Double device rec for a static site & a remote roamer

Intro

This Q focuses on hardware recommendations, though about 10-20% of it involves the actual software implementation required. Given the intertwined nature of hardware and software in this scenario, it’s challenging to separate them. I appreciate your insights.

Scenario

Here’s a slightly abstract scenario: I have a 3 Gig fiber connection at home. I also have a highly-mobile client who needs access to some private resources via VPN, but is only able to do so when connected through home’s IP address. The goal is to link the client to home seamlessly, with absolutely minimal possible overhead, enabling the client to connect to the VPN from their laptop as if they were physically at home.

My initial thought: use two OpenWRT-compatible routers. One powerful router at home and a portable, USB-stick-sized router for the client. The client router should be able to connect to any nearby Wi-Fi network and establish a minimal overhead tunnel, so the client’s machine uses home’s public IP.

Potential Solutions

Given the above requirements, typical solutions like OpenVPN, WireGuard, or IPsec are not suitable due to the overheads, however minimal. Since the client’s device will already be using a VPN, reducing overhead is crucial. My proposed approach:

  1. Use two routers that support GRE or IP-in-IP tunnels, with a preference for IP-in-IP since GRE is more frequently blocked by firewalls. This would be the optimal scenario, but NAT can be problematic, even with IP-in-IP, making it unreliable on some public networks.

  2. If the above doesn’t work, fall back to a simple, NAT-friendly protocol, such as a UDP (or, as a last resort, TCP) tunnel using tools like vtun, udp2raw, or udptunnel.

  3. Another option is to use plain L2TP (without IPsec) via something like xl2tpd.

Questions

Which routers would you recommend that meet these criteria? The budget is $1,000 for both the home and portable client routers, with a maximum of $2,000 if it’s truly justified. I need support for IP-in-IP and generic UDP/L2TP (without IPsec), ideally in kernel mode. Hardware offloading/acceleration for any of these protocols would be a big bonus, though I’m unsure if that’s available.

I should note that the hardware should be able to max out the 3G fiber and ideally handle home clients over WiFi as well (if this is not possible, I can find a separate router). Thank you.
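As an added example (not from the thread, and not tested against any of the routers named in it), here is what option 1 looks like in OpenWrt UCI syntax on the home router, using constructed placeholder addresses: the home WAN is 203.0.113.10, the roaming router is currently reachable at 198.51.100.20 (a static-peer case; as the client roams, that address changes and this config must follow it), and 10.99.0.0/30 is the tunnel's point-to-point subnet. The client router mirrors this with `ipaddr`/`peeraddr` swapped, 10.99.0.2 on the tunnel and a default route via 10.99.0.1, so its traffic leaves with home's public IP through the existing masquerade on the home `wan` zone; MSS clamping avoids fragmentation caused by the 20-byte outer header, and the firewall rule accepts protocol 4 only from the peer, because IP-in-IP itself carries no authentication.

```ini
# /etc/config/network (home router) -- added example, constructed addresses
config interface 'ipip_roam'
	option proto 'ipip'
	option ipaddr '203.0.113.10'      # home WAN address (placeholder)
	option peeraddr '198.51.100.20'   # roaming router's current public IP (placeholder)
	option tunlink 'wan'              # outer packets go out via the WAN interface
	option mtu '1480'                 # 1500 minus the 20-byte outer IPv4 header
	option ttl '64'

config interface 'ipip_roam_addr'   # inner (tunnel) address on top of the ipip device
	option proto 'static'
	option device '@ipip_roam'
	option ipaddr '10.99.0.1'
	option netmask '255.255.255.252'

# /etc/config/firewall (home router)
config zone
	option name 'tun'
	list network 'ipip_roam_addr'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'                # clamp TCP MSS to the tunnel MTU

config forwarding                   # client traffic exits via wan and is masqueraded there
	option src 'tun'
	option dest 'wan'

config rule                         # only the known peer may send IP-in-IP to us
	option name 'Allow-IPIP-from-peer'
	option src 'wan'
	option proto '4'                  # IP protocol number 4 = IP-in-IP
	option src_ip '198.51.100.20'     # placeholder peer address
	option target 'ACCEPT'
```

Everything inside the tunnel is still plaintext on the wire, which is why the thread relies on the client's own VPN running on top of it; the rule above only limits who can inject packets into the home LAN through the tunnel interface.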

Filogic fits the bill. Or a PC server if many users will be connecting.
https://openwrt.org/toh/views/toh_available_16128_ax-wifi
What's the practicality of a USB stick when the home PC has a full-fledged CPU with all possible VPN clients available?

Thank you for the rec. What you suggested looks like a great option for the portable use, especially the battery-powered. Sorry if I wasn't clear: my client is a mobile laptop who moves around and whose laptop should connect to the GRE/IPIP/whatever UDP tunnel transparently, as if it were literally at my home. Then, in userspace of their own laptop, run the VPN. Hence the desire for an external portable router they can take on the go wherever.

Now for the actual home router, I'd like something that'd max out the 3GB fiber if need be on 5 GHz across multiple home users. With an eye toward a 6GB fiber upgrade. Perhaps ASUS TUF-AX6000 or GL-MT6000? Will keep looking.

Why do you need extra GRE encapsulation? Just dial WireGuard or OpenVPN into your LAN; you can use DDNS for locating the server, aka the home router.

Explained extensively in the OP. The scenario demands minimal possible overhead (the roaming client might be far, thousands of miles away) that can still traverse NAT, hence IPIP (for the rare cases when that passes NAT) or a UDP tunnel.

The client would always be connecting over VPN through this tunnel anyway, so I don't need to double-encrypt (and want to keep the additional packet/encryption overhead to the minimum).

WireGuard is a UDP tunnel; put the server on 53/443/123 for better NAT traversal.