Wireguard helps "quite a bit", IPSec should help although the main issue is the SoC which is super slow. You'll be much better off with any kind of ARM device and a USB attached modem or ethernet bridge.
WireGuard might get you 20-25 Mbps on a 580-MHz, MIPS-based SoC.
Bottom line is that low-end SoCs don't have enough CPU power to handle the encryption at moderate rates, even with the newer encryption ciphers like ChaCha20.
If you're comfortable with the security provided by WireGuard, and many are, I would use that instead of OpenVPN.
Split routing is possible in many ways. Most modern VPNs "push" routes to the client. For WireGuard, the "allowed IPs" are confusing, but provide that functionality. For the client, the "allowed IPs" are the target IPs (destinations) that go over the tunnel. I found the following helpful in trying to wrap my head around WireGuard configuration
Can it be a option to only send traffic between the sites on the VPN and rest direct on internet?
So when I want o access thing on the other site the traffic goes throue the VPN and if not direct out...
Then the speed will not be reduced for traffic who not goes between the sites?
Yes, you either use the VPN configuration or manually configured static routes to route the subnets of interest, and the rest goes via default (or other) route.
Is these the way of doing it, how much can I go up?
How high can I go and what can I do if the router will not boot up, use memory reset button?
What about memory, can I increase the hz there also?
Perfect world will be if I can get 40mbit on the VPN....
It’s the crypto that drives the load. WireGuard uses one of the lowest computational cost ciphers generally available.
If you stick with MIPS, you’ll need a 775 MHz clock, based on the testing of GL.iNet, who I believe is honest about their results. Realize that if you run anything other essential router services (LuCI is not "essential") or other CPU tasks (such as handling an LTE modem), you won't get the "unloaded" performance on a single-core SoC.
The TP-Link MR200 just isn't powerful enough for more than basic routing. Moving to a multi-core, ARM-based device, or using "something else" for your VPN would be reasonable approaches. Perhaps a single-board computer, like a current Raspberry Pi (crypto speed unknown by me), might be a cost- and power-effective approach.
As you can see, the load of OpenVPN at even moderate rates exceeds what a MIPS-based router can handle.
To get 50-100 Mbps over OpenVPN, you're likely looking at an x86_64/AMD64 solution, with a separate all-in-one as an AP.
Based on that, I'd recommend an ipq40xx-based unit, or one of the faster SoC families, such as ipq80xx, mvebu, or x86_64/AMD64. I don't have experience with the mvebu wireless, but I find the wireless performance of the ipq4019-based EA8300 to be noticeably better than that of the ath79-based Archer C7v2 units I've replaced. Recently someone here posted that Amazon UK had EA6350 dirt cheap (£34).
Ignore the title, but this post has some good starting points: