/etc/sudoers.d/tunnel_unpriv in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
Comment in the following and remove the single hashes (#) in front of all lines, but do not remove the double hashes (##). The edited file should look like this.
Use of wildcard / asterix
* is non-ideal security wise. 
tunnel ALL=(ALL) NOPASSWD: /bin/ip tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn * Defaults:tunnel !requiretty
Save and exit.