GRE tunnel, layer 2 ("gretap") is perhaps the lightest weight from both CPU and bits -- but be careful with MTU as with any L2 tunnel that isn't actively fragmented by the endpoints. This is sort of a problem in general, as it is the encapsulated packets that get fragmented, so that the fragmentation-required messages go to the tunnel endpoint, not the sender of the encapsulated packet, as I remember the conundrum.
One article on various flavors of tunnels under OpenWrt that I found helpful was
https://justus.berlin/2016/02/performance-of-tunneling-methods-in-openwrt/
Edit: Here's some earlier notes of mine on the MTU problem