Hello Jörg, thanks for the reply.
It was not. Rebooting fixes the issue, as does manually kill(1)ing the
errant openvpn instances and restarting the systemd unit(s).
Sorry, "Upgrades break systemd supervision" was perhaps not the best
summary. It's more like "Upgrades restart openvpn outside of
systemd".
This worked for me on a fresh amd64 buster VM:
echo "deb http://snapshot.debian.org/archive/debian/20210601T022916Z/ buster main" >/etc/apt/sources.list.d/snapshot.list
apt update
apt install openvpn=2.4.7-1 ssl-cert
# placeholder config
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >/etc/openvpn/server.conf
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/openvpn/server.crt
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/openvpn/ca.crt
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/openvpn/server.key
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
openvpn --genkey --secret /etc/openvpn/ta.key
systemctl start openvpn@server
apt install unattended-upgrades
systemctl start apt-daily-upgrade
systemctl status
# Observe: openvpn process is now in apt-daily-upgrade.service
systemctl start apt-daily-upgrade # (a second time)
# systemd now warns about the lingering process
Alternatively, replace 'apt install unattended-upgrades' and everything
thereafter with:
apt upgrade
systemctl status
Which should show the openvpn daemon lingering in whatever scope unit
contains your shell.
Or, simpler still:
invoke-rc.d openvpn cond-restart
which is invoked by openvpn's postinst and has much the same effect.
Attached are extracts of of `journalctl --output=with-unit` and
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log after having
done the above. HTH!
Thanks,