Why does openvpn (client) work out-of-the box in LXD, but not LXC?

For context: I have a server (Ubuntu 20.04) that isn’t normally reachable from the internet (and shouldn’t be). I wanted to use openvpn to basically get IPv4 and IPv6 connectivity through port forwarding from the VPN server, so I can run a bunch of services through VPN. But I want that for some isolated services only, not for the whole server.

I set up a privileged LXC and an LXD container and installed openvpn in each of them to test whether it’s working.
With LXD, it kinda worked out-of-the-box (lxc console is horribly broken when using ssh via putty, whereas with LXC lxc-attach works flawlessly).
With LXC, openvpn failed to create the tunneling device. After lots of headaches I got it finally working with all the fuzz including the magic numbers 10:200 device node.

What I would like to know is, given that it was a privileged LXC container, what is so fundamentally different about LXD that this can just work without any extra effort? Surely in LXD there’s more going on than “just LXC under the hood with a nicer user interface” (which I keep reading everywhere) if it’s possible for the container to create a device node at runtime, whereas that’s a major hassle in LXC?

On this point - maybe the solution is lxc shell command.

Yep, lxc shell works much better.