feat(profile): openvpn need to load module.

See #811

apparmor.d/groups/network/openvpn

@@ -27,17 +27,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
-  # Needed to remove the following errors:
-  #  ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
-  #  Exiting due to fatal error
-  capability net_admin,
-
-  # These are needed when user/group are set in a OpenVPN config file
-  capability setuid,
-  capability setgid,
-
-  capability dac_read_search,
   capability dac_override,
+  capability dac_read_search,
+  capability net_admin, # create tun
+  capability setgid, # when user/group are set in a OpenVPN config file
+  capability setuid,
+  capability sys_module,
 
   network inet dgram,
   network inet6 dgram,