Adding just this to NetworkManager environment seems to be a sufficient workaround:
$ cat /etc/systemd/system/NetworkManager.service.d/openvpn-workaround.conf
[Service]
Environment="NM_OPENVPN_CHROOT="
At least the connection survives SIGUSR1 to openvpn process.
I presume the correct solution would be to have
/usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper inside chroot?
