Re: [arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes




>> I do not oppose using whatever upstream is deploying, if it's
>> rationale. I just think that we could create a system user for
>> openvpn, even if most users will deploy it using root.
>
> We need root privileges at initialization phase, no? Privileges are dropped
> to nobody/nobody when initialization sequence completed.
>
> If we can make things work with non-root system user... Let me know how to do
> that. :D

You can have systemd-networkd create the tun (or tap) interface and
change its ownership to a specific user,
that way openvpn doesn't need privileges for that.

That's my setup with a bridged tap interface
https://gist.github.com/gdamjan/6b988389afe36e4bb769

For tap interfaces, networkd can also do the IP setup; for tun
interfaces, openvpn would need to use ... sudo?


-- 
damjan
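
The bridged-tap setup described in the message above, as an added example (it is not the contents of the linked gist and not part of the Arch package). Assumed names: the `openvpn` system account, interface `tap0`, an already configured bridge `br0`, the file names, and the `<openvpn-unit>` placeholder for whichever unit starts the daemon.

```ini
# --- /etc/systemd/network/25-vpn-tap.netdev (assumed file name) ---
# networkd creates a persistent tap device and hands ownership to the
# unprivileged account, so the daemon never needs CAP_NET_ADMIN to create it.
[NetDev]
Name=tap0
Kind=tap

[Tap]
# Assumed dedicated system account; it must exist before networkd starts.
User=openvpn
Group=openvpn

# --- /etc/systemd/network/25-vpn-tap.network (assumed file name) ---
# networkd also attaches the tap to the bridge, so no privileged
# link setup is left for openvpn to do.
[Match]
Name=tap0

[Network]
# Assumed bridge, defined in its own .netdev/.network files.
Bridge=br0

# --- /etc/systemd/system/<openvpn-unit>.service.d/nonroot.conf ---
# Start the daemon as the unprivileged account from the first instruction,
# instead of starting as root and dropping to nobody after initialization.
[Service]
User=openvpn
Group=openvpn

# --- OpenVPN configuration file, relevant lines only ---
# Attach to the pre-created device by its exact name; the kernel allows
# this because the device owner matches the process uid.
dev tap0
# No "user"/"group" directives here: there are no privileges left to drop.
# Keys and certificates must be readable by the openvpn account.
```

After `systemctl restart systemd-networkd`, `ip -d link show tap0` should list the tap device with the configured owner before the daemon is started.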


