Turris OpenVPN using tls-crypt settings, not working?

Hi, everyone. I have started to play with openvpn and was trying to use the tls-crypt (ovpn 2.4+) config option on it with no success. In the log it says:

TLS Error: tls-crypt unwrapping failed from…

I have generated the openvpn ta.key with the command: (so it must be ok)

openvpn --genkey --secret /etc/openvpn/ta.key

Client: (client log with verb=5 says it consumed the ta.key)

<tls-crypt>
My Copied Key With Same Data as in: ta.key
</tls-crypt>

Server:

option tls_crypt '/etc/openvpn/ta.key'

I'm using the default openvpn setup generated via Foris on port 1194; the firewall should be opened by it. I was using the Windows OpenVPN GUI (2.5+) client from a local PC, and it worked without "tls-crypt".

Any advice?

Does this even work on TurrisOS, c’mon anyone? :confused:

Some time ago I found that tls-auth is kind of not working by default. I struggled with it a bit. I made it work, but later I found that RPI2/3 devices are not able to cope with it (due to client/server version differences and support/non-support for some features).

tl;dr: Options error: specify only one of --tls-server, --tls-client, or --secret

With that I tried my own "ciphers", no luck, it breaks it. Better to let openvpn pick ciphers by default. Using the min/max directive for TLS also needs to match (and again, better not to specify it; openvpn uses the default). If not matching and only one side has it specified, it again fails (I dug around it and it is related to the handshake step ... each directive is parsed, tested/validated, some are used to assemble some sort of hash/token indicating the client/server configuration (like really condensed info), and it should match on both sides; if that for some reason is not matching, the tunnel breaks ...). To see that in the log you have to set the maximum debug level on the client. It is a lot of reading.

Here are the TLS-related directives I used some time ago in the server config:

option fast_io '1'
option persist_tun '1'
option persist_key '1'
option persist_local_ip '1'
option mode 'server'
option tls_server '1'
option tls_exit '1'
option auth_nocache '1'
option auth 'SHA1'
option cipher 'BF-CBC'
option float '1'
option reneg_sec '30'
option enabled '1'
option tls_auth '/etc/openvpn/certs/ta.key'
option remote_cert_tls 'client'
option tls_version_min '1.0'
option client_to_client '1'

TLS-related stuff in the client (Win10) config:

auth SHA1
cipher BF-CBC
mssfix 0
fragment 0
remote-cert-eku "TLS Web Server Authentication"
tls-auth "C:\Program Files\OpenVPN\config\tauth.key"

It comes from my oldish post (before the Foris openvpn plugin was introduced, so all the stuff was manual or via LuCI; it is in CZ, but the sourced links are very useful for studying what/where/how :slight_smile: ) … Kterak jsem si rozchodil (aspon doufam) openVPN - Všeobecná diskuze [CZ] - Turris forum

Good luck :slight_smile:
EDIT: some reading https://openvpn.net/access-server-manual/configuration-tls-settings/
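Two things in this thread are worth checking mechanically before reading a verb 5 log: whether the inline key in the client profile is byte-for-byte the same 2048-bit static key the server loads (the original question's "tls-crypt unwrapping failed"), and whether the two ends agree on tls-auth vs tls-crypt and on the directives the reply above says must match (auth, cipher, tls-version-min). The script below is an added example, not code from this thread, from Turris or from the OpenVPN project. It assumes the UCI option names shown in the thread (tls_crypt, tls_auth, auth, cipher, tls_version_min) map to the same-named .ovpn directives, and every config and key in it is constructed for the demo; point it at a real ta.key, /etc/config/openvpn section and client .ovpn to use it.

```python
"""Added example: compare an OpenVPN client profile with a Turris/OpenWrt UCI
server section and report the mismatches this thread talks about.  All keys
and configs below are constructed for the demo (not real Turris output)."""
import re

STATIC_KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_KEY_END = "-----END OpenVPN Static key V1-----"
# (UCI name on the server, directive name in the .ovpn) pairs the reply says must agree.
MATCHED_DIRECTIVES = (("auth", "auth"), ("cipher", "cipher"),
                      ("tls_version_min", "tls-version-min"))


def parse_static_key(text):
    """Return the 256 key bytes of an 'OpenVPN Static key V1' block.

    'openvpn --genkey' writes 16 lines of 32 hex digits (2048 bits) between the
    BEGIN/END markers; anything else is rejected, so a truncated or hand-edited
    paste is caught here instead of surfacing as 'unwrapping failed' later."""
    lines = [ln.strip() for ln in text.splitlines()]
    if STATIC_KEY_BEGIN not in lines or STATIC_KEY_END not in lines:
        raise ValueError("BEGIN/END markers missing")
    body = lines[lines.index(STATIC_KEY_BEGIN) + 1:lines.index(STATIC_KEY_END)]
    hexdigits = "".join(ln for ln in body if ln and not ln.startswith("#"))
    if not re.fullmatch(r"[0-9A-Fa-f]{512}", hexdigits):
        raise ValueError("key body must be exactly 512 hex digits (2048 bits)")
    return bytes.fromhex(hexdigits)


def parse_uci_options(text):
    """Map the 'option name value' lines of one UCI section to name -> value."""
    opts = {}
    for ln in text.splitlines():
        m = re.match(r"\s*option\s+(\w+)\s+(.+?)\s*$", ln)
        if m:
            opts[m.group(1)] = m.group(2).strip("'\"")
    return opts


def parse_ovpn(text):
    """Split an .ovpn profile into directives (name -> args) and inline
    <tag>...</tag> blocks (tag -> body text)."""
    directives, blocks, tag, buf = {}, {}, None, []
    for ln in text.splitlines():
        s = ln.strip()
        if tag:                                   # inside an inline block
            if s == f"</{tag}>":
                blocks[tag], tag, buf = "\n".join(buf), None, []
            else:
                buf.append(s)
        elif re.fullmatch(r"<[a-z-]+>", s):
            tag = s[1:-1]
        elif s and not s.startswith(("#", ";")):
            name, *args = s.split()
            directives[name] = args
    return directives, blocks


def control_channel_mode(opts, directives, blocks):
    """Return (server_mode, client_mode), each 'tls-crypt', 'tls-auth' or None."""
    server = "tls-crypt" if "tls_crypt" in opts else "tls-auth" if "tls_auth" in opts else None
    client = next((m for m in ("tls-crypt", "tls-auth") if m in directives or m in blocks), None)
    return server, client


def check_profile(server_uci, server_key_text, client_ovpn):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    opts = parse_uci_options(server_uci)
    directives, blocks = parse_ovpn(client_ovpn)

    server_mode, client_mode = control_channel_mode(opts, directives, blocks)
    if server_mode != client_mode:
        findings.append(f"control channel differs: server uses {server_mode}, client uses {client_mode}")

    inline = blocks.get("tls-crypt", blocks.get("tls-auth"))   # inline key, if the profile embeds one
    if inline is not None:
        try:
            if parse_static_key(inline) != parse_static_key(server_key_text):
                findings.append("inline static key differs from the server's ta.key")
        except ValueError as err:
            findings.append(f"static key malformed: {err}")

    for uci_name, ovpn_name in MATCHED_DIRECTIVES:
        server_val = opts.get(uci_name)
        client_val = (directives.get(ovpn_name) or [None])[0]
        if server_val != client_val:
            findings.append(f"{ovpn_name}: server={server_val!r}, client={client_val!r}")
    return findings


def _key_text(hexdigits):
    """Lay hex digits out the way 'openvpn --genkey' does (16 lines of 32)."""
    rows = [hexdigits[i:i + 32] for i in range(0, 512, 32)]
    return "\n".join(["# 2048 bit OpenVPN static key", STATIC_KEY_BEGIN, *rows, STATIC_KEY_END])


# Constructed keys: WRONG_KEY differs from SERVER_KEY only in its last hex digit.
SERVER_KEY = _key_text("0123456789abcdef" * 32)
WRONG_KEY = _key_text("0123456789abcdef" * 31 + "0123456789abcdee")
# Constructed server section (placeholder section name, not Foris output).
SERVER_UCI = """config openvpn 'server_example'
\toption enabled '1'
\toption port '1194'
\toption tls_crypt '/etc/openvpn/ta.key'
\toption auth 'SHA256'
\toption cipher 'AES-256-GCM'
"""
CLIENT_OK = f"client\ndev tun\nremote router.example 1194\nauth SHA256\ncipher AES-256-GCM\n<tls-crypt>\n{SERVER_KEY}\n</tls-crypt>\n"
CLIENT_WRONG_KEY = CLIENT_OK.replace(SERVER_KEY, WRONG_KEY)
CLIENT_TLS_AUTH = CLIENT_OK.replace("tls-crypt>", "tls-auth>") + "key-direction 1\n"

if __name__ == "__main__":
    for label, profile in (("matching profile", CLIENT_OK), ("wrong key", CLIENT_WRONG_KEY),
                           ("tls-auth client", CLIENT_TLS_AUTH)):
        print(label, "->", check_profile(SERVER_UCI, SERVER_KEY, profile) or ["no mismatch found"])
```

The key comparison is the check that answers the original question directly: a client that "consumed the ta.key" can still hold a key that differs by one character from the file the server reads, and only a byte comparison tells. The directive comparison just reports differences for you to judge; on OpenVPN 2.4 and later the data-channel cipher is negotiated, so a differing `cipher` line is not by itself fatal, while a `tls-version-min` set on one side only is exactly the case the reply describes.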