The LXC design really leans towards unprivileged containers, which is the “normal” and recommended way. You get process isolation via different users/groups from those of the host machine, without any loss of performance. A few tweaks might be needed to mount volumes to make sure permissions don’t get in the way.
Try and stick with unprivileged containers if you can.
I’m running one of my yunohosts in an LXC container (on a rpi4 ^^).
OpenVPN: not using it, can’t say. I’m using Tailscale on the host to administer it, and I have already run Tailscale in some LXC containers to access them and it works great.
Everything else is working for me. As I’m not using a VPN but redirecting ports from my router, I had to add some proxy devices, but really nothing fancy. I also set it up so that it can only take part of the available CPU and RAM, so that I can always SSH into the host to fix issues.
No apps not working that I know of.
Nextcloud is running fine, I haven’t tried OnlyOffice.
As for the privileged/unprivileged container, I guess it depends on what you want to do with it. Mine is running fine in an unprivileged container, the containers I access using tailscale are also unprivileged, the only time I needed to use a privileged container is when I want to run docker in them.
These instances are running beside an Apache proxy; sometimes you have to tweak the header settings (I’m not an expert, beware of security consequences) and create firewall rules so as to send specific ports directly to the container (for video calls, for example).
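The replies above describe the same setup in prose: an unprivileged container, a CPU/RAM cap so the host stays reachable over SSH, and proxy devices that forward the web ports in from the host. The script below is an added example and not code from anyone in this thread; it assumes the LXD `lxc` CLI (the `proxy` device type and `limits.*` keys are LXD features), and the container name, image and limit values are illustrative placeholders.

```shell
#!/bin/sh
# Added example: provision an unprivileged LXD container for a YunoHost
# instance with resource limits and proxy devices for HTTP/HTTPS.
# Assumes the LXD `lxc` CLI. Container name, image and limits are
# illustrative values, not taken from the thread.
set -eu

CONTAINER="${CONTAINER:-yunohost}"      # illustrative name
IMAGE="${IMAGE:-images:debian/12}"      # illustrative image alias
CPU_LIMIT="${CPU_LIMIT:-2}"             # leave cores for the host
MEM_LIMIT="${MEM_LIMIT:-2GiB}"          # leave RAM for the host
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints the plan instead

# run: execute a command, or print it when DRY_RUN=1 so the plan can be
# reviewed before touching the host.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# proxy_device: publish one host TCP port into the container.
# Usage: proxy_device <device-name> <host-port> <container-port>
proxy_device() {
    run lxc config device add "$CONTAINER" "$1" proxy \
        "listen=tcp:0.0.0.0:$2" "connect=tcp:127.0.0.1:$3"
}

# provision: create the container unprivileged, cap it, expose only web ports.
provision() {
    # Unprivileged is LXD's default; stating it explicitly documents intent
    # and prevents an inherited profile from silently flipping it.
    run lxc launch "$IMAGE" "$CONTAINER" -c security.privileged=false
    # Caps keep the host responsive so you can always SSH in to fix things.
    run lxc config set "$CONTAINER" limits.cpu "$CPU_LIMIT"
    run lxc config set "$CONTAINER" limits.memory "$MEM_LIMIT"
    # Only the ports the router forwards are published; nothing else leaks.
    proxy_device http 80 80
    proxy_device https 443 443
}

# Only act when invoked explicitly, e.g. `DRY_RUN=1 sh provision.sh provision`.
case "${1:-}" in
    provision) provision ;;
esac
```

Run it once with `DRY_RUN=1` to review the exact `lxc` commands, then again without it to apply them; ports beyond 80/443 (for video calls, say) get their own `proxy_device` line rather than a privileged container.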