OpenVPN 2.5 uses rtnetlink instead of iproute2 which has resulted in openvpn being unable to delete IP addresses or otherwise modify the interface after root privileges are dropped.
Resetting an OpenVPN client interface (to NordVPN), I get the following errors:
openvpn-vtun0: Closing TUN/TAP interface openvpn-vtun0: net_addr_v4_del: 10.8.1.7 dev vtun0 openvpn-vtun0: sitnl_send: rtnl: generic error (-1): Operation not permitted openvpn-vtun0: Linux can't del IP from iface vtun0 openvpn-vtun0: TUN/TAP device vtun0 opened openvpn-vtun0: net_iface_mtu_set: mtu 1500 for vtun0 openvpn-vtun0: sitnl_send: rtnl: generic error (-1): Operation not permitted openvpn-vtun0: Linux can't set mtu (1500) on vtun0 systemd: email@example.com: Main process exited, code=exited, status=1/FAILURE openvpn-vtun0: Exiting due to fatal error systemd: firstname.lastname@example.org: Failed with result 'exit-code'. systemd: email@example.com: Scheduled restart job, restart counter is at 2. systemd: Stopped OpenVPN connection to vtun0.
Multiple restarts end up with vtun0 gaining multiple addresses. which breaks routing via that interface.
However, with OpenVPN 2.5 and rtnetlink, it should now be possible to run openvpn as non-root from start to finish, using systemd capabilities. I tried the following (based on the archlinux solution):
Remove user & group directives from /run/vtun0.conf and add the following to /etc/systemd/system/openvpn@.service.d/override.conf
User=openvpn Group=openvpn AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
Ensure that the runtime directory and existing files were writable by openvpn user:
chmod -R openvpn:openvpn /run/openvpn
After executing systemctl daemon-reload and reset openvpn interface vtun0 everything appears to be working nicely, with the openvpn client running without root from start to finish.