Reinhard Max changed bug 1142830
What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution | ---     | INVALID

Comment # 6 on bug 1142830 from
(In reply to Jon Brightwell from comment #5)

> openvpn changes itself to nobody after initialisation. I'm wondering if a
> reload tries to open those files after it has switched to nobody.

Switching to nobody happens at startup after reading these files. This step
cannot be reversed, so reload has no other chance than trying to read those
files as nobody (or whatever user openvpn was told to switch to).

This is also documented with the --persist-key option in the openvpn manual.

I see two possible ways for you to get around this:

1. Configure openvpn to switch to a user different from nobody and make the
config and key files readable for that user. This of course comes with a
certain security risk, because an attacker that hijacks the openvpn process
might be able to read these files.

2. Use restart instead of reload when you have changed the config file.
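
The following pre-reload check is an added example, not part of the bug comment and not OpenVPN code. It lists the files named in a config that the post-drop user could not open, using plain owner/group/other mode bits. The sample files, the stand-in uid, and the choice to resolve relative paths against the config's directory are assumptions.

```python
import os
import stat
import tempfile

# OpenVPN directives whose first argument is a file path.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "crl-verify"}

def parse_config(text):
    """Return (user, [(directive, path), ...]) from OpenVPN config text."""
    user, files = None, []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#;":  # blank line or comment
            continue
        name = parts[0].lstrip("-")
        if name == "user" and len(parts) > 1:
            user = parts[1]
        elif name in FILE_DIRECTIVES and len(parts) > 1:
            files.append((name, parts[1]))
    return user, files

def readable_by(st, uid, gids):
    """Owner/group/other read check on a stat result (ignores ACLs and uid 0)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def unreadable_after_drop(config_path, uid, gids):
    """List files a reload would fail to open as the unprivileged user."""
    with open(config_path) as fh:
        _, files = parse_config(fh.read())
    base = os.path.dirname(os.path.abspath(config_path))  # assumption: relative paths resolve here
    paths = [config_path] + [os.path.join(base, p) for _, p in files]
    return [p for p in paths if not readable_by(os.stat(p), uid, gids)]

def demo():
    """Constructed sample: world-readable config and CA, owner-only key."""
    d = tempfile.mkdtemp()
    for name, mode, body in [("server.conf", 0o644, "user nobody\nca ca.crt\nkey server.key\n"),
                             ("ca.crt", 0o644, "constructed"),
                             ("server.key", 0o600, "constructed")]:
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    other_uid = os.getuid() + 1  # constructed stand-in for the uid of "nobody"
    conf = os.path.join(d, "server.conf")
    return [os.path.basename(p) for p in unreadable_after_drop(conf, other_uid, set())]
```

In real use the uid and group ids would come from looking up the configured user, for example with `pwd.getpwnam`; a non-empty result means reload will fail and restart is the safer choice.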

