Package: openvpn Version: 2.3.7-1 Severity: important With the update from 2.3.4-5 to 2.3.7-1 (testing), my vpn configurations using the auth pam plugin broke.
After much digging, I finally isolated this to the addition of the CapabilityBoundingSet entry in the systemd service definition. If I comment that out, everything works again. I've marked this as important because I suspect the auth pam plugin sees wide usage, and because the nature of the way that module writes its debug data and how systemd runs openvpn means that no matter how high you turn the verbosity in openvpn, you won't actually receive any of the diagnostic data from the plugin to help figure out what the problem is, and if you run openvpn on the console, the capabilities limitation isn't applied and the problem won't appear to debug. -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.0.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openvpn depends on: ii debconf [debconf-2.0] 1.5.57 ii init-system-helpers 1.23 ii initscripts 2.88dsf-59.2 ii iproute2 4.0.0-1 ii libc6 2.19-19 ii liblzo2-2 2.08-1.2 ii libpam0g 1.1.8-3.1 ii libpkcs11-helper1 1.11-4 ii libssl1.0.0 1.0.2d-1 ii libsystemd0 224-1 Versions of packages openvpn recommends: pn easy-rsa <none> Versions of packages openvpn suggests: ii openssl 1.0.2d-1 pn resolvconf <none> -- debconf information excluded