I would like to have two-factor authentication: certificate-based authentication in OpenVPN as well as user/password authentication via the RADIUS plugin provided on the server (Synology NAS DS2016play with DSM 6.2.3-25426). The client is a Raspberry Pi 4 with OpenVPN installed.
This works, but every hour I get disconnected for 15–20 minutes due to a RADIUS plugin failure. I thought this had to do with the hourly TLS renegotiation, but I do not want to reduce security by disabling that feature.
Instead, the issue seems to be the IP address that the plugin uses: it is the external address, and the router there only has port 1194 open for OpenVPN. Why is RADIUS not using the local IP address, and how can I change this?
What are my options to avoid this downtime?
/var/log/messages:
2020-06-08T09:56:52+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /var/packages/VPNCenter/target/lib/radiusplugin.so
2020-06-08T09:56:52+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 TLS Auth Error: Auth Username/Password verification failed for peer
2020-06-08T09:57:53+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xx.xxx.xxx.xxx:38874 [1]
...
/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user
# Server side: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user
dev tun
proto udp
# Management interface bound to loopback only (TCP on 127.0.0.1); the port number
# happens to match the VPN port but does not conflict with the UDP listener.
management 127.0.0.1 1194
# VPN address pool handed to clients; client-to-client / topology subnet below apply to it
server 192.168.3.0 255.255.255.0
route 192.168.178.0 255.255.255.0
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
max-clients 4
push "sndbuf 0"
push "rcvbuf 0"
sndbuf 0
rcvbuf 0
# Per-client overrides are looked up by common name in this directory (see
# username-as-common-name at the bottom for which name is used).
client-config-dir /usr/syno/etc/packages/VPNCenter/openvpn/ccd
client-to-client
topology subnet
#ifconfig-pool 192.168.3.10 192.168.3.100 255.255.255.0
# First factor: X.509 certificates from the custom_certs directory.
dh /usr/syno/etc/packages/VPNCenter/custom_certs/dh4096.pem
ca /usr/syno/etc/packages/VPNCenter/custom_certs/CA.crt
cert /usr/syno/etc/packages/VPNCenter/custom_certs/Server.crt
key /usr/syno/etc/packages/VPNCenter/custom_certs/Server.key
comp-lzo no
fast-io
cipher AES-256-CBC
prng SHA512 64
auth SHA512
tls-version-min 1.2
# Control-channel HMAC; the server uses key-direction 0, so the client must use 1
# (it does in the client config below).
tls-auth /usr/syno/etc/packages/VPNCenter/custom_certs/ta.key
key-direction 0
# Require the client certificate to carry the TLS client EKU, so a server cert
# issued by the same CA cannot be reused as a client credential.
remote-cert-tls client
persist-tun
persist-key
verb 5
#verb 0
#log-append /var/log/openvpn.log
keepalive 10 60
# Comment out to re-negotiate the TLS connection every hour.
# NOTE(review): reneg-sec 0 only stops this side from initiating renegotiation.
# The client config below sets no reneg-sec, so its default (presumably the
# usual 3600 s) still drives an hourly renegotiation, which re-runs the
# plugin's user/password verification — confirm against the timing in
# /var/log/messages.
reneg-sec 0
# Second factor: the RADIUS plugin handles PLUGIN_AUTH_USER_PASS_VERIFY on every
# (re)negotiation; this is the call that fails in the logged error.
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
# Use the RADIUS-authenticated username, not the certificate CN, as the common
# name (affects ccd lookup and client identification).
username-as-common-name
Client Config
# Client side (Raspberry Pi 4). No reneg-sec is set here, so the client's default
# renegotiation interval still applies regardless of reneg-sec 0 on the server.
remote xx.xxx.xxx.xxx 1194
nobind
# Allow the remote to change its source address/port after authentication
float
topology subnet
connect-retry 60
ping-restart 90
mtu-test
# On an auth failure, retry with the same credentials without prompting —
# presumably why the client keeps retrying the failing RADIUS check on its own.
auth-retry nointeract
# Exact common-name check on the server certificate; assumes the server cert CN
# is "Server" — confirm against Server.crt.
verify-x509-name Server name
dev tun
proto udp
pull
tls-client
# Require the server certificate to carry the TLS server EKU (mirror of the
# server's remote-cert-tls client).
remote-cert-tls server
cipher AES-256-CBC
prng SHA512 64
auth SHA512
tls-version-min 1.2
fast-io
comp-lzo no
# Second-factor credentials for the RADIUS plugin are read from this file; it
# holds the user/password in cleartext, so keep it readable by root only.
auth-user-pass /etc/openvpn/credentials
#auth-nocache
<tls-auth>
...
key-direction 1
<cert>
...
<key>
...
<ca>
...