Hi @larsen,
no problem, mine is currently broken too.
According to your problem, --tls-auth should work. Here, in Hardening OpenVPN Security | OpenVPN (in the IPFire wiki, a little rudimentary of course, too), you can read a little more about this kind of hardening.
Speaking about the downtime: I think you can maybe manage this easily.

1) After your office is closed, activate the “TLS Channel Protection” in the WUI and create all packages.
2) Deactivate the “TLS Channel Protection” again to be able to use the VPN connection as before.
3) Distribute the packages during working hours, maybe also via VPN…
4) Set a time limit by which all clients need to use the new config with the new static key.
5) After the time limit has been reached, activate the VPN, but now with “TLS Channel Protection” enabled in the WUI.

As an idea.
Best,
Erik