OpenVPN 2.7.0 keeps restarting in unprivileged systemd-nspawn container

[llnuxuser]

When starting 2.7.0 in a systemd-nspawn container and with DCO enabled in server mode, OpenVPN throws after 10 seconds the error

dco_get_peer: netlink reports error (-28): Operation not permitted

and then keeps restarting every minute. The same happens when a client tries to connect. A workaround is to set disable_dco in the configuration file. It was running fine with 2.6.19, where apparently DCO was disabled by default. This is arch linux with stock kernel 6.8.13 and systemd 259.2.

When running directly on the host, OpenVPN 2.7.0 runs just fine, with the addition that (unlike 2.6.19) the DCO version is acknowledged at the start:
OpenVPN 2.7.0 [git:makepkg/ee1577744fb09af7+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Feb 11 2026
library versions: OpenSSL 3.6.1 27 Jan 2026, LZO 2.10
DCO version: 6.18.13-arch1-1 OpenVPN/openvpn#1 SMP PREEMPT_DYNAMIC Wed, 25 Feb 2026 23:12:35 +0000

The logs when started in contained with DCO enabled/disabled or with the previous version are attached as files.

dco_on.txt

dco_off.txt

2.6.19.txt

[cron2]

This is interesting. The OpenVPN process has at least some of the capabilities it needs to open the DCO device via netlink and add IP addresses to it

2026-03-02 21:04:59 us=657586 net_iface_new: add tun0 type ovpn
2026-03-02 21:04:59 us=657603 sitnl_send: rtnl: generic error (-17): File exists
2026-03-02 21:04:59 us=657607 net_iface_new: add tun1 type ovpn
2026-03-02 21:04:59 us=657746 DCO device tun1 opened
2026-03-02 21:04:59 us=657752 ovpn-dco device [tun1] opened
2026-03-02 21:04:59 us=657755 do_ifconfig, ipv4=1, ipv6=0
2026-03-02 21:04:59 us=657759 net_iface_mtu_set: mtu 1450 for tun1
2026-03-02 21:04:59 us=657774 net_iface_up: set tun1 up
2026-03-02 21:04:59 us=657788 net_addr_v4_add: 10.6.1.1/24 dev tun1

... but then fails trying to get the list of current peers from the kernel - well, there are none, but that shouldn't lead to an EPERM

2026-03-02 21:04:59 us=657890 Initialization Sequence Completed
2026-03-02 21:05:09 us=668077 dco_get_peer: netlink reports error (-28): Operation not permitted
2026-03-02 21:05:09 us=668132 dco_get_peer: failed to send netlink message: Operation not permitted (-1)
2026-03-02 21:05:09 us=668145 Error retrieving DCO peer stats: the underlying DCO peermay have been deleted from the kernel without notifying userspace. Restart
ing the session

(side note: peermay whitespace bug...)

Now, I have no idea what a "systemd-nspawn" container might be, and what sort of different privilege is missing here - normally, CAP_NET_ADMIN should be fine, and that should be present, given that the ifconfig part works.

@ralflici, @ordex, any ideas?

[ordex]

@ralflici found out the root cause and it seems to be tied to the fact that "as of now" ovpn requires CAP_NET_ADMIN in the host and not just in the executing netns.

We're looking into how to make this work properly with the current netlink APIs.

[ordex]

I have moved this ticket to the appropriate repository, being this something that needs fixing in kernel.