The amount of Windows bashing in this thread is hilarious, for what amounts to Enterprise grade DNS-over-TLS with additional whitelisting. Doesn’t help the home user, but likely won’t break home users’ internet access either.
As an aside, these are the client logs, check the /var/log/ auth.log or secure files or journalctl to see if the server logged why the access was denied.
Yes, but as I’ve found recently AES-NI is only as good as your software support for it. Had a team using an ancient version of WinSCP and they kept complaining about download speeds on our 10Gb circuit. Couldn’t replicate it on any other machine with the newest version of WinSCP so I installed their exact version. AES-NI support wasn’t added until like 2020 and it gave them 5x better download speed after upgrading.
Does cryptsetup/luks do that? I thought that was only software encryption.
You can, sure, but you probably shouldn’t. Encrypting and decrypting consume additional cpu time, and you won’t gain much in terms of security.
I have used gocryptfs (https://github.com/rfjakob/gocryptfs) in the past, it creates an overlay mount that encrypts each dir and file separately, so no need to precreate a container. There are some security downsides to this approach though so be aware of that. https://nuetzlich.net/gocryptfs/threat_model/
The -k argument on my openssl accepts a passphrase, not a file. You likely encrypted with the filename as the secret, not its contents. Perhaps you should use -kfile instead.
```
$ openssl aes-256-cbc -help
Usage: aes-256-cbc [options]

General options:
 -help               Display this summary
 -list               List ciphers
 -ciphers            Alias for -list
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -engine val         Use engine, possibly a hardware device

Input options:
 -in infile          Input file
** -k val              Passphrase**
 -kfile infile       Read passphrase from file
```
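
The mix-up described in the comment above, reproduced as an added example (not part of the original comment). The file names, passphrase and plaintext are constructed sample values, and it assumes an `openssl` binary on PATH.

```sh
#!/bin/sh
# Constructed demo: all file names and contents below are sample values.

# try_decrypt FLAG SECRET ENC PLAIN
# Prints "ok" only if decryption succeeds AND reproduces PLAIN byte for byte.
# Comparing the output matters: a wrong key can occasionally pass the padding check.
try_decrypt() {
    if openssl aes-256-cbc -d "$1" "$2" -in "$3" -out "$3.out" 2>/dev/null \
        && cmp -s "$3.out" "$4"; then
        echo ok
    else
        echo fail
    fi
}

demo_k_vs_kfile() {
    work=$(mktemp -d) || return 2
    key="$work/key.txt"; plain="$work/plain.txt"; enc="$work/enc.bin"
    printf 'correct horse battery staple\n' > "$key"
    printf 'constructed sample plaintext\n' > "$plain"

    # The mistake: -k takes the passphrase itself, so the path string
    # "$key" becomes the secret, not the contents of the file.
    # stderr is silenced because newer builds warn about key derivation.
    openssl aes-256-cbc -e -k "$key" -in "$plain" -out "$enc" 2>/dev/null || return 2

    # Decrypting with the file's contents fails; the literal path string works.
    r_kfile=$(try_decrypt -kfile "$key" "$enc" "$plain")
    r_k=$(try_decrypt -k "$key" "$enc" "$plain")

    rm -rf "$work"
    echo "kfile=$r_kfile k=$r_k"
}

demo_k_vs_kfile
```

Data encrypted this way is protected only by the path string, which also shows up in shell history and process listings, so it should be re-encrypted with `-kfile` rather than kept as is.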