This PR adds the CAP_NET_ADMIN capability to the openvpn daemon instead of passwordless access to sudo for the tunnel user. It allows for creating, destroying and managing tun devices, setting routing tables, etc. This capability exists only inside the running service. Otherwise the openvpn binary and the tunnel user are totally unprivileged.
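One way to check the claim above on a deployed host, as an added example that is not part of the PR: read the daemon's `/proc/<pid>/status` and confirm it runs as a non-root user whose effective capability mask is exactly CAP_NET_ADMIN (bit 12). The function names, the UID 996 and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): audit a process's effective capabilities.
CAP_NET_ADMIN_BIT=12   # value of CAP_NET_ADMIN in linux/capability.h

# Print the first value of one field (e.g. Uid, CapEff) from status text on stdin.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Classify a CapEff hex mask: ok = only CAP_NET_ADMIN, missing = bit not set,
# excess = CAP_NET_ADMIN plus other capabilities.
classify_cap_eff() {
    mask=$(( 0x$1 ))
    want=$(( 1 << $CAP_NET_ADMIN_BIT ))
    if [ $(( mask & want )) -eq 0 ]; then
        echo "missing"
    elif [ "$mask" -ne "$want" ]; then
        echo "excess"
    else
        echo "ok"
    fi
}

# Read /proc/<pid>/status text on stdin; report "root" if the real UID is 0,
# otherwise the classification of the effective capability mask.
audit_status() {
    status=$(cat)
    uid=$(printf '%s\n' "$status" | status_field Uid)
    cap=$(printf '%s\n' "$status" | status_field CapEff)
    if [ "$uid" = "0" ]; then
        echo "root"
        return
    fi
    classify_cap_eff "$cap"
}

# Constructed sample of the relevant status lines (the real file is tab-separated;
# awk splits on any whitespace).
SAMPLE_STATUS='Name: openvpn
Uid: 996 996 996 996
CapEff: 0000000000001000'

printf '%s\n' "$SAMPLE_STATUS" | audit_status
```

On a live system, feed it the real file, for example `audit_status < /proc/<pid>/status` with the daemon's PID. A result of `excess` or `root` means the process holds more privilege than the PR describes.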