If you've ever used OpenVPN, you've used TLS client authentication. That seems like a pretty huge hole to purposely put in your feature set. I understand not implementing it yet because it's more work, but I don't get drawing a line in the sand.