forked from Nyr/openvpn-install
update version #1
Open
ishto7 wants to merge 68 commits into ishto7:master from Nyr:master
Conversation
See #206 for context.
This commit contains lots of changes which are not very significant on their own but provide important usability improvements and future proofing. It also includes changes which required OpenVPN v2.4+ and were pending until that version became widely available.
- General cleanup
- Improved IP address and NAT configuration
- Added input validation and sanitization
- Fix #603
- Remove "sndbuf" and "recvbuf" parameters
- Add server-side "explicit-exit-notify"
- Switch from "setenv opt" to "ignore-unknown-option"
- Switch from "tls-auth" to "tls-crypt"
- Other minor bugfixes and optimizations
LowEndSpirit no longer requires that.
LowEndSpirit fixed the issue on their end, so this is no longer needed. Additionally, the check causes unneeded trouble for users whose system doesn't have the iptables package installed.
Clients will be provided with IPv6 connectivity if the server has it. Other very small and unimportant improvements are also included in this commit.
- Verisign removed (performance is subpar compared to competitors)
- NTT is back (fast and reliable)
- AdGuard added (for ad blocking)
- Fix #694: added sanitization during the public IP address configuration and switched to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT, checkip service is unreachable and user doesn't provide input when asked for the public IP address or hostname.
- Other small improvements not worth describing in detail.
- Made OS detection more flexible and fine-grained
- Fedora is now officially supported
- Always use firewalld for CentOS and Fedora
- Cleaner check to find out if firewalld is active
New logic makes way more sense:
- If either firewalld or iptables is present, use whatever we have
- If not, install firewalld in CentOS/Fedora and iptables in Debian/Ubuntu
The new systemd service at `/usr/lib/systemd/system/[email protected]` that comes with openvpn 2.4 includes the status option in `ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf`. Using this default allows having multiple servers with their own status files, all in the same log directory. Example: `/run/openvpn-server/status-server.log`, `/run/openvpn-server/status-server2.log`
nf_tables is not available in old OpenVZ kernels, so we need to use iptables-legacy instead. This issue only affects Debian 10 as it is the only distribution using iptables with a nf_tables backend by default. This is supposedly resolved in the newest kernels: https://bit.ly/3fgNZCh Additionally, a bugfix for the ip6tables path is also included.
This test is more reliable and flexible.
No need to write the tarball to disk.
While it looks hackish, I don't think there's a better way (in Bash) to open the /dev/net/tun character device. Checking for presence of /dev/net/tun like we were doing is not good enough.
Fix for the mistaken stderr redirection, sorry about that. Also, run in a subshell so we don't need to manually close the file descriptor.
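The device check described in the two commits above, as an added example that is not code from the openvpn-install script: a small POSIX shell function (the name `tun_usable` and the optional path argument are mine) that verifies the node is a character device and then opens it read/write inside a subshell, so the spare descriptor is closed when the subshell exits and stderr from a failed open is discarded.

```shell
#!/bin/sh
# Added example, not part of the openvpn-install script.
# Returns 0 if the given device (default /dev/net/tun) exists as a
# character device AND can actually be opened read/write by this process;
# a mere existence test passes on containers where the node is present
# but the kernel refuses to open it.
tun_usable() {
    dev="${1:-/dev/net/tun}"
    # -c: path exists and is a character device
    [ -c "$dev" ] || return 1
    # Open on fd 7 inside a subshell: the fd closes automatically when the
    # subshell exits, so no explicit 'exec 7>&-' is needed. The subshell's
    # status is the status of the open, and stderr is silenced.
    ( exec 7<>"$dev" ) 2>/dev/null
}

# Stand-alone usage on the host the script runs on.
if tun_usable; then
    echo "TUN device is usable"
else
    echo "TUN device is missing or cannot be opened"
fi
```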
egrep IP regex optimizations
`30-openvpn-forward.conf` renamed to `99-openvpn-forward.conf`.
Increase priority of openvpn-forward.conf
An unrelated fix to avoid one harmless warning during removal is also included.
git.io will stop functioning by the end of this workweek: https://github.blog/changelog/2022-04-25-git-io-deprecation/
git.io will not stop functioning after all: https://github.blog/changelog/2022-04-25-git-io-deprecation/?#changelog-64536
Some systems have other DNS servers along with 127.0.0.53 in /etc/resolv.conf
This is mainly to work around a bug in Viscosity for macOS: https://www.sparklabs.com/forum/viewtopic.php?t=3152
--no-install-recommends is now required for Debian: OpenVPN/easy-rsa#725
--cipher has been deprecated since v2.4 and was kept for compatibility purposes.
The following versions are no longer supported:
- Debian 10
- Ubuntu 18.04
- Ubuntu 20.04
- CentOS/Alma/Rocky 7
- CentOS/Alma/Rocky 8
- Fedora 31
No description provided.