A friend asked "how about setting up wireguard instead?" Sounds odd and crazy, but really?
Pros:
- encapsulates all protocols such that one doesn't have to struggle with each one
- allows for portability and tunneling: device can talk to its servers even if they're many routing hops away as long as the VPN can be routed
Cons:
- implementation requires wrestling with LwIP to introduce a new interface and add WG code, probably make the inside-VPN interface the default
- requires a routed network inside the VPN, so there's more up-front set-up involved: need a VPN server, set up keys, set up a subnet, route the subnet, perhaps run DHCP within the subnet
- unless multiple WG servers are supported with some fail-over this reduces availability
I run one server as "IoT hub" with MQTT and stuff so I'd run a WG server either there or on my router (which already runs WG).
Overall, this sounds like an intriguing option which I haven't heard about before. I'm not seeing why it wouldn't be doable, assuming mbedtls has the required cipher suites. Thoughts?
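To make the up-front set-up in the cons list concrete, here is an added example (not from the original post or the project it discusses) of the two ends of such a routed VPN: a hub config on the IoT server or router and a device config for the embedded side. The subnet 10.77.0.0/24, the endpoint name and all keys are placeholders.

```ini
# Hub side (IoT server or router) -- /etc/wireguard/wg0.conf
# Assumed: VPN subnet 10.77.0.0/24, hub at .1, UDP 51820 reachable from wherever the device sits.
[Interface]
Address = 10.77.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>      # placeholder, output of `wg genkey`

# One IoT device. Only its own /32 is accepted from this peer, so a
# compromised device cannot source traffic as another VPN address.
[Peer]
PublicKey = <DEVICE_PUBLIC_KEY>     # placeholder, output of `wg pubkey`
AllowedIPs = 10.77.0.10/32

# Device side (the interface added to LwIP)
[Interface]
Address = 10.77.0.10/24
PrivateKey = <DEVICE_PRIVATE_KEY>   # placeholder

[Peer]
PublicKey = <HUB_PUBLIC_KEY>        # placeholder
Endpoint = hub.example.net:51820    # placeholder; must be routable from the device's network
# Only the VPN subnet is sent through the tunnel (MQTT lives at 10.77.0.1).
# Use 0.0.0.0/0 instead to make the inside-VPN interface the device's default route.
AllowedIPs = 10.77.0.0/24
# Keeps the NAT mapping alive so the hub can still reach the device between its own sends.
PersistentKeepalive = 25
```

With a second [Peer] on the device pointing at another hub, only one can own a given AllowedIPs range at a time, which is the availability limitation the cons list notes.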