Re: [arch-general] [arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes
I do not oppose using whatever upstream is deploying, if it's rational. I just think that we could create a system user for openvpn, even if most users will deploy it using root.
We need root privileges at the initialization phase, no? Privileges are dropped to nobody/nobody when the initialization sequence is completed.
If we can make things work with non-root system user... Let me know how to do that. :D
You can have systemd-networkd create the tun (or tap) interface and change its ownership to a specific user; that way openvpn doesn't need privileges for that.

That's my setup with a bridged tap interface: https://gist.github.com/gdamjan/6b988389afe36e4bb769

For tap interfaces, networkd can also do the IP setup; for tun interfaces, openvpn would need to use ... sudo?

-- damjan
participants (1): Damjan Georgievski
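
A sketch of the pre-created, user-owned tap device described in the message above, added here as an illustration; it is not taken from the linked gist or from the Arch package. The account name `openvpn`, the interface name `tap-vpn0`, the address, the file names and the `<unit>` placeholder are all assumptions.

```ini
# Added example. All names and addresses below are constructed placeholders.

# --- /etc/systemd/network/25-tap-vpn0.netdev ---
[NetDev]
Name=tap-vpn0
Kind=tap

[Tap]
# networkd creates a persistent tap device and hands ownership to the
# unprivileged account, so the daemon can attach to it without
# CAP_NET_ADMIN and without starting as root.
User=openvpn
Group=openvpn

# --- /etc/systemd/network/25-tap-vpn0.network ---
[Match]
Name=tap-vpn0

[Network]
# networkd does the IP setup for the tap device, so openvpn does not
# have to run ip/ifconfig itself. (For a bridged setup, Bridge=<bridge>
# would replace the Address= line.)
Address=10.8.0.1/24
# Configure the link even while no process has the device open.
ConfigureWithoutCarrier=yes

# --- /etc/systemd/system/<unit>.service.d/unprivileged.conf ---
# Drop-in for whichever unit starts the daemon; <unit> is a placeholder.
[Service]
User=openvpn
Group=openvpn

# --- OpenVPN side (its own directive syntax, shown here as comments) ---
#   dev tap-vpn0      # attach to the existing device by name
#   dev-type tap      # required because the name does not start with "tap" + digits only
# The user/group directives (the nobody/nobody privilege drop) are no longer
# needed, since the process never holds root in the first place.
```

After `systemctl restart systemd-networkd`, `ip -d link show tap-vpn0` should list the device before the daemon starts; if the daemon fails to open it, check that the owner shown there matches the account the unit runs as.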