--user user
Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process.
This option is useful to protect the system in the event that some hostile party was able to gain control
of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second
line of defense.
By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what
damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN
session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for
example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure
that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key
files or running ifconfig on the TUN device).
--group group
Similar to the --user option, this option changes the group ID of the OpenVPN process to group after
initialization.
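
A configuration check for the --user and --group guidance above, as an added example that is not part of the OpenVPN documentation: it flags a config that never drops privileges, or that drops them without the persist options a SIGUSR1 restart then depends on. It assumes persist-key and persist-tun are the --persist options meant above; the function names and sample configs are constructed for illustration.

```python
import shlex

# The --persist options that cover the two restart operations named in the text.
PERSIST = {
    "persist-key": "key files are re-read on SIGUSR1",
    "persist-tun": "the TUN device is reopened and reconfigured on SIGUSR1",
}

def parse_directives(text):
    """Map each config directive to its arguments, skipping inline <tag> blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif in_block or not line or line[0] in "#;":
            continue
        else:
            try:
                tokens = shlex.split(line, comments=True)
            except ValueError:  # unbalanced quote: not something we can judge
                continue
            if tokens:
                directives[tokens[0].lstrip("-")] = tokens[1:]
    return directives

def audit(text):
    """Return findings about privilege dropping and SIGUSR1 restart safety."""
    d = parse_directives(text)
    user = (d.get("user") or [None])[0]
    group = (d.get("group") or [None])[0]
    findings = []
    if user in (None, "root"):
        findings.append("user: process keeps its original user ID after initialization")
    if group is None:
        findings.append("group: process keeps its original group ID after initialization")
    if user not in (None, "root"):
        findings += [f"{opt}: missing, {why} without privileges"
                     for opt, why in PERSIST.items() if opt not in d]
    return findings

# Constructed sample configs (not taken from any real deployment).
WEAK = "dev tun\nuser nobody\n<ca>\n-----BEGIN CERTIFICATE-----\n</ca>\n"
HARDENED = "dev tun\nuser nobody\ngroup nobody\npersist-key\npersist-tun\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```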