OpenVPN service won't start "Error 1" / Mobile Clients can't connect
If your clients can't connect, the OpenVPN service may not be running. If that's the case you may also see the error "TLS Warning: no data channel send key available" in the OpenVPN log.
Searching for this issue resulted in nothing so I had to figure it out on my own. This post is for anyone searching for the same issue - perhaps it'll help you. (I found other people with the same problem but no one had a resolution).
The scenario I'm covering is the one I found as the cause of the other (now closed yet unresolved) posts - as well as the cause of my problem.
BTW in my opinion this particular scenario is a bug in PFSense. There should be checks before saving a live config file that breaks the system.
The OpenVPN service will not start due to an error in the configuration file that is generated by PFSense.
The only thing in the default OpenVPN log is the TLS data channel warning mentioned above. Nothing indicates that the OpenVPN Mobile service is down, since clients are still able to get an initial connection for TLS negotiation.
The cause is a missing semicolon (;) after each entry (except the last one) in the "Custom Options" box of the OpenVPN Server configuration. Yes, the hint below the box says to separate entries with semicolons, but if you miss that, the page saves without checking anything.
PFSense then writes a now invalid OpenVPN config file, OpenVPN fails to start, and the web UI reports no error.
Check whether OpenVPN is running: on the PFSense dashboard, add the "Services Status" widget. OpenVPN Mobile will be on that list; a red X means it is not running. Click the "Play" button (arrow) next to it to try starting it. If it doesn't start, you need to find out why: go to Status->System Logs, open the System tab and search for openvpn. For me I found this:
Jun 30 14:08:25 php-fpm 338 OpenVPN failed to start
Jun 30 14:08:25 php-fpm 338 /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1/config.ovpn'' returned exit code '1', the output was ''
When the PFSense web UI runs that shell command to start OpenVPN, the process exits with status 1. Exit code 1 is not "access denied" (that idea comes from errno 1, EPERM, which is a different thing); OpenVPN exits with status 1 for essentially any fatal error, including an options (config parsing) error, and the web UI captured no output that would say which. In this case the problem is the OpenVPN config file itself.
Setting the OpenVPN Server log verbosity to 11 (the maximum), I tried starting the OpenVPN service and saw this:
Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server1/config.ovpn:43: push (2.5.1)
I SSH'd into the PFSense box and looked at that file. The line causing OpenVPN not to start was (IPs changed for this post):
push "route 126.96.36.199 255.255.255.0"push "route 188.8.131.52 255.255.255.0"
Note how the two push entries are jammed together on one line. That is how PFSense saved them, and why you need to put a semicolon after each entry except the last one. Once the semicolons are in place, save and start the service again from the widget; the options error disappears from the log.
If parsing a free-text options box is impractical, perhaps PFSense should run a config check on the proposed file before writing the live one, and report back to the user what the OpenVPN service complained about.
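As an added illustration of the pre-save check suggested above (this is my own example code, not pfSense's or OpenVPN's), the script below models the expansion the post describes, namely that the "Custom Options" box is split on semicolons and each entry becomes one line of config.ovpn, so a missing semicolon fuses two entries into one line. It then checks each resulting line the way OpenVPN's option parser would object to it: an unknown directive, unbalanced quotes, or the wrong number of parameters after shell-style quote handling. The directive table is a small hand-picked subset of OpenVPN 2.x options, the expansion model and the error wording are assumptions, and the sample box contents are constructed from the post's own (already changed) IPs.

```python
"""Pre-save lint for the pfSense OpenVPN "Custom Options" box.

Added, illustrative code: not pfSense's or OpenVPN's own code. It models
the behaviour the post describes (box split on ';', one entry per config
line) and then checks each line roughly the way OpenVPN's option parser
would: unknown directive, unbalanced quotes, or wrong parameter count.
"""
import shlex

# Hand-picked subset of OpenVPN 2.x directives -> (min_params, max_params).
# Assumption: only these are checked; anything else is reported as unrecognized.
DIRECTIVES = {
    "push": (1, 1),
    "route": (1, 4),
    "dhcp-option": (1, 2),
    "keepalive": (2, 2),
    "verb": (1, 1),
    "client-to-client": (0, 0),
    "duplicate-cn": (0, 0),
    "tls-version-min": (1, 2),
}


def expand_custom_options(box_text):
    """Model (assumption) of the expansion the post describes: split on ';',
    drop newlines inside each entry, write one entry per config line."""
    lines = []
    for entry in box_text.split(";"):
        entry = entry.replace("\r", "").replace("\n", "").strip()
        if entry:
            lines.append(entry)
    return lines


def lint_line(line):
    """Return None if the line parses, else a short OpenVPN-style complaint."""
    try:
        # OpenVPN honours double quotes like a shell does, so the fused line
        # 'push "route a"push "route b"' tokenizes as push + TWO parameters.
        tokens = shlex.split(line, comments=True)
    except ValueError as exc:
        return f"unbalanced quotes ({exc})"
    if not tokens:
        return None  # blank or comment-only line
    directive, params = tokens[0], tokens[1:]
    if directive not in DIRECTIVES:
        return f"Unrecognized option: {directive}"
    lo, hi = DIRECTIVES[directive]
    if not lo <= len(params) <= hi:
        return (f"missing or extra parameter(s): {directive} "
                f"(expected {lo}-{hi}, got {len(params)})")
    return None


def lint_custom_options(box_text):
    """Lint the whole box. Returns [(config_line_no, line, problem), ...]; [] means clean."""
    problems = []
    for n, line in enumerate(expand_custom_options(box_text), start=1):
        problem = lint_line(line)
        if problem:
            problems.append((n, line, problem))
    return problems


# Constructed sample inputs (IPs are the post's already-changed ones).
# What the post describes: two push entries on separate lines, no ';'.
BAD_BOX = (
    'push "route 126.96.36.199 255.255.255.0"\n'
    'push "route 188.8.131.52 255.255.255.0"'
)
# The same two entries separated with ';' as the UI hint asks.
GOOD_BOX = (
    'push "route 126.96.36.199 255.255.255.0";\n'
    'push "route 188.8.131.52 255.255.255.0"'
)
# A different mistake the same check catches: too few parameters.
MISSING_BOX = 'keepalive 10;\nclient-to-client'

if __name__ == "__main__":
    for name, box in (("BAD_BOX", BAD_BOX), ("GOOD_BOX", GOOD_BOX), ("MISSING_BOX", MISSING_BOX)):
        problems = lint_custom_options(box)
        print(f"{name}: {'OK' if not problems else ''}")
        for n, line, problem in problems:
            print(f"  config.ovpn:{n}: {problem}\n    {line}")
```

Run as-is it reports the fused push line from the post as line 1 with one parameter too many, which is the same complaint OpenVPN logged ("missing or extra parameter(s)"), and passes the semicolon-separated version. A check of this shape, run against the candidate config before it replaces the live one, would have surfaced the mistake at save time instead of as a silent exit code 1.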