# Template unit: runs one OpenVPN client per instance name. The instance name
# is used as the network-namespace name (NETNS_NAME), as the argument passed to
# the helper script, and as the basename of the config file (<instance>.conf).

[Unit]
Description=OpenVPN tunnel for %I namespace
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
# Ordered after the matching netns@ unit and bound to it: if netns@<instance>
# stops, this tunnel is stopped as well.
BindsTo=netns@%i.service
Wants=network-online.target
After=network-online.target netns@%i.service

[Service]
# systemd waits for the daemon's readiness notification before treating the
# unit as started.
Type=notify
PrivateTmp=true
# --config below is a relative path, so it resolves inside this directory.
WorkingDirectory=/etc/openvpn/client
Environment="NETNS_NAME=%i"

# --ifconfig-noexec / --route-noexec: OpenVPN does not configure the interface
# or routes itself; the parameters are handed to the --up / --route-up / --down
# hooks, all of which call the same helper script with the instance name.
#
# NOTE(review): --script-security 3 goes beyond what is needed to run
# user-defined scripts (level 2); level 3 additionally allows passwords to be
# passed to scripts through environment variables. The helper script is not
# visible here - confirm whether it needs credentials, and lower to 2 if not.
ExecStart=/usr/sbin/openvpn \
    --ifconfig-noexec \
    --route-noexec \
    --up "/usr/local/bin/netns-openvpn-script %i" \
    --route-up "/usr/local/bin/netns-openvpn-script %i" \
    --down "/usr/local/bin/netns-openvpn-script %i" \
    --script-security 3 \
    --suppress-timestamps \
    --nobind \
    --config %i.conf

# NOTE(review): every sandboxing directive below is commented out, and no
# User= is set, so the daemon and the hook scripts it spawns run without a
# capability bounding set, device ACL, process limit or filesystem protection.
# Presumably these were disabled because the helper script needs more access
# than they allow (TODO confirm); re-enable whichever are compatible.
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
#LimitNPROC=10
#DeviceAllow=/dev/null rw
#DeviceAllow=/dev/net/tun rw
#ProtectSystem=true
#ProtectHome=true

# Only the main openvpn process is signalled on stop; other processes in the
# unit's control group are left to exit on their own.
KillMode=process

[Install]
WantedBy=multi-user.target