A critical feature of their dwellings is not simply "how to get into them," but quite literally, "how to find them." As this YouTube clip from the movie demonstrates, the dwarves hid their kingdoms behind magical doors in the side of cliffs ... doors whose very existence was concealed.
(1:06) "Dwarf doors are invisible when closed. [Even...] their masters cannot find them, if their secrets are forgotten ..."
In other words ... "a Dwarvish Door."
Effective use of OpenVPN security requires that you, first(!) of all, entirely give up on the notion of relying on "passwords" (a.k.a. "PSKs = Pre-Shared Keys" in VPN parlance ...) to provide security. Instead, you must rely on one-of-a-kind, unique, cryptographically secure badges, a.k.a. "digital certificates." The rule is very simple: "either you possess such a thing, or you do not." And, "either the one-of-a-kind certificate that you possess has been revoked, or it has not."
(This is, of course, precisely the same thing that you encounter every day when you arrive at your office: you "swipe your badge." No one is ever standing there, requiring you to "say the magic word ...")
In the case of tls-auth, two digital certificates are required. The first is needed simply to cause the server to respond to you at all. The second is needed to gain access.
Many companies erroneously rely upon other technologies, such as ssh, as their first line of digital defense. Others use "conventional" VPN technologies, such as IPsec. The trouble with these technologies is not only that "they can be brute-forced," but that "they can be detected(!)." Script kiddies are constantly patrolling the Internet looking for new targets, and, when they detect a new one, will promptly begin to throw connection attempts at it ... sometimes, thousands per second. Even if you have done the right thing and shielded these gateways with "certificates, instead of passwords," you are still obliged to waste enormous amounts of time throwing off the dogs who have found you.
If you, instead, use "a Dwarvish Door" as your first line of defense ... "they can't find you."
After an authorized user, who is in possession of both of these necessary ("one-of-a-kind, and non-revoked ...") keys, gains access to your OpenVPN, then you (of course) will have still more obstacles to throw at him – an ssh portcullis that can only be passed by possession of yet another digital certificate (and, perhaps, an associated passphrase ...), and so on. But by this point you have culled out 99.999% of the "utter nuisances" against which you would otherwise have to endlessly defend.
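A simplified model of the first-layer gate described above, as an added example that is not from the original post and does not reproduce OpenVPN's wire format: the server replies only to packets authenticated with the first credential (the key given to tls-auth) and stays silent for everything else. The packet layout, `seal`, `Gate`, `MAX_SKEW` and the reply string are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32      # HMAC-SHA256 output size
MAX_SKEW = 30     # assumed: seconds a packet timestamp may differ from server time


def seal(gate_key: bytes, payload: bytes, now: int) -> bytes:
    """Client side: prepend a timestamp, then an HMAC tag over timestamp+payload."""
    body = struct.pack(">Q", now) + payload
    tag = hmac.new(gate_key, body, hashlib.sha256).digest()
    return tag + body


class Gate:
    """Server side: answer only packets carrying a valid, fresh, unseen tag."""

    def __init__(self, gate_key: bytes):
        self._key = gate_key
        self._seen = set()   # accepted tags (a real server would bound this window)

    def handle(self, datagram: bytes, now: int):
        if len(datagram) < TAG_LEN + 8:
            return None                      # too short: drop silently
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                      # wrong key: no reply, no error
        (sent_at,) = struct.unpack(">Q", body[:8])
        if abs(now - sent_at) > MAX_SKEW or tag in self._seen:
            return None                      # stale or replayed packet
        self._seen.add(tag)
        # Only past this point would the second layer (certificate check) run.
        return b"TLS-HANDSHAKE-MAY-BEGIN"


def demo():
    key = b"\x01" * 32                       # constructed sample key
    gate = Gate(key)
    probe = b"\x38" + b"\x00" * 13           # constructed probe with no tag
    forged = seal(b"\x02" * 32, b"hello", 1000)   # sealed with the wrong key
    good = seal(key, b"hello", 1000)
    # The last entry replays the valid packet and is dropped like the probes.
    return [gate.handle(p, 1000) for p in (probe, forged, good, good)]
```

From the outside, the probe, the forged packet and the replay are indistinguishable from a closed or filtered UDP port, because none of them produces any response.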