Feat: multiple OpenVPN ciphers for negotiation

- Perfect privacy to accept AES-256-CBC and AES-256-GCM
- Cyberghost default cipher set to AES-256-GCM
- `OPENVPN_CIPHER` accept comma separated cipher values
- Use `ncp-ciphers` for OpenVPN 2.4

internal/provider/utils/cipher.go

@@ -1,17 +1,22 @@
 package utils
 
 import (
+	"strings"
+
 	"github.com/qdm12/gluetun/internal/constants"
 )
 
-func CipherLines(cipher, version string) (lines []string) {
+func CipherLines(ciphers []string, version string) (lines []string) {
 	switch version {
 	case constants.Openvpn24:
-		return []string{"cipher " + cipher}
+		return []string{
+			"cipher " + ciphers[0],
+			"ncp-ciphers " + strings.Join(ciphers, ":"),
+		}
 	default: // 2.5 and above
 		return []string{
-			"data-ciphers-fallback " + cipher,
-			"data-ciphers " + cipher,
+			"data-ciphers-fallback " + ciphers[0],
+			"data-ciphers " + strings.Join(ciphers, ":"),
 		}
 	}
 }

internal/provider/utils/cipher_test.go

@@ -9,24 +9,31 @@ import (
 func Test_CipherLines(t *testing.T) {
 	t.Parallel()
 	testCases := map[string]struct {
+		ciphers []string
 		version string
 		lines   []string
 	}{
 		"empty version": {
+			ciphers: []string{"AES"},
 			lines: []string{
 				"data-ciphers-fallback AES",
 				"data-ciphers AES",
 			},
 		},
 		"2.4": {
+			ciphers: []string{"AES", "CBC"},
 			version: "2.4",
-			lines:   []string{"cipher AES"},
+			lines: []string{
+				"cipher AES",
+				"ncp-ciphers AES:CBC",
+			},
 		},
 		"2.5": {
+			ciphers: []string{"AES", "CBC"},
 			version: "2.5",
 			lines: []string{
 				"data-ciphers-fallback AES",
-				"data-ciphers AES",
+				"data-ciphers AES:CBC",
 			},
 		},
 	}
@@ -35,9 +42,7 @@ func Test_CipherLines(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			const cipher = "AES"
-
-			lines := CipherLines(cipher, testCase.version)
+			lines := CipherLines(testCase.ciphers, testCase.version)
 
 			assert.Equal(t, testCase.lines, lines)
 		})