ive been testing diferent VPNs protocols on Routerboards based on QCA9533, i have a few RB941and RB931 around. Im not expecting to break any bandwidth records with these cpus that do not support hardware crypto. They connect to a RB750Gr3, and that one do support hardware crypto for L2TP/IPsec.
L2TP+IPsec, using SHA1 auth + AES-256-CBC encryption (altrought i should only consider sha256 for auth). It does gets respectable bandwidth for what those small routers are, and it is hardware accelerated on the RB750Gr3.

Then i tested with Wireguard and it is considerably faster, lets say i can transfer a file with the L2TP at about 2MB/s (altrought SMB transfer over VPN is really unstable for me for wharever reason), with Wireguard it can get to 3, 3.5 and sometimes even 4. And the overhead on the RB750 is small (compared to using L2TP).

The question would be how to connect wireguard to the RB750 when the 2nd router is behind NAT and i cant forward the port. WIth L2TP this is a non-issue.

Something that crossed my mind as i was writting this is using PPTP, whiout encryption because it is pointless and adds overhead, just to create a tunnel, block everything on that tunnel except the traffic on the Wireguard port. I havent tested this.

WG doesn't require both devices to be reachable, one is enough, same as with L2TP/IPSec.

oh, i see. I didnt need to set the endpoint ip when i set the server peers. Thanks, this is working fine. I really like the results compared to L2TP/IPSEC on the RB951/RB941/RB931 routers.