/etc/sudoers.d/tunnel_unpriv in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
Comment in the following and remove the single hashes (#) in front of all lines, but do not remove the double hashes (##). The edited file should look like this.
tunnel ALL=(ALL) NOPASSWD: /bin/ip tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn * Defaults:tunnel !requiretty
Save and exit.