Followed the dubious https://fedoraproject.org/wiki/OpenVPN tutorial to get
Server Log:
""ERROR: Failed retrieving username or password"" then the server service restarts
Client Log:
"Reconnecting"
which I think is due to there not being a nopass (now there's an extra layer of encryption for the private key if the local device is compromised?).
Client config minus ca, cert, key + tls-crypt which I haven't touched. No idea where I got it.
Client Config
client
proto udp
explicit-exit-notify
remote REDACTED 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name REDACTED name
auth SHA256
auth-nocache #google told me to add
auth-user-pass #google told me to add
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 4
Server Config
port 1194
proto udp
dev tun
user nobody #What is this?
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server REDACTED 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS REDACTED"
push "dhcp-option DNS REDACTED"
push "route REDACTED 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
dh keys/dh.pem #what is this?
sndbuf 512000
rcvbuf 512000
push "sndbuf 512000"
push "rcvbuf 512000"
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca keys/ca.crt
cert keys/REDACTED.crt
key keys/REDACTED.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 6
Of course, in general I have no idea what I'm doing, what TLS etc is, but it took me a short time to set it up the first time. Now it seems that there's something that wasn't covered by the new tutorial.