Epic: modernize OpenVPN service
This issue is a placeholder for work related to modernizing the OpenVPN containers. Part of it has to do with reviewing the configuration of an OpenVPN node; part of it will need coordinated effort with menshen for smooth discovery and gateway selection (and for the transition from a system with legacy clients, as will happen when riseup lands this).
We should properly plan these tasks, but I wanted to dump all of them together for reference, so that proper planning can be made around them. We should decide what goes into the next two releases.
For jnk there's this container, which doesn't need a separate CA: https://0xacab.org/leap/openvpn-docker-standalone - some of the config options can be compared with what's run there.
- use EC keys for authentication (phase out RSA) #77 (closed)
- ensure we configure DCO on the server side. It'd be good to expose it as a flag visible in the gateways for benchmark/testing too (I assume DCO will greatly improve concurrency). https://github.com/OpenVPN/ovpn-dco #106 (closed)
- review/enable BBR congestion control optionally on some of the nodes, to compare performance; see for instance https://protonvpn.com/blog/vpn-accelerator/ #107
- ensure we have a plan for CA rotation #98
- ensure we allow a diversity of configurations for different gateways (this has to do with moving configuration parameters from the service block to the gateway)
- add tls-crypt-v2 support (needs menshen changes, because we'll have to generate and distribute a key for each client; see https://cryptostorm.is/blog/tlscryptv2)
- add menshen_agent as a sidecar service #25
- ensure there's as little identifying information in the CA as possible (the issuer name in the certificate chain is visible on the wire during the certificate exchange of a vanilla OpenVPN handshake when tls-crypt is not used, although this is less of an issue once we adopt tls-crypt)
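The following is an added provisioning sketch, not code from this repository or from the openvpn-docker-standalone container, that ties several of the items above together: an EC-only PKI whose CA subject is a bare CN (items 1 and 8), a tls-crypt-v2 server key with one wrapped key per client (item 6), a server.conf that stays on the DCO data path with OpenVPN 2.6+ (item 2) plus a lint that flags options which would force a fallback to the userspace data path, and an opt-in BBR sysctl (item 3). Directory layout, file names, CN values, the `RUN_PKI` switch and the 10.41.0.0/24 pool are all hypothetical; it assumes `openssl` and an OpenVPN 2.5+ `openvpn` binary on the path.

```shell
#!/bin/sh
# Added example (not LEAP code): EC-only PKI, tls-crypt-v2 keys, DCO-compatible server.conf.
# All paths, names and addresses below are hypothetical.
set -eu

# CA subject: a bare CN, no O/OU/L/C, so the chain carries as little identifying
# information as possible (with TLS 1.2 and no tls-crypt the chain is sent in the clear).
ca_subject() { printf '/CN=%s' "${CA_CN:-ca}"; }

# server.conf for a UDP gateway. What DCO needs is all here: tun (not tap), subnet
# topology, AEAD-only data ciphers, no compression, no fragment. $1 = PKI directory.
render_server_conf() {
  cat <<EOF
dev tun
topology subnet
proto udp
port 1194
server 10.41.0.0 255.255.255.0
ca $1/ca.crt
cert $1/server.crt
key $1/server.key
dh none
tls-groups X25519:secp384r1
tls-version-min 1.2
tls-cert-profile preferred
tls-crypt-v2 $1/tc2-server.key
remote-cert-tls client
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
explicit-exit-notify 1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Lint a rendered config ($1 = config text) for options that make OpenVPN 2.6 fall back
# from DCO to the userspace data path. Prints each offending line and returns 1 if any.
check_dco_compat() {
  _bad=0
  for _pat in '^(comp-lzo|compress|fragment)( |$)' '^dev +tap' \
              '^(cipher|data-ciphers(-fallback)?) +.*(CBC|BF-|DES)'; do
    if printf '%s\n' "$1" | grep -E -q "$_pat"; then
      printf 'DCO-incompatible option: %s\n' "$(printf '%s\n' "$1" | grep -E "$_pat")" >&2
      _bad=1
    fi
  done
  return $_bad
}

# Generate CA, gateway cert, tls-crypt-v2 server key and server.conf under $1.
provision() {
  _d="$1"; mkdir -p "$_d/clients"
  # CA: P-384 key, 5-year validity, bare-CN subject.
  openssl ecparam -name secp384r1 -genkey -noout -out "$_d/ca.key"
  openssl req -x509 -new -sha384 -key "$_d/ca.key" -subj "$(ca_subject)" -days 1825 -out "$_d/ca.crt"
  # Gateway cert: P-256 key, 1-year validity, serverAuth EKU so clients can use remote-cert-tls server.
  openssl ecparam -name prime256v1 -genkey -noout -out "$_d/server.key"
  openssl req -new -sha256 -key "$_d/server.key" -subj "/CN=${GW_CN:-gw}" -out "$_d/server.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$_d/server.ext"
  openssl x509 -req -sha384 -days 365 -in "$_d/server.csr" -CA "$_d/ca.crt" -CAkey "$_d/ca.key" \
    -CAcreateserial -extfile "$_d/server.ext" -out "$_d/server.crt"
  # tls-crypt-v2: one server key; each client key is wrapped with it (see gen_client_key).
  openvpn --genkey tls-crypt-v2-server "$_d/tc2-server.key"
  render_server_conf "$_d" > "$_d/server.conf"
}

# Per-client tls-crypt-v2 key ($1 = PKI dir, $2 = client name); this is the artifact
# menshen would have to hand out alongside the profile.
gen_client_key() {
  openvpn --tls-crypt-v2 "$1/tc2-server.key" --genkey tls-crypt-v2-client "$1/clients/$2.key"
}

# BBR only changes TCP sockets the gateway itself terminates (proto tcp instances);
# it does nothing for UDP transport or for forwarded client flows. Opt in per node.
enable_bbr() { sysctl -w net.ipv4.tcp_congestion_control=bbr; }

# Only touch the filesystem when explicitly asked: RUN_PKI=1 sh provision.sh ./pki
if [ "${RUN_PKI:-0}" = 1 ]; then
  provision "${1:-./pki}"
  gen_client_key "${1:-./pki}" client01
  check_dco_compat "$(render_server_conf "${1:-./pki}")"
fi
```

OpenVPN 2.6 uses DCO automatically when the ovpn-dco module is loaded and the config passes the constraints above; `--disable-dco` turns it off on a single node, which gives the A/B pair for the benchmark in #106, and `openvpn --version` reports the DCO version on a build that can use it. `check_dco_compat` is worth running in CI against every rendered gateway config once parameters move from the service block to the gateway, since a single `comp-lzo` or tap line silently loses the offload.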
Edited by sgk