One more thing to note ... some of VPN's messages are just "pure crap."
Even on the server-log side, they were written by programmers in
programmer terms such that they basically don't give any useful information at all
about the nature of the actual problem.
Classic example I had of this, when trying to connect, was "self-signed certificate in chain." Or something to that effect. And, yes, the server certificate (which was being used for many successful connections)
was indeed self-signed ... but that was not the actual problem. It turns out that the person-in-charge had actually sent me the wrong
ca.crt file ... one in which the "state" field was "Pa" not "PA." (Therefore, the cert did not "match.") The message given, while technically correct in terms of describing the outcome of the connection attempt, gave no useful diagnostic information to any of us that would point to what was actually wrong ... not to the party trying to connect, and not to the back-end folks who were entitled to know details. There are a
lot of
"WTFs" like that in this territory (regardless of implementation).