I want to be able to log into my home network from my laptop (say, in a coffee shop) and administer my OpenWrt router and the other devices/servers on that local network. I have a couple questions:
Do I install a VPN Server or a VPN client on my OpenWrt router? I believe I install a client on my laptop, and a server on my OpenWrt router, but I'm just guessin'... (It's surprising, but none of the half-dozen documentation pages describe which is which...)
What is the current state of OpenWrt packages: Which ones are well-maintained? Which ones are reliable? Which ones have clients that run on a wide variety of desktop/laptop/tablet/phone OSes?
Are there reasons to choose one over the other?
Many thanks.
Update: It seems as if WireGuard is a secure choice, simple enough to configure for ordinary situations. There are plenty of solutions for more complicated situations, which you're free to ask about.
E.g., if you want to run an OpenVPN server and client on the same device, no problem, with the only limitation that the server should use the TCP protocol. But WireGuard uses UDP only. I've seen examples in PBR configuration, but I don't understand how they work. So if you need the simplest and fastest solution without extra demands, you can use WireGuard. If you have specific requirements like the above, use OpenVPN.
Just because you don't understand how it works doesn't mean it doesn't. It's simple to run a WireGuard interface with multiple different peers for different needs. More complicated setups are easily catered for through manual routing or packages like PBR.
The only reason to use OpenVPN is that you use an external provider which requires its use, or you have a need for layer 2 functionality, which is rare.
I repeat once more, I don't understand how PBR can treat UDP. I've implemented my requirements with the aid of OpenVPN absolutely directly without any trouble.
WireGuard is a reliable, very fast and simple solution. It's a main point for low-resource devices. Much more reliable and simpler than OpenVPN.
UDP is a main point why it's more secure and fast. It can't be detected because it won't answer packets from an unknown peer. Basically undetectable by design for port scanning.
You add the required routing rules to the relevant routing tables, either manually or with something like PBR. Then the packets get routed where they need to go...
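
The setup asked about in the opening question, as an added example that is not from any poster in this thread: the router is the listening WireGuard peer (the "server" role) and the laptop is the peer that dials in. The tunnel subnet 10.9.0.0/24, the LAN subnet 192.168.1.0/24, port 51820 and every angle-bracket value are assumptions or placeholders.

```conf
# Added example; keys, hostname and addresses are constructed placeholders.

# --- Router, /etc/config/network: the listening side ("server") ---
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER_PRIVATE_KEY>'
	option listen_port '51820'
	list addresses '10.9.0.1/24'

config wireguard_wg0
	option description 'laptop'
	option public_key '<LAPTOP_PUBLIC_KEY>'
	# Only this tunnel address is accepted from the laptop's key.
	list allowed_ips '10.9.0.2/32'

# --- Router, /etc/config/firewall: let the handshake in from the WAN ---
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
# Also add wg0 to a firewall zone, e.g. "list network 'wg0'" in the lan
# zone, so tunnel traffic can reach the router and the LAN hosts.

# --- Laptop, wg0.conf for wg-quick: the dialing side ("client") ---
[Interface]
PrivateKey = <LAPTOP_PRIVATE_KEY>
Address = 10.9.0.2/32

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>
Endpoint = <ROUTER_PUBLIC_HOSTNAME>:51820
# Route only the tunnel and the home LAN through the VPN (split tunnel).
AllowedIPs = 10.9.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Each side holds its own private key and only the other side's public key. The laptop's `AllowedIPs` controls which destinations go through the tunnel, while the router's `allowed_ips` restricts which source addresses it accepts from that peer.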