Package: openvpn
Version: 2.6.9-1+b1
Severity: normal

In order to make Data Channel Offload work, I had to add the following
override to the unit file in
/etc/systemd/system/openvpn@.service.d/override.conf:

    [Service]
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

(adding CAP_SETPCAP)

Without this, the following error message is shown when the VPN starts:

    ovpn-server[398176]: --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload

If this capability is too dangerous to be added in all installations, then
please reassign this bug to openvpn-dco-dkms so that this can at least be
documented in a README.Debian file there.

Francois
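
A check for the override described in this report, as an added example that is not part of the original message or of the openvpn package: it parses unit-file text and reports which capabilities DCO needs are missing from the `[Service]` bounding set. The required pair comes from the error message above; the function names and sample texts are constructed, and inverted (`~`) lists are not handled.

```python
import re

# Capabilities named by the error message in this report (DCO with --user).
REQUIRED_FOR_DCO = {"CAP_NET_ADMIN", "CAP_SETPCAP"}

# Constructed samples: the report's override line, with and without CAP_SETPCAP.
_COMMON = ("CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW "
           "CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE")
BEFORE = "[Service]\nCapabilityBoundingSet=" + _COMMON + "\n"
AFTER = "[Service]\nCapabilityBoundingSet=" + _COMMON + " CAP_SETPCAP\n"

def bounding_set(unit_text):
    """Return the [Service] CapabilityBoundingSet as a set, or None if unset.

    Applies systemd's documented rules: a trailing backslash continues a
    line, repeated assignments merge, an empty assignment resets the set.
    Pass the main unit followed by its drop-ins to see the merged result.
    """
    text = re.sub(r"\\\n", " ", unit_text)  # join continued lines
    section, caps = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep:
            continue
        if key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        if value.startswith("~"):
            raise ValueError("inverted (~) capability lists are not handled")
        if not value:
            caps = set()  # empty assignment discards earlier settings
        else:
            caps = (caps or set()) | set(value.split())
    return caps

def missing_for_dco(unit_text):
    """Return the required capabilities absent from the bounding set."""
    caps = bounding_set(unit_text)
    if caps is None:  # no bounding set configured, so nothing is dropped
        return set()
    return REQUIRED_FOR_DCO - caps
```
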