Is passphrase-protected SSH better than Wireguard if your traveling device has no device encryption?

This may be a Wireguard rather than an OpenWrt question, but I am posting it because I've run into many Wireguard enthusiasts here, who recommended it even when the post was about SSH as a means of opening WAN access to an OpenWrt device.

I have learned that Wireguard provides no option to encrypt the private key.

Question: If my mobile phone or laptop is not device-encrypted, then would passphrase-protected SSH be a more secure option than Wireguard as against a thief that has lifted the device?

I seem to be assuming that when a passphrase-protected (SSH private) key is used, it is not "written" anywhere (except to RAM). Thus, so long as I have shut off the mobile or laptop, the passphrase would be nowhere (not in any storage media) to be found.

The Wireguard private key, on the other hand, would be there in the config file for anyone to see who can mount the storage medium.

Even if I considered "manually" decrypting and encrypting the Wireguard config file around each use, I wouldn't know how to purge the disk of the decrypted copy. I seem to have read that there was in any event no reliable way to purge a modern SSD of any particular bit of information (except through disk-encryption).

If so, to repeat the question, if my traveling device does not have device-encryption and my primary concern is theft, should I use passphrase-protected SSH rather than Wireguard as a means of opening WAN access to an OpenWrt device?
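As an added example (not code from the thread or from OpenWrt), the script below makes the question's premise checkable on a real device: it reads the header of an OpenSSH private key file (the `openssh-key-v1` container that `ssh-keygen` writes) and reports which cipher and KDF protect the key material, then pulls the `PrivateKey` out of a WireGuard config to show it sits on disk as plain base64. It goes beyond the post by also showing how to keep a WireGuard config encrypted at rest and decrypt it straight into `wg setconf` through a pipe, so no plaintext copy is ever written for a thief to recover. The sample key files and the `wg0.conf` are constructed inline (not real keys); `wg_load_encrypted` assumes `openssl` and `wg` are installed and the config is in `wg setconf` syntax. The parser itself needs only coreutils and works on real `~/.ssh/id_*` files.

```shell
#!/bin/sh
# Added example: what an SSH key and a WireGuard config look like at rest.
# Sample inputs are constructed; the parsers also work on real files.

# Read a big-endian uint32 from file $1 at 0-based byte offset $2.
read_u32() {
    set -- $(tail -c +$(( $2 + 1 )) "$1" | head -c 4 | od -An -v -tu1)
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Read an SSH "string" (uint32 length + bytes) from file $1 at offset $2.
# Sets STR to the bytes and NEXT to the offset just past the field.
read_ssh_string() {
    len=$(read_u32 "$1" "$2")
    STR=$(tail -c +$(( $2 + 5 )) "$1" | head -c "$len")
    NEXT=$(( $2 + 4 + len ))
}

# Report cipher, KDF and KDF rounds from an openssh-key-v1 private key file.
# "cipher=none kdf=none" means the key material is stored in the clear.
openssh_key_protection() {
    bin=$(mktemp) || return 2
    sed -n '/^-----BEGIN OPENSSH PRIVATE KEY-----$/,/^-----END OPENSSH PRIVATE KEY-----$/p' "$1" \
        | sed '1d;$d' | tr -d '\n' | base64 -d > "$bin"
    if [ "$(head -c 15 "$bin" | tr -d '\000')" != "openssh-key-v1" ]; then
        rm -f "$bin"; echo "not an openssh-key-v1 file: $1" >&2; return 2
    fi
    read_ssh_string "$bin" 15;      cipher=$STR
    read_ssh_string "$bin" "$NEXT"; kdf=$STR
    rounds=0
    if [ "$kdf" = bcrypt ]; then
        opts=$NEXT                      # kdfoptions = string salt, uint32 rounds
        saltlen=$(read_u32 "$bin" $(( opts + 4 )))
        rounds=$(read_u32 "$bin" $(( opts + 8 + saltlen )))
    fi
    rm -f "$bin"
    echo "cipher=$cipher kdf=$kdf rounds=$rounds"
}

# The WireGuard private key is plain base64 in the config: anyone who can
# mount the filesystem reads it with this one-liner.
wg_private_key() {
    sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Keep the config encrypted at rest and decrypt it into wg(8) through a pipe,
# so no plaintext copy lands on the SSD. Encrypt once with:
#   openssl enc -aes-256-cbc -pbkdf2 -in wg0.conf -out wg0.conf.enc
# (wg setconf accepts only [Interface]/[Peer] keys, not wg-quick's Address/DNS.)
wg_load_encrypted() {    # $1 = encrypted config, $2 = interface name
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" | wg setconf "$2" /dev/stdin
}

# --- constructed sample inputs (not real keys) ----------------------------
u32() {                  # emit $1 as a big-endian uint32
    for b in $(( $1 / 16777216 % 256 )) $(( $1 / 65536 % 256 )) $(( $1 / 256 % 256 )) $(( $1 % 256 )); do
        printf "\\$(printf '%03o' "$b")"
    done
}
ssh_string() { u32 "${#1}"; printf '%s' "$1"; }

# Emit only the openssh-key-v1 header ($1=cipher $2=kdf $3=rounds); the key
# blob that follows in a real file is omitted since only the header matters here.
sample_openssh_key() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    {
        printf 'openssh-key-v1\000'
        ssh_string "$1"; ssh_string "$2"
        if [ "$2" = bcrypt ]; then
            u32 24; ssh_string 0123456789abcdef; u32 "$3"   # 16-byte salt + rounds
        else
            u32 0                                           # empty kdfoptions
        fi
        u32 1                                               # number of keys
    } | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
}
SAMPLE_WG_KEY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='  # placeholder, not a real key

demo() {
    d=$(mktemp -d)
    sample_openssh_key none none 0          > "$d/id_ed25519.plain"   # ssh-keygen -N ''
    sample_openssh_key aes256-ctr bcrypt 16 > "$d/id_ed25519.pass"    # ssh-keygen -N 'pass' default
    printf '[Interface]\nPrivateKey = %s\nListenPort = 51820\n' "$SAMPLE_WG_KEY" > "$d/wg0.conf"
    for f in id_ed25519.plain id_ed25519.pass; do
        echo "$f: $(openssh_key_protection "$d/$f")"
    done
    echo "wg0.conf: PrivateKey readable in the clear: $(wg_private_key "$d/wg0.conf")"
    rm -rf "$d"
}
demo
```

Run `openssh_key_protection ~/.ssh/id_ed25519` on the travelling laptop: a key made with a passphrase reports `cipher=aes256-ctr kdf=bcrypt` (raise the rounds with `ssh-keygen -a 64`, or add a passphrase to an existing key with `ssh-keygen -p`); `cipher=none` means the key is as exposed as the WireGuard one. Two caveats for the "only in RAM" model: the decrypted SSH key and the piped WireGuard key both live in memory while in use (the WireGuard one in the kernel, readable back with `wg showconf`), and a hibernation file or swap partition can write that memory to the unencrypted disk, so disable or encrypt those if this is the protection you are relying on.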

I'd recommend using both together. There's no reason to open the SSH port on a WAN facing interface, but just because you use Wireguard to allow 'LAN' access to the router when remote doesn't mean you can't also secure SSH with a passphrase-protected key as well.

2 Likes

At least, is there a decent screen lock on your phone?
I am trying to understand whether there is something really valuable on your phone that would justify an attempt to steal it, or whether you expect that the average thief will go into your phone and look for the Wireguard private key or bother to look for deleted files.
In any case you can slightly modify the private key when you don't use it. That should buy you enough time to revoke access until the thief understands why a seemingly correct key does not work.
The passphrase-locked ssh key should also work for your needs.

2 Likes

Are you referring to a travel router or a computer/tablet/phone? On a travel router running OpenWrt, you're right that the files on the device are stored unencrypted and thus could be a liability if the travel router is stolen... so the question is:

How likely do you think it is that your travel device will get stolen (and as a corollary: stolen by someone who is interested in the access it can grant rather than the hardware itself, and would they even know that the device is a VPN endpoint as compared to just simply a convenience device to make your own travel LAN)? And, if it were to get stolen, how quickly could you invalidate that peer's key (on the other peer's config)?

Personally, I think that a good password on the device itself (and not auto-starting your VPN tunnel) is probably sufficient to keep casual thieves from accessing any of the data you care about, but obviously a determined attacker may persist.

If you do decide you'd rather go with an ssh tunnel, I wouldn't recommend using dropbear exposed to the internet -- this is a very lightweight and not-internet-hardened ssh environment. You'll want to use something more robust/hardened for internet exposure.

4 Likes
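The "how quickly could you invalidate that peer's key" question above comes down to two commands on the router, so here is an added example (not code from the thread or from OpenWrt) of revoking a stolen peer on an OpenWrt box. It assumes the WireGuard interface is named `wg0` and that peers are stored in `/etc/config/network` as `wireguard_wg0` sections with a `public_key` option (OpenWrt's convention); the `uci show network` output used as sample input is constructed. `peer_sections_for_key` is the only part exercised offline; `revoke_peer` needs a real router.

```shell
#!/bin/sh
# Added example: revoke a stolen device's WireGuard peer on an OpenWrt router.
# Assumes interface wg0 and 'wireguard_wg0' peer sections in /etc/config/network.

# From `uci show network` on stdin, print the section name(s) whose public_key
# equals $1. uci quotes values on newer releases and not on older ones, so the
# surrounding single quotes are optional. (Base64 keys never contain '|' or '.'.)
peer_sections_for_key() {
    sed -n "s|^network\.\([^.=]*\)\.public_key='\{0,1\}$1'\{0,1\}\$|\1|p"
}

# Drop the peer from the live interface immediately, then from the persistent
# config so it does not come back on the next ifup or reboot.
revoke_peer() {          # $1 = public key of the stolen device's peer entry
    wg set wg0 peer "$1" remove
    for s in $(uci show network | peer_sections_for_key "$1"); do
        uci delete "network.$s"
    done
    uci commit network
    ifup wg0
}

# Constructed sample of `uci show network` (not from a real router).
sample_uci_show() {
    cat <<'EOF'
network.wg0=interface
network.wg0.proto='wireguard'
network.wgclient_laptop=wireguard_wg0
network.wgclient_laptop.public_key='LaptopPub+key/123='
network.wgclient_phone=wireguard_wg0
network.wgclient_phone.public_key=PhonePub=
EOF
}

# Dry run against the sample: which uci section would be deleted?
echo "section for stolen laptop: $(sample_uci_show | peer_sections_for_key 'LaptopPub+key/123=')"
```

Get the stolen device's public key from your own records or from `wg show wg0 peers` on the router, not from the device; once the peer is gone the thief holds a private key that authenticates to nothing, which is the whole point of keeping the revocation step quick.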