Seems to me the concerns expressed about PSK (pre-shared key) are unwarranted.
When dealing w/ OpenVPN, we have to be very clear about the definition and purpose of PSK. In OpenVPN parlance, PSK is referred to as a Static Key, and I will refer to it by that terminology from herein out.
A static key can be used in two very different contexts.
If you create a tunnel based on a static key (which AFAIK, no commercial OpenVPN provider offers), then yes, use of a static key that's shared by everyone would indeed be pointless, since that's the *only* authentication/encryption provided. Use of a static key in this context is nothing more than the equivalent of a
one-time pad. And so let's put that usage of a static key aside for the time being.
More commonly, commercial OpenVPN providers use TLS to configure their systems, and a static key in that context is *only* used to authenticate packets (specifically, using the tls-auth or tls-crypt directive). IOW, to make sure the packets indeed came from a client that was configured for that server. But the primary (perhaps only) benefit of this feature is to prevent/mitigate DOS/DDOS attacks. If the static key used to encrypt the packets is wrong, the server can *immediately* throw the packet away, and therefore NOT waste time and resources establishing a connection only to find out later the connection attempt is illegitimate (e.g., invalid private key). That's why the use of a static key when using TLS is optional. In many cases, it's just not worth the effort, esp. if it's shared by all (obviously a hacker could/would know it). And that's why for home-users w/ their own OpenVPN server, using a static key is probably not worth the trouble either, even if it remains a secret. The chances you will encounter a DOS/DDOS attack are slim. And even if you do, your ability to thwart it is highly improbable. You'd be better off to contact your ISP and see what they can do to help you.
When using TLS, your security comes from the private/public keypair used to encrypt and authenticate the connection, and the *dynamically* created, every changing session (static) key used to encrypt *data* packets. THAT'S THE ONE THAT REALLY MATTERS!
In fact, you'll sometimes see OpenVPN providers instruct their users to add the following to the custom config field.
What this does is
disables regeneration of the session (static) key! If anything is putting your security at risk, it's this directive! By default, the key is regenerated every 3600 seconds, but can be anything you want using the reneg-sec directive, perhaps every 60 seconds in some cases if you have real concerns. Of course, that adds overhead. And that's why some OpenVPN providers would prefer you disable it (although they never come right out and state that's the reason; they just hope you will naively do as they instruct). Preventing constant regeneration of the session (static) key over many thousands of users adds up in terms of saving resources on the part of the provider, but at the price of YOUR security.
None of this is to say that managing your own OpenVPN server in the cloud can't provide other advantages (and disadvantages). But this issue w/ the static key, imo, is bogus (or at least the concern is vastly overstated). For the longest time, I didn't even use a static key (tls-auth) w/ my OpenVPN server, and was none the worse for it. Eventually I did, mostly because everyone else was, and it didn't hurt to have it. But it wouldn't concern me in the least if I disabled it tomorrow.
