DCO does not work with Ubuntu SystemD unit, if user is set

[bjoernv]

Describe the bug
If DCO is setup correctly, openvpn uses DCO, if it is started manually. See logs:
DCO device tun0 opened

But if openvpn started with the systemd unit openvpn@.service and a user is set, DCO is disabled. See logs:
TUN/TAP device tun1 opened

Version information (please complete the following information):

• OS: Ubuntu 22.04
• OpenVPN version: 2.6.8
• OpenVPN from https://build.openvpn.net/debian/openvpn/release/2.6 repository

This is caused by a missing capability in the systemd unit file /etc/systemd/system/openvpn@.service.

[Service]
...
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

The missing capability is CAP_SETPCAP.

The work-around is to create /etc/systemd/system/openvpn@.service.d/override.conf with this content:

[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

From the configuration file:

user openvpn
group openvpn

See openvpn-2.6.8/src/openvpn/dco.c:

        if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
        {
            msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
                "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
            return false;
        }
        if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
        {
            msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
                "Disabling data channel offload");
            return false;
        }

[ordex]

@dsommers you have more experience on this part. Do you agree with the proposed solution?