
feat: TLS mode selection during install + client temporary disable/enable#1473

Open
AliHzSec wants to merge 1 commit into
angristan:masterfrom
AliHzSec:feature/tls-mode-selection-and-client-disable

Conversation

@AliHzSec

Summary

This PR adds two features to improve compatibility and client management.


Problem 1: tls-crypt-v2 hardcoded default breaks Cisco/MikroTik compatibility

The installer always enables tls-crypt-v2 with no option to change it
during setup (only through the advanced encryption path). Profiles with a
<tls-crypt-v2> block are not compatible with Cisco IOS or MikroTik
OpenVPN clients — they fail with authentication errors. Manually removing
the block from the .ovpn file also fails because the server still expects
the TLS key.

Fix

A TLS control channel security question is now asked during installation,
in both simple and advanced encryption modes:

Choose the TLS control channel security mode:
Note: tls-crypt-v2 and tls-crypt are NOT compatible with Cisco or MikroTik routers.
   1) tls-crypt-v2 (recommended): Unique key per client, strongest protection
   2) tls-crypt: Shared key, encrypts control channel
   3) tls-auth: Shared key, authenticates control channel (no encryption)
   4) none: No TLS security (required for Cisco/MikroTik router compatibility)

When none is selected, no TLS key is generated and no TLS directive is
written to server.conf. The generated .ovpn contains no TLS block and
works on Cisco/MikroTik clients.

Also available via CLI: --tls-sig none


Problem 2: No way to temporarily disable a client

The only way to block a client was to permanently revoke their certificate,
which cannot be undone. There was no suspend/resume functionality.

Fix

Uses the client-config-dir + ccd-exclusive mechanism already supported
by OpenVPN:

  • ccd-exclusive added to server.conf — only clients with a file in the
    CCD directory can connect
  • Empty CCD file created automatically when a client is added
  • CCD file removed when a client is revoked

Two new operations:

Disable (blocks access, certificate stays valid):

openvpn-install client disable alice

Removes the CCD file and immediately disconnects the client via the
management socket. The client cannot reconnect until re-enabled.

Enable (restores access):

openvpn-install client enable alice

Recreates the CCD file. The client can connect again.

Both operations are available in the interactive menu (options 4 and 5).
client list now shows Disabled status for valid certs with no CCD file.


Changes

| Function/Area | Change |
|---|---|
| installQuestions() | TLS mode question added for both simple and advanced paths |
| installOpenVPN() | Handle TLS_SIG=none in key generation and server.conf; add ccd-exclusive with absolute CCD path |
| newClient() | Create CCD file automatically |
| revokeClient() | Remove CCD file on revocation |
| disableClient() | New — removes CCD file and disconnects client |
| enableClient() | New — recreates CCD file |
| cmd_client_disable/enable() | New CLI handlers |
| listClients() | Shows Disabled status |
| manageMenu() | Updated with options 4 (Disable) and 5 (Enable) |

Testing

Tested on Ubuntu 24.04 with OpenVPN 2.6.x:

  • Install with each TLS mode (crypt-v2, crypt, auth, none)
  • none mode: no key generated, no directive in server.conf, clean .ovpn
  • Client add → CCD file created automatically
  • client disable → client disconnected, cannot reconnect
  • client enable → client can reconnect
  • client revoke → CCD file removed alongside certificate
  • client list → correct status (Valid / Disabled / Revoked)
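The suspend/resume mechanism described in the PR, written out as an added example (this is not the PR's code nor openvpn-install's own). It assumes hypothetical paths for the CCD directory, the easy-rsa PKI and the management socket, and includes the check a reviewer would want: removing a CCD file blocks nothing unless server.conf carries both client-config-dir and ccd-exclusive.

```shell
#!/bin/sh
# Added example, not code from the PR or from openvpn-install: a minimal
# CCD-based suspend/resume in the shape the PR describes. Paths below are
# assumptions (the script's real defaults may differ); override via env.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
PKI_DIR="${PKI_DIR:-/etc/openvpn/easy-rsa/pki}"
MGMT_SOCK="${MGMT_SOCK:-/run/openvpn/server.sock}"   # hypothetical management socket

# Precondition check: removing a CCD file blocks nothing unless server.conf
# has BOTH client-config-dir and ccd-exclusive.
ccd_enforced() {
  grep -qE '^client-config-dir ' "$1" && grep -qx 'ccd-exclusive' "$1"
}

# Status as the PR's `client list` derives it: Revoked from easy-rsa's
# index.txt ('R' records), Disabled when a valid cert has no CCD file.
client_status() {
  cn=$1
  if grep -q "^R.*/CN=${cn}\$" "${PKI_DIR}/index.txt" 2>/dev/null; then
    echo Revoked
  elif [ -f "${CCD_DIR}/${cn}" ]; then
    echo Valid
  else
    echo Disabled
  fi
}

# Suspend: drop the CCD file, then kill the live session, because
# ccd-exclusive is only evaluated when a client connects.
disable_client() {
  cn=$1
  [ -f "${PKI_DIR}/issued/${cn}.crt" ] || { echo "unknown client: ${cn}" >&2; return 1; }
  rm -f "${CCD_DIR}/${cn}"
  if [ -S "${MGMT_SOCK}" ] && command -v nc >/dev/null 2>&1; then
    # 'kill <CN>' is a standard OpenVPN management-interface command.
    printf 'kill %s\nquit\n' "${cn}" | nc -U -w 2 "${MGMT_SOCK}" >/dev/null 2>&1 || true
  fi
}

# Resume: an empty CCD file is sufficient; ccd-exclusive only needs it to exist.
enable_client() {
  cn=$1
  [ -f "${PKI_DIR}/issued/${cn}.crt" ] || { echo "unknown client: ${cn}" >&2; return 1; }
  mkdir -p "${CCD_DIR}" && : > "${CCD_DIR}/${cn}"
}
```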

- Add interactive TLS control channel security question during install
  for both simple and advanced encryption modes, replacing the hardcoded
  tls-crypt-v2 default with a user prompt
- Add 'none' TLS mode option for Cisco/MikroTik router compatibility,
  which skips key generation and adds no directive to server.conf
- Add ccd-exclusive to server.conf with absolute CCD path for
  per-client access control enforcement
- Create CCD file automatically when a client is added
- Remove CCD file when a client is revoked
- Add disableClient() and enableClient() functions (CCD-based)
- Add 'client disable' and 'client enable' CLI subcommands
- Show 'disabled' status in client list for certs without CCD file
- Update interactive menu with disable/enable options (4 and 5)
@AliHzSec force-pushed the feature/tls-mode-selection-and-client-disable branch from 414eb75 to eee2b22 on February 17, 2026 18:24