Hi,
I actually just worked out what the problem was, and it was a ridiculous reason. I spent ages messing about on something I can't understand why it couldn't handle, since older versions can.
It was as simple as changing to capital letters; the connect settings can be exactly the same as I listed above, except they must be:
cipher AES-128-CBC
auth SHA1
instead of
cipher aes-128-cbc
auth sha1
Absolutely crazy. Unfortunately the (admittedly rather optimistic looking) 12mbps speeds mentioned here for AES-128-CBC on a V8 do look to be wildly out vs real world (on my V11, which has a higher clock speed and the same manufacturer for the SoC, and they usually get faster the newer they get!); I'm struggling to get much past the 4mbps to 6mbps range and usually hovering around the low end of that range. I'll retry at a different time of day, but I usually get very close to my internet max speed with this VPN location/config on faster hardware... I only really need 7-8mbps so hoped it would handle that OK, but it's not looking great so far. That said, my GL.iNet GL-AR300M uses a 650mhz Qualcomm Atheros QCA9531 and can easily achieve 8-10mbps, and this TL-WR841N rev11 uses a 650mhz Qualcomm Atheros QCA9533 - they should be able to manage very similar speeds. Maybe I need to try out some older builds and see which gives closer to what it should be able to handle.
Edit: maybe more of an issue with the 3 different speed test sites I tried (and 5 different servers between them), just tried a file download and is peaking at just over 1MB/s so not bad. Needs testing with a proper workload when it's not nearly 2AM, time for bed.
This is also where they handily suggested using caps:
Hopefully this saves someone else a few hours of going round in circles because it stupidly doesn't like lower case letters all of a sudden...