OpenVPN in LXC: Failed to set devices.allow

I have been trying to get OpenVPN working in a LXD-managed LXC container on Ubuntu 16.04. I have added the tun device to the container config via lxc config edit container and it is properly created. I have run

lxc config set mycontainer raw.lxc 'lxc.cgroup.devices.allow = c 10:200 rwm'

and it shows up in the container config, but I when I run

systemctl start [email protected]

I get this in my error log:

Jul 13 09:52:56 lb systemd[1]: Failed to reset devices.list on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/[email protected]: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Starting OpenVPN connection to server...
-- Subject: Unit [email protected] has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit [email protected] has begun starting up.
Jul 13 09:52:56 lb systemd[1]: Failed to reset devices.list on /system.slice/ondemand.service: Operation not permitted

Here is my container config:

$ lxc config show --expanded lb
name: lb
profiles:
- default
config:
  raw.lxc: lxc.cgroup.devices.allow = c 10:200 rwm
  volatile.base_image: f452cda3bccb2903e56d53e402b9d35334b4276783d098a879be5d74b04e62e2
  volatile.eth0.hwaddr: xx:xx:xx:xx:xx:xx
  volatile.eth1.name: eth1
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":231072,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    hwaddr: xx:xx:xx:xx:xx:xx
    nictype: bridged
    parent: lxdbr1
    type: nic
  root:
    path: /
    type: disk
  tun:
    path: /dev/net/tun
    type: unix-char
ephemeral: false

And the files in /dev/net:

$ ll /dev/net
total 0
drwxr-xr-x 2 root root      60 Jul 13 09:36 ./
drwxr-xr-x 9 root root     480 Jul 13 09:36 ../
crw-rw-rw- 1 root root 10, 200 Jul 13 09:36 tun

OttoEisen - Your fix didn't make any change, but led me through a Google seach to askubuntu.com/q/747023/124222 and the answer there solved my question! So, you got me there in the end... Thanks!

I guess I should probably delete this question since it has already been answered there... Or should I leave it up to make it easier to find on search?

There is a way to mark questions as duplicate. Then you get a notification at the top with a link to the already answered question, but I'm not sure how that works. Maybe "Flag" but that sounds so serious... Also: Thanks for the accept.