I was able to get this working with the great documentation. The PKI on PC instead of the device is a great tip.
I'd like to be able to achieve the same thing via LuCI. It seems like by following these instructions the only thing that becomes visible in the UI is the firewall rule allow WAN>device UDP/Port.
Is it possible that LuCI simply does not (yet) have matching configs? It seems like there isn't even a VPN/tun0 zone visible?
Hopefully this question makes sense!
luci has most parameters available... albeit in a very clunky / inefficient "one-by-one" workflow.
i am not aware of nor have i attempted the key generation within luci. although, as you mention, doing so "off-router" and copying the keys via scp is pretty trivial, if not advisable best practice.
having said this, the plethora of options and varying setups make it difficult to streamline this process to any degree (config upload and translate seems the most practical)... so apart from an integrated keygen-UI or switching to a lengthy dd-wrt style config menu, not much more can / needs to be done.
so in short, generate keys off router and add server options one by one in the UI and report back... ( specifically if you find a parameter is not available in the UI )...
in my logbook I had written the following comment: "do not use luci-app-openvpn: some options, namely push dns, are not available"