With OpenVPN over TCP on port 443, no firewall normally drops packets to that port or queues them for special DPI.
You cannot really have an IPSec tunnel in a hostile environment without being noticed.
Having UDP traffic on ports 500 and 4500 is screaming to the BOFH who runs the network: "hey, look at this guy, he is running IPSec".
I get your point, but I'm afraid it all depends on the actual hostility of the environment. First, I've seen firewalls doing MITM and then DPI on HTTPS (as they are made by renowned vendors, their CA certificates are trusted, so the browsers happily accept the forged site certificates signed by those). On one of them I've tried an IKE(v1)-based Cisco VPN and it ruined it by manipulating its packets' contents; hard to say whether intentionally or due to a bug. So I suspect that if such a firewall didn't find HTTP traffic as the TLS payload, it would not let it through anyway.
I originally supposed that you talked about unreliable networks rather than firewalls policing traffic from the internal network to the internet.
With both OpenVPN and IPsec, you can use different UDP ports than 1194 and 4500 (and 500 if the client needs it) by means of NAT rules; the question is again just the degree of paranoia of the firewall admin.
The last time (a decade ago) I set up IPSec, I swore that I would not touch it ever again.
That's a matter of personal choice. If you don't intend to use IPsec routinely, there is no point in learning it; if you do, addition of a new client into an already running environment is as easy as with OpenVPN. But as you mention the value of your time (nothing bad about that!), I assume you haven't given RouterOS 7 beta a try? As people here report that the OpenVPN implementation there finally started supporting UDP transport, maybe there are other improvements too?
I am happy to sacrifice CPU and throughput for security.
I run OpenVPN permanently on my Android phone; surely if the CPU on a phone can handle this (while doing many other things), the ARM on something like a hAP AC2 should also be able to handle modern ciphers?
Well, my remark was in the first place a technical one, correcting your statement that sha512 was not supported on hAP ac² at all. And regarding CPU usage, the CPUs in phones are usually several times more powerful than those in SOHO routers such as the hAP ac2, and they deal with the VPN traffic of a single client; the router typically has to deal with the VPN traffic of tens or hundreds of clients, so hardware acceleration of encryption makes sense. Again, it is a matter of personal preference: if you don't mind dedicating a router to each two or three clients, why couldn't you run encryption in software?
Instead of writing novels, post /export hide-sensitive. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you with a distinctive pattern such as my.public.ip.1.
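The redaction step the signature asks for can be automated instead of done by hand. The script below is an added example, not code from this thread or from MikroTik: it walks an export, leaves private, loopback, link-local and documentation ranges alone so the config stays readable, and replaces every public IPv4 address with a stable placeholder in the my.public.ip.N style, numbered by first appearance so that the same address always gets the same name and relationships between rules survive. The sample export is constructed for the example (the public addresses in it are arbitrary values, not any real device's), and the script handles IPv4 only.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Matches dotted-quad candidates; ipaddress then decides whether each one
# is a real address and whether it is publicly routable.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_public_ips(text: str, template: str = "my.public.ip.{n}") -> Tuple[str, Dict[str, str]]:
    """Replace every public IPv4 address in `text` with a stable placeholder.

    Non-global ranges (RFC 1918, loopback, link-local, documentation, ...)
    are left untouched. The same public address always maps to the same
    placeholder, numbered in order of first appearance.
    Returns the redacted text and the address -> placeholder mapping.
    """
    mapping: Dict[str, str] = {}

    def replace(match: "re.Match[str]") -> str:
        literal = match.group(0)
        try:
            addr = ipaddress.IPv4Address(literal)
        except ipaddress.AddressValueError:
            return literal  # e.g. "300.1.2.3" looks like an address but is not one
        if not addr.is_global:
            return literal  # private / loopback / link-local / documentation: keep
        if literal not in mapping:
            mapping[literal] = template.format(n=len(mapping) + 1)
        return mapping[literal]

    return IPV4_CANDIDATE.sub(replace, text), mapping


# Constructed sample in the style of a RouterOS export (not a real device's
# config; the public addresses are arbitrary values chosen for the example).
SAMPLE_EXPORT = """\
/ip address
add address=192.168.88.1/24 interface=bridge
add address=85.12.34.56/29 interface=ether1
/interface ovpn-client
add connect-to=203.5.6.7 name=ovpn-out1 port=443
/ip route
add dst-address=0.0.0.0/0 gateway=85.12.34.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

if __name__ == "__main__":
    redacted, seen = redact_public_ips(SAMPLE_EXPORT)
    print(redacted)
    for real, placeholder in seen.items():
        # The mapping is for your own reference only; do not post it.
        print(f"# {placeholder} stood for {real}")
```

Run it on the file you saved from /export hide-sensitive and post the redacted output; keep the printed mapping to yourself so you can translate answers back to your real addresses.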