Harden Security by Removing Legacy AES-256-CBC Cipher #7

@janole

Severity: Low

The server configuration (templates/openvpn/server.conf.template) currently specifies the following for data encryption:
data-ciphers AES-256-GCM:AES-256-CBC

While AES-256-GCM is the primary and highly secure default cipher, the inclusion of AES-256-CBC allows for a potential downgrade. AES-256-CBC is an older cipher that, while not broken, lacks the integrated authentication of GCM mode and can be more susceptible to certain types of attacks (like padding oracle attacks) if not implemented perfectly.

Recommendation

For a more hardened security posture, it is recommended to remove AES-256-CBC from the list of available data ciphers. This ensures that only the most secure and modern cipher, AES-256-GCM, is used for data encryption.

This change reduces the attack surface and enforces the strongest available encryption.

File to modify: templates/openvpn/server.conf.template

Change:

- data-ciphers AES-256-GCM:AES-256-CBC
+ data-ciphers AES-256-GCM
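
Review bot: The `+ data-ciphers AES-256-GCM` line leaves a single entry in the negotiable list, so this should come with a comment in the template above the directive stating that clients without AES-256-GCM support are no longer accepted. Please also confirm that templates/openvpn/server.conf.template does not set `cipher` or `data-ciphers-fallback` to a CBC cipher elsewhere, since those directives are outside the lines shown here and would keep a CBC path open for clients that do not negotiate.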

Note: This change may impact very old clients that do not support AES-256-GCM. However, modern and recently updated clients should have no issue with this configuration.
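
To keep the recommendation above from regressing, a rendered server config can be linted for non-AEAD data-channel ciphers. This is an added example, not code from the issue or the project; the function name `audit_ciphers`, the allow-list, and the sample configs are assumptions constructed for illustration, and it generalizes beyond `data-ciphers` to the other OpenVPN directives that can select a data-channel cipher.

```python
# Added example: lint OpenVPN server config text for non-AEAD data-channel ciphers.
# Allow-list of AEAD ciphers (an assumption; adjust to local policy).
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
# Directives that can put a cipher on the data channel.
CIPHER_DIRECTIVES = {"data-ciphers", "data-ciphers-fallback", "ncp-ciphers", "cipher"}


def audit_ciphers(config_text):
    """Return (line_no, directive, cipher) for every non-AEAD cipher configured."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment line
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in CIPHER_DIRECTIVES or len(parts) < 2:
            continue
        # Cipher lists are colon-separated; OpenVPN 2.6 marks optional
        # entries with a leading '?', which is stripped before comparing.
        for name in parts[1].split(":"):
            cipher = name.lstrip("?").upper()
            if cipher and cipher not in AEAD_CIPHERS:
                findings.append((line_no, directive, cipher))
    return findings


# Constructed samples: only the data-ciphers lines come from the issue.
BEFORE = "# server config\nproto udp\ndata-ciphers AES-256-GCM:AES-256-CBC\n"
AFTER = "proto udp\ndata-ciphers AES-256-GCM\n"
# Constructed case: list is hardened, but a CBC fallback is still configured.
AFTER_WITH_FALLBACK = AFTER + "data-ciphers-fallback AES-256-CBC\n"

if __name__ == "__main__":
    for label, text in [("before", BEFORE), ("after", AFTER),
                        ("after+fallback", AFTER_WITH_FALLBACK)]:
        findings = audit_ciphers(text)
        print(label, "OK" if not findings else findings)
```

Run it against the rendered config rather than the raw template, since template placeholders are not parsed.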
