I think wireguard or tailscale might be still the best option, for a few reasons let me explain:
-
it uses udp, the cool thing about udp is that it is stealth from port scanners, wireguard is designed in such way that it does not respond if a auth has been failed, or a port scan is being used, tcp however will reply with a icmp reply or auth failed which you see on openvpn type of vpn this makes you alot more exposed a workaround is to look into port knocking but you can wonder how viable that is.
-
also wireguard has a smaller code footprint meaning its code is better managed which could lead to less chance it has vulnerabilities, on the other side its still new and new software can also come with vulnerabilities so far its secure
I guess you need to check some youtube tutorials how to configure a site to site vpn, or check gl documentation Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X)
For luci:
