OpenVPN TLS Error: tls-crypt unwrapping failed

[brzvlg]

Hello!
I can't connect my OpenVPN client on RT-AC68U router (Asuswrt-Merlin version 386.11) to OpenVPN 2.5.5 (linux) server.
I couldn't connect even after I changed the default port and protocol to 55777/TCP.

But:

I tried to connect from a smartphone with the configuration file as below (Internet provider was also not changed) - this connection work.
I tried to connect from my router with stock firmware - this connection works.

If anyone has come across the same situation or similar or have any thoughts on this situation - please tell me))

client.ovpn

client
dev tun
proto tcp-server
remote <IP> 55777
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
tls-client
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

server.conf

port 55777
proto tcp-server
dev tun
ca ca.crt
cert <server>.crt
key <server>.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 6

openvpn.log

MULTI: multi_create_instance called
Re-using SSL/TLS context
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]IP:port
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]IP:port
IP:port TCPv4_SERVER READ [54] from [AF_INET]IP:port: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1454576213 2901697534 1650249908 1401841773 446090794 3405874145 562729282 3043350528 356 2070450688 0 ]
IP:port TLS: Initial packet from [AF_INET]IP:port, sid=68820f60 277402ee
IP:port tls-crypt unwrap error: packet authentication failed
IP:port TLS Error: tls-crypt unwrapping failed from [AF_INET]IP:port
IP:port Fatal TLS error (check_tls_errors_co), restarting
IP:port SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket

router log

NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Re-using SSL/TLS context
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
TCP/UDP: Preserving recently used remote address: [AF_INET]public IP:55777
Socket Buffers: R=[87380->87380] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]public IP:55777
TCP connection established with [AF_INET]public IP:55777
TCPv4_CLIENT link local: (not bound)
TCPv4_CLIENT link remote: [AF_INET]public IP:55777
TCPv4_CLIENT WRITE [54] to [AF_INET]public IP:55777: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1720593455 198464590 1222502404 1119666410 3836811855 2859902725 130295184 3021454336 356 2070527488 0 ]
Connection reset, restarting [0]
TCP/UDP: Closing socket
SIGUSR1[soft,connection-reset] received, process restarting
Restart pause, 300 second(s)

 

[brzvlg]

I solved my problem. I removed the "key-direction 1" directive and did as in the screenshot.

server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert vpnserv.crt
key vpnserv.key # This file should be kept secret
dh none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA512
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4