Comment 2 for bug 1631104

Christian Ehrhardt (paelzer) wrote:

Hi,
thank you for your report and your help to make Ubuntu better.

I was quickly trying to set up a VPN in a container but failed.
I'd need to create a better-matching two-KVM multi-network config to try to reproduce.

But even then I wanted to ask if this is a specific issue with the Nyr installer.
Or would you run into the same if you followed e.g. the basic setup guide at https://help.ubuntu.com/16.04/serverguide/openvpn.html?

The config option you listed, LimitNPROC, is meant to change the number of allowed processes, like "ulimit -u" would. Is the Nyr openvpn installer configuring it in a way that spawns many processes?

Eventually the reason it fails only in some environments could be that it only triggers once enough clients have logged in to reach the limit.

I have given this limit some thought and checked where it comes from.
It is from upstream itself, neither Debian nor Ubuntu added it.
It has been in since https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792907, which means >= xenial.
The upstream commit says "This unit file also tries to reduce the capabilities of the running openvpn process.".

So I'd expect that this is a limit to protect from being exploited, and if any given setup needs more, the admin has to adapt that.

That said, if anything, this sounds like an upstream bug to me. If this can be confirmed as an upstream bug, the best route to getting it fixed in Ubuntu in this case would be to file an upstream bug if you're able to do that. Otherwise, I'm not sure what we can do directly in Ubuntu to fix the problem.

If you do end up filing an upstream bug, please link to it from here. Thanks!