... of course, cap_sys_admin is (last I checked) quite powerful, so maybe that renders CapabilityBoundingSet moot; but without it, openvpn won't work.
This is because /bin/ip can have cap_sys_admin set on it, and the
capability bounding set in the unit doesn't allow that. The simple fix
is to add cap_sys_admin to the CapabilityBoundingSet in the systemd
service file.
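
The mismatch described above can be checked by comparing the file capabilities on `/bin/ip` with the unit's bounding set. This is an added example, not part of the original thread: the function name `missing_caps`, the placeholder `UNIT.service` and the sample strings are assumptions constructed for illustration, and paths containing spaces are not handled.

```shell
#!/bin/sh
# missing_caps GETCAP_LINE BOUNDING_SET
# Prints the capabilities named in a getcap output line that are absent from
# a space-separated bounding set. A capability the file carries but the
# bounding set lacks cannot be gained when the service executes that binary.
missing_caps() {
    line=$1
    # Unit files use CAP_FOO, systemctl show prints cap_foo: normalise to lower case.
    bset=" $(printf '%s' "$2" | tr 'A-Z' 'a-z') "
    # Drop the path (first word) and the " = " separator older libcap prints.
    clauses=${line#* }
    clauses=${clauses#= }
    out=""
    for clause in $clauses; do
        names=${clause%%[=+]*}      # "cap_a,cap_b=ep" -> "cap_a,cap_b"
        for cap in $(printf '%s' "$names" | tr ',' ' '); do
            case $bset in
                *" $cap "*) ;;                      # allowed by the bounding set
                *) out="$out${out:+ }$cap" ;;       # carried by the file, not allowed
            esac
        done
    done
    printf '%s\n' "$out"
}

# Constructed sample input (not taken from a real system):
sample_getcap='/bin/ip cap_net_admin,cap_sys_admin=ep'
sample_bset='cap_net_admin cap_net_raw cap_setgid cap_setuid'
echo "not in bounding set: $(missing_caps "$sample_getcap" "$sample_bset")"

# On a live host, feed it the real values (UNIT.service is a placeholder):
#   missing_caps "$(getcap /bin/ip)" \
#       "$(systemctl show -p CapabilityBoundingSet --value UNIT.service)"
```

An empty result means every file capability on the binary is already inside the bounding set, so widening the set would add privilege without fixing anything.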