_ca_bundle.crt
 cert /etc/credentials/sspki/openvpn/cert.pem
 key /etc/credentials/sspki/openvpn/private.key
 dh /etc/leap/keys/dh.pem
-cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-CBC
 tls-version-min 1.2
 dev tun
 duplicate-cn
diff --git a/group_vars/all/openvpn_config.yml b/group_vars/all/openvpn_config.yml
index fcc3bfe..9c04665 100644
--- a/group_vars/all/openvpn_config.yml
+++ b/group_vars/all/openvpn_config.yml
@@ -3,6 +3,7 @@ openvpn_config:
   'tls-version-min': '1.2'
   'auth': 'SHA512'
   'cipher': 'AES-256-GCM'
+  'data-ciphers': 'AES-256-GCM'
   'keepalive': '10 30'
   'tls-cipher': 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'
   'dev': 'tun'
@@ -12,6 +13,7 @@ openvpn_config:
   'persist-key': true
   'key-direction': '1'
   'verb': '3'
+  'float': ''
 
 # You can leave this rfc1918 ip block as it is
 openvpn_tcp_network: "10.41.0.0/21"