One more thing to note ... some of VPN's messages are just "pure crap."
Even on the server-log side, they were written by programmers in programmer
terms such that they basically don't give any useful information at all
about the nature of the actual problem.
Classic example I had of this, when trying to connect, was "self-signed certificate in chain." Or something to that effect. And, yes, the server certificate (which was being used for many successful connections) was indeed self-signed ... but that was not the actual problem. It turns out that the person-in-charge had actually sent me the wrong ca.crt file ... one in which the "state" field was "Pa" not "PA." (Therefore, the cert did not "match.") The message given, while technically correct in terms of describing the outcome of the connection attempt, gave no useful diagnostic information to any of us that would point to what was actually wrong ... not to the party trying to connect, and not to the back-end folks who were entitled to know details. There are a lot of "WTFs" like that in this territory (regardless of implementation).