share tls key is not present in client template (openvpn 2.6 / easyrsa 3.1) #251

Closed
EugenMayer opened this issue Nov 1, 2023 · 4 comments


EugenMayer commented Nov 1, 2023

This is our client config

{{- range $server := .Hosts }}
remote {{ $server.Host }} {{ $server.Port }} {{ $server.Protocol }}
{{- end }}

verb 1
client
nobind
dev tun
key-direction 1
tls-client
remote-cert-tls server
mute 3
resolv-retry infinite

# those values MUST match on server AND client
fragment 1300
mssfix 1300
comp-lzo no

# no cipher setting, should be automatically negotiated

{{- if .PasswdAuth }}
auth-user-pass
{{- end }}

<cert>
{{ .Cert -}}
</cert>
<key>
{{ .Key -}}
</key>
<ca>
{{ .CA -}}
</ca>
<tls-auth>
{{ .TLS -}}
</tls-auth>

The server config includes

cat server.conf| grep tls-auth
tls-auth ./ta.key 0

And it is located at /etc/openvpn/server.conf; the shared secret is right next to it

ls -la /etc/openvpn/ta.key
-rw------- 1 root root 636 Oct 31 23:31 /etc/openvpn/ta.key

Still, when downloading a client configuration, <tls-auth> is not populated (empty). I need to add it manually so the import / client connection actually works.

We are using Debian 12 (bookworm) and thus easyrsa 3.1+ (not fully supported, but we fixed that) and also openvpn 2.6.6.

I assume the latter might be an issue. Did something change on the management API part?

EugenMayer changed the title from "share tls key is not present in client template" to "share tls key is not present in client template (openvpn 2.6 / easyrsa 3.1)" Nov 1, 2023

EugenMayer (Author) commented

Using an absolute path for the ta.key (/etc/openvpn/ta.key) did not help either.

pashcovich (Contributor) commented Nov 1, 2023

ovpn-admin does not read server.conf and waits for ta.key on the path easyrsaDirPath + /pki/ta.key

EugenMayer (Author) commented

@pashcovich thank you for the help. I cannot find anything about that in the docs. Did I miss that? If it is missing, should we add it?

pashcovich (Contributor) commented

There is no info about this in the docs. I will think about adding a note on this.
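A quick check for the mismatch pashcovich describes above, as an added example that is not part of ovpn-admin or of this thread: it compares the key named by `tls-auth` in server.conf with the file at easyrsaDirPath + /pki/ta.key. The function names and status words are made up here, and resolving a relative `tls-auth` path against the config's directory is an assumption.

```shell
#!/bin/sh
# Added example, not ovpn-admin code. Usage: script SERVER_CONF EASYRSA_DIR

# Path ovpn-admin reads, per the maintainer's comment: easyrsaDirPath + /pki/ta.key
expected_ta_key() { printf '%s/pki/ta.key\n' "${1%/}"; }

# Key file named by the tls-auth directive in an OpenVPN server config.
# Assumption: a relative path is resolved against the config's directory
# (OpenVPN itself resolves it against its working directory).
configured_ta_key() {
    key=$(awk '$1 == "tls-auth" { print $2; exit }' "$1" 2>/dev/null) || return 1
    [ -n "$key" ] || return 1
    case $key in
        /*) printf '%s\n' "$key" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "${key#./}" ;;
    esac
}

# check_ta_key SERVER_CONF EASYRSA_DIR
# Prints one status word and returns 0 only for "ok".
check_ta_key() {
    srv=$(configured_ta_key "$1") || { echo no-directive; return 1; }
    adm=$(expected_ta_key "$2")
    [ -f "$srv" ] || { echo server-key-missing; return 1; }
    [ -f "$adm" ] || { echo admin-key-missing; return 1; }   # the case in this issue
    cmp -s "$srv" "$adm" || { echo mismatch; return 1; }
    # The static key is a shared secret: flag any group/other read or write bit.
    loose=$(find "$srv" "$adm" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
    [ -z "$loose" ] || { echo loose-perms; return 1; }
    echo ok
}

# Constructed layout mirroring the issue: ta.key beside server.conf, nothing under pki/.
demo_issue_layout() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/openvpn" "$d/easyrsa/pki"
    printf 'port 1194\ntls-auth ./ta.key 0\n' > "$d/openvpn/server.conf"
    (umask 077; echo 'constructed placeholder, not a real key' > "$d/openvpn/ta.key")
    check_ta_key "$d/openvpn/server.conf" "$d/easyrsa"
    rc=$?; rm -rf "$d"; return $rc
}

if [ "$#" -eq 2 ]; then check_ta_key "$1" "$2"; else demo_issue_layout || true; fi
```

A result of `admin-key-missing` or `mismatch` means the downloaded client profiles will not carry the key the server actually uses.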
