VPN in container requires tun/tap device – if you don’t have one you have to create it with mknod command. But, there is the problem – in the LXC (Proxmox) unprivileged container is mknod (as syscall) not allowed, because this would introduce possible security problems (see this article).
Luckily LXC natively provides a way to create required devices using lxc.mount.entry, added in LXC container config file (or in proxmox <VMID>.conf):
To provide tun device:
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
Additionaly, to provide fuse device use:
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file
To provide ppp device use (unfortunately ppp currently requires CAP_NET_ADMIN to work):
lxc.mount.entry = /dev/ppp dev/ppp none bind,create=file