Unprivileged containers can’t create device nodes; that’s a kernel-enforced policy for those.
Instead, what you should do is bind-mount that device node from the host.
Something like:
lxc.mount.entry = /dev/net/tun dev/net/tun none bind create=file
Should do the trick.
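
Added example, not part of the original reply: a shell helper that appends the bind-mount entry above to a container config only when no active entry already targets dev/net/tun, and only when the host device node really is a character device. The function names and the config path argument are assumptions; pass the path of your container's config file.

```shell
#!/bin/sh
# Usage (after sourcing): ensure_tun_entry /path/to/container/config

# has_tun_entry CONFIG
# Returns 0 if an uncommented lxc.mount.entry already mounts something on
# dev/net/tun inside the container, 1 otherwise.
has_tun_entry() {
    awk '
        /^[ \t]*lxc\.mount\.entry[ \t]*=/ {
            line = $0
            sub(/^[^=]*=/, "", line)      # drop "lxc.mount.entry ="
            split(line, f, " ")           # fstab-style: source target type opts
            if (f[2] == "dev/net/tun" || f[2] == "/dev/net/tun") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ensure_tun_entry CONFIG [HOST_DEV]
# HOST_DEV defaults to /dev/net/tun; it is a parameter only so the check
# can be exercised on hosts without a tun device.
# Returns 0 on success, 2 if CONFIG is missing, 3 if HOST_DEV is not a
# character device (the bind mount would then hand the container nothing usable).
ensure_tun_entry() {
    config=$1
    host_dev=${2:-/dev/net/tun}

    [ -f "$config" ] || { echo "no such config: $config" >&2; return 2; }
    [ -c "$host_dev" ] || {
        echo "$host_dev is not a character device on the host" >&2
        return 3
    }

    # Idempotent: leave the file alone if an entry is already present.
    if has_tun_entry "$config"; then
        return 0
    fi

    # Make sure we start on a fresh line if the file lacks a final newline.
    [ -z "$(tail -c1 "$config")" ] || echo >> "$config"

    printf 'lxc.mount.entry = %s dev/net/tun none bind create=file\n' \
        "$host_dev" >> "$config"
}
```

The container has to be restarted for the new mount entry to take effect.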