No, our target server did not use tls-auth because it would only have added complexity and no valuable information. The threat model for tls-auth is pretty straightforward.
You're correct in your second paragraph. I'll quote James Yonan and myself from last Monday:
Using the tls-auth option should protect against this vulnerability (assuming that your tls-auth key is not known to the attacker).
tls-auth is irrelevant if the attacker knows the key, which is the case for consumer VPN services like ours.
Thank you very much for your reply! Of course it is irrelevant if the attacker knows the key, but that naturally depends on the threat model under consideration and your OP wasn’t too clear on that, hence my question :)
You're correct in your second paragraph. I'll quote James Yonan and myself from last Monday:
Using the tls-auth option should protect against this vulnerability (assuming that your tls-auth key is not known to the attacker).
tls-auth is irrelevant if the attacker knows the key, which is the case for consumer VPN services like ours.