The below reply got stuck somewhere, I thought it had already been sent
to the mailing list...
On Wed, 2016-02-10 at 19:30 -0500, Andrew Bibb wrote:
Lastly I decided to play around with the CapabiliyBoundingSet a bit
based on your suggestion. Adding CAP_DAC_READ_SEARCH to the "as
shipped" list will allow OpenVPN to connect. I never even knew these
existed until this evening, and I only picked that one based on
reading the manpage, so the probability of it being the proper one is
likely not great. Using CAP_DAC_OVERRIDE also works, but that
bypasses write permissions and seems to be overkill.
man paget says about CAP_DAC_READ_SEARCH that it:
* Bypass file read permission checks and directory read and execute
* Invoke open_by_handle_at(2).
Could it be that openvpn does not have read permissions to the config
file and/or path written to by ConnMan?