From 62c89af95425cc5ca2c062cfa1c11f2be756c82c Mon Sep 17 00:00:00 2001
From: angristan
Date: Sat, 22 Sep 2018 18:18:36 +0200
Subject: [PATCH] Support ncp-ciphers
Since OpenVPN 2.4, there is negotiable crypto parameters (NCP) It means you can use a cipher suite like with HTTPS. By default the suite is AES-256-GCM:AES-256-CBC, so that means than since 2.4 is out, everyone using a 2.4 client + server was using AES 256 GCM, regardless of the --cipher option. With this commit, the chosen cipher will be the only cipher in the NCP cipher list, thus fixing this issue.
---
openvpn-install.sh | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 6df111e..956c64e 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -303,22 +303,22 @@ function installQuestions () {
 done
 case $CIPHER_CHOICE in
 1)
- CIPHER="cipher AES-128-GCM"
+ CIPHER="AES-128-GCM"
 ;;
 2)
- CIPHER="cipher AES-192-GCM"
+ CIPHER="AES-192-GCM"
 ;;
 3)
- CIPHER="cipher AES-256-GCM"
+ CIPHER="AES-256-GCM"
 ;;
 4)
- CIPHER="cipher AES-128-CBC"
+ CIPHER="AES-128-CBC"
 ;;
 5)
- CIPHER="cipher AES-192-CBC"
+ CIPHER="AES-192-CBC"
 ;;
 6)
- CIPHER="cipher AES-256-CBC"
+ CIPHER="AES-256-CBC"
 ;;
 esac
 echo ""
@@ -664,7 +664,8 @@ cert $SERVER_NAME.crt
 key $SERVER_NAME.key
 tls-auth tls-auth.key 0
 auth $HMAC_ALG
-$CIPHER
+cipher $CIPHER
+ncp-ciphers $CIPHER
 tls-server
 tls-version-min 1.2
 tls-cipher $CC_CIPHER
@@ -792,7 +793,7 @@ remote-cert-tls server
 verify-x509-name $SERVER_NAME name
 auth $HMAC_ALG
 auth-nocache
-$CIPHER
+cipher $CIPHER
 tls-client
 tls-version-min 1.2
 tls-cipher $CC_CIPHER
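Review bot: Pinning `ncp-ciphers $CIPHER` on the server means that for menu choices 4–6 the negotiated data channel is now a single non-AEAD CBC cipher, whereas before this commit 2.4 peers were being upgraded to AES-256-GCM by the default NCP list regardless of the selection, so for those choices the change is a deliberate downgrade that the user prompt should make explicit. I would add a line to the generated config right above the directive, `# ncp-ciphers (OpenVPN >= 2.4) pins the negotiated data cipher to the chosen one; prefer a GCM (AEAD) choice over CBC`, since the heredoc is written into server.conf and OpenVPN accepts `#` comments there. `ncp-ciphers` is rejected by OpenVPN 2.3 and older, and nothing in this hunk shows the script checking the installed version, so either a guard or a comment stating the 2.4 requirement is needed (in 2.5 the directive survives as an alias of `data-ciphers`). The enclosing heredoc begins and ends outside the hunk.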
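Review bot: The client template gets `cipher $CIPHER` but no `ncp-ciphers`, so a 2.4 client keeps its built-in NCP list (AES-256-GCM:AES-256-CBC) while the server now offers only the chosen cipher; whether that asymmetry matters depends on how the client handles a pushed cipher outside its own list, which I cannot confirm from the hunk, but mirroring the server with `ncp-ciphers $CIPHER` on the client side would remove the question and keep both configs describing the same policy. If the client is intentionally left with its default list, a comment in the template saying so (and that the server-side pin is what decides the cipher) would stop a future reader from treating it as an omission. The heredoc this hunk sits in starts and ends outside the hunk.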