You got me confused now I had to check my .conf file; but I think tls-auth /etc/openvpn/ta.key 1 stands for the dynamic one. So the preshared ta.key file is needed probably for this very reason:
In fact, I'm not really sure what the static key mode is. Is it the non-PKI one?
Now I'm not sure how exacly they implemented this; if hash is encryped seperate from data or together. But I know if an attacker changes a single bit in the packet the hash will fail.
The whole idea is that the server has to be able to be extract the hash from the packet in order to filter out dodgy UDP packets to save the cypher and the TCP/IP stack from further processing. Sort of not letting your 'pipe' get 'clogged'. Thankfully, this is just the first line of defence. That being said as long as the hash can be extracted from the packet it would be possible to encrypt them together, but I'll try to read up on this later.
PS: MD5 is not recomended due to vulnerabilities and some other problems.