Some time ago I found that tls-auth is kind of not working by default. I struggled with it a bit. I got it working, but later I found that RPI2/3 devices are not able to cope with it (due to client/server version differences and support/non-support for some features).
tl;dr: Options error: specify only one of --tls-server, --tls-client, or --secret
With that I tried my own “ciphers”; no luck, it breaks it. Better to let OpenVPN pick ciphers from the defaults. The min/max directives for TLS also need to match (and again, it is better not to specify them; OpenVPN uses the default). If they do not match and only one side has it specified, it fails again (I dug around it and it is related to the handshake step … each directive is parsed, tested/validated, and some are used to assemble some sort of hash/token indicating the client/server configuration (really condensed info), and it should match on both sides; if for some reason it does not match, the tunnel breaks …). To see that in the log you have to set the maximum debug level on the client. It is a lot of reading.
Here are the TLS-related directives I used some time ago in the server config:
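```
auth SHA1
cipher BF-CBC
mssfix 0
fragment 0
remote-cert-eku "TLS Web Server Authentication"
# Inside double quotes OpenVPN treats a backslash as an escape, so Windows paths need doubled backslashes
tls-auth "C:\\Program Files\\OpenVPN\\config\\tauth.key"
```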
It comes from my oldish post (before the Foris OpenVPN plugin was introduced, so all the stuff was manual or via LuCI; it is in CZ, but the sourced links are very useful for studying what-where-how) … Kterak jsem si rozchodil (aspon doufam) openVPN
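
Added example, not part of the original post: a small Python check that compares a server and a client config for the settings discussed above (`cipher`, `auth`, `tls-auth` and its direction) and flags the mode combination behind the quoted "specify only one of" error. The defaults for an absent `cipher`/`auth` are assumed to be those of OpenVPN 2.3/2.4-era builds, and the sample configs and function names are constructed for illustration.

```python
import shlex

# Assumption: defaults of OpenVPN 2.3/2.4-era builds when a directive is absent.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
# Helper directives that imply a TLS role.
IMPLIES = {"client": "tls-client", "server": "tls-server"}

def parse_config(text):
    """Return {directive: [args]} for OpenVPN config text (last occurrence wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0].lstrip("-")] = tokens[1:]
    return opts

def role_conflict(opts):
    """Modes behind 'specify only one of --tls-server, --tls-client, or --secret'."""
    modes = {IMPLIES.get(k, k) for k in opts} & {"tls-server", "tls-client", "secret"}
    return sorted(modes) if len(modes) > 1 else []

def tls_auth_direction(opts):
    """Direction from 'tls-auth <file> [dir]' or 'key-direction'; None if no tls-auth."""
    args = opts.get("tls-auth")
    if args is None:
        return None
    return args[1] if len(args) > 1 else (opts.get("key-direction") or ["none"])[0]

def mismatches(server, client):
    """List settings that differ between the two parsed configs."""
    problems = []
    for key in DEFAULTS:
        s = (server.get(key) or [DEFAULTS[key]])[0]
        c = (client.get(key) or [DEFAULTS[key]])[0]
        if s.upper() != c.upper():
            problems.append(f"{key}: server={s} client={c}")
    sd, cd = tls_auth_direction(server), tls_auth_direction(client)
    if (sd is None) != (cd is None):
        problems.append("tls-auth: enabled on one side only")
    elif sd is not None and {sd, cd} not in ({"none"}, {"0", "1"}):
        problems.append(f"tls-auth direction: server={sd} client={cd}")
    return problems

# Constructed sample configs (not from the post).
SERVER = "server 10.8.0.0 255.255.255.0\nauth SHA1\ncipher BF-CBC\ntls-auth tauth.key 0\n"
CLIENT = "client\ncipher AES-256-CBC\ntls-auth tauth.key 0\nsecret static.key\n"

if __name__ == "__main__":
    print(role_conflict(parse_config(CLIENT)))
    print(mismatches(parse_config(SERVER), parse_config(CLIENT)))
```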