NET_ADMIN capability not enough?

Recently, I gave a Workload the NET_ADMIN capability which should allow it to connect as an OpenVPN client to a corresponding server. The capability gives all rights needed to establish the connection, i.e. modify routing table, managing interfaces.
However, the connection could not be established until I gave the Workload full privilege level.

I am not sure, if Rancher propagates changes incompletely or if this is a Docker bug.
Does anyone recognize this issue?


mkdir -p /dev/net
mknod /dev/net/tun c 10 200