Comment 9 for bug 1511524

Andreas Ntaflos (daff) wrote :

This is still a problem in Ubuntu 18.04.

Note: systemd unit files provided by packages should not be modified by the user after installation; instead, systemd's drop-in feature should be used.

The proper workaround for this bug is to create the file /etc/systemd/system/openvpn@.service.d/10-pam-capability-fix.conf with the following contents (notice the added CAP_AUDIT_WRITE keyword):

[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

Afterwards issue "systemctl daemon-reload" to make systemd aware of the drop-in and then restart the OpenVPN service.
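
A way to check the result of the drop-in described in the comment above, as an added example that is not part of the original comment: it computes the effective CapabilityBoundingSet from unit text, following systemd's rules that an empty assignment resets the set and repeated assignments are merged. The packaged unit's capability list is an assumption (the drop-in's list without CAP_AUDIT_WRITE), and the function names are hypothetical.

```shell
#!/bin/sh
# Print the effective CapabilityBoundingSet (one name per line, sorted) for
# unit text read on stdin: packaged unit first, then drop-ins in order.
effective_caps() {
    awk '
        /^[ \t]*CapabilityBoundingSet[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            if ($0 ~ /^[ \t]*$/) { split("", caps); next }  # empty value resets the set
            if ($0 ~ /^~/) next                             # inverted lists not handled here
            n = split($0, f)
            for (i = 1; i <= n; i++) caps[f[i]] = 1         # repeated lines are merged
        }
        END { for (c in caps) print c }
    ' | sort
}

# has_cap CAP_NAME: succeed if the unit text on stdin ends up granting CAP_NAME.
has_cap() {
    effective_caps | grep -qx "$1"
}

# Constructed stand-in for the packaged unit (assumed: no CAP_AUDIT_WRITE).
packaged_unit() {
    cat <<'EOF'
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
EOF
}

# The drop-in from the comment: reset, then the full list with CAP_AUDIT_WRITE.
drop_in() {
    cat <<'EOF'
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
EOF
}

packaged_unit | has_cap CAP_AUDIT_WRITE ||
    echo "packaged unit alone: CAP_AUDIT_WRITE missing"
{ packaged_unit; drop_in; } | has_cap CAP_AUDIT_WRITE &&
    echo "with drop-in: CAP_AUDIT_WRITE present"
```

On a live host the same check can read the real files, for example `systemctl cat openvpn@NAME.service | has_cap CAP_AUDIT_WRITE`, where NAME is a placeholder for the instance name.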