ProtonVPN config: UDPv4: Operation not permitted (code=1)

[vulnguard]

I'm running the container via portainer with the following docker compose:
"""
volumes:
openvpn_data:
driver: local

default:
driver: bridge
ipam:
driver: default
config:
- subnet: 192.168.128.0/24

openvpn:
image: yacht7/openvpn-client
container_name: openvpn
cap_add:
- NET_ADMIN
environment:
- KILL_SWITCH=on
- SUBNETS=192.168.0.0/24,192.168.1.0/24
- VPN_LOG_LEVEL=7
devices:
- /dev/net/tun
volumes:
- openvpn_data:/data/vpn
ports:
# .. Various ports omitted for various containers' traffic
restart: unless-stopped
networks:
default:
ipv4_address: 192.168.128.2
"""

This has worked fine for a long time, but I've recently switched from MullvadVPN to Proton VPN, and with their config I get the following issue:

"""
Sun Feb 12 07:05:21 2023 us=828916 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1633,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'

Sun Feb 12 07:05:21 2023 us=828922 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1633,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'

Sun Feb 12 07:05:21 2023 us=828935 TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.6.178:4569

Sun Feb 12 07:05:21 2023 us=828957 Socket Buffers: R=[212992->212992] S=[212992->212992]

Sun Feb 12 07:05:21 2023 us=828963 UDPv4 link local: (not bound)

Sun Feb 12 07:05:21 2023 us=828969 UDPv4 link remote: [AF_INET]138.199.6.178:4569

Sun Feb 12 07:05:21 2023 us=828995 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0

Sun Feb 12 07:05:21 2023 us=82902
ch.protonvpn.net.udp.conf.txt
9 write UDPv4: Operation not permitted (code=1)

Sun Feb 12 07:05:24 2023 us=3471 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0

Sun Feb 12 07:05:24 2023 us=3511 write UDPv4: Operation not permitted (code=1)

Sun Feb 12 07:05:28 2023 us=352069 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0

Sun Feb 12 07:05:28 2023 us=352109 write UDPv4: Operation not permitted (code=1)

Sun Feb 12 07:05:36 2023 us=815732 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
"""

Config attached. (I renamed it to .conf.txt to upload here)

[vulnguard]

Note that manually running openvpn with this config on my host system works fine, it just fails in the container.

I don't see my attached config, so here it is (Sorry for weird formatting on github):
"""
... MIT License removed for brevity

client
dev tun
proto udp

remote 185.159.157.129 5060
remote 138.199.6.177 4569
remote 138.199.6.179 5060
remote 185.159.157.128 5060
remote 138.199.6.177 1194
remote 138.199.6.179 80
remote 138.199.6.181 80
remote 185.159.157.129 1194
remote 185.159.157.23 80
remote 138.199.6.181 80
remote 138.199.6.181 5060
remote 138.199.6.178 4569
remote 138.199.6.181 5060
remote 138.199.6.181 5060
remote 185.159.157.128 80
remote 185.159.157.23 51820
remote 138.199.6.181 1194
remote 138.199.6.181 1194
remote 185.159.157.128 51820
remote 138.199.6.179 1194
remote 138.199.6.179 51820
remote 138.199.6.178 51820
remote 138.199.6.181 51820
remote 138.199.6.181 51820
remote 138.199.6.181 1194
remote 138.199.6.181 51820
remote 138.199.6.178 80
remote 138.199.6.178 5060
remote 138.199.6.179 80
remote 138.199.6.177 4569
remote 138.199.6.177 80
remote 138.199.6.179 5060
remote 185.159.157.129 4569
remote 138.199.6.177 1194
remote 185.159.157.23 4569
remote 138.199.6.179 4569
remote 138.199.6.177 51820
remote 138.199.6.181 4569
remote 138.199.6.181 4569
remote 138.199.6.177 51820
remote 185.159.157.128 1194
remote 138.199.6.181 5060
remote 138.199.6.179 51820
remote 185.159.157.129 80
remote 138.199.6.181 4569
remote 138.199.6.177 5060
remote 138.199.6.181 80
remote 138.199.6.178 1194
remote 138.199.6.181 4569
remote 185.159.157.129 51820
remote 138.199.6.181 80
remote 185.159.157.128 4569
remote 185.159.157.23 5060
remote 185.159.157.23 1194
remote 138.199.6.179 1194
remote 138.199.6.181 51820
remote 138.199.6.177 5060
remote 138.199.6.177 80
remote 138.199.6.179 4569
remote 138.199.6.181 1194
server-poll-timeout 20

remote-random
resolv-retry infinite
nobind

The following setting is only needed for old OpenVPN clients compatibility. New clients

automatically negotiate the optimal cipher.

cipher AES-256-CBC

auth SHA512
verb 3

setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass proton-vpn-userpass.txt
pull
fast-io

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

-----BEGIN CERTIFICATE----- ... Cert removed for brevity -----END CERTIFICATE-----

key-direction 1

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
... Key removed for brevity
-----END OpenVPN Static key V1-----

"""