Is the connection between php server and routerboard encrypted?
With that, yes.
Is my connection secure, even if I'm not using any certificate?
If you're not using a certificate, you have no guarantee that the device you connect to is the one you intended, but you DO have guarantee that no 3rd device would be able to listen in or manipulate data exchanged with that device.
So if, for example, there was a router between your web server and router, and I was an attacker who had control over that middle router, I could dst-nat you to MY own "spy device" with a pseudo router with ADH running, and your PHP app wouldn't know the difference - it would communicate with my spy device, which could in turn perhaps relay this over a new connection to your actual router. Since I could log the info from both ends, this renders the whole encryption thing pointless.
If my router was set such that your web server is behind its NAT, it's even better - my spy device could safely use the middle router's public IP, and your router wouldn't know about my spy device.
But this is still one step better than an unencrypted connection, where an attacker doesn't even need control of a router in order to listen in, but just be in your router or web server's LAN.
Is it any different than regular connection without NetworkStream::CRYPTO_TLS?
It's only different in that the connection is encrypted... Or rather, it SHOULD be. Sadly, it's not currently the same. Due to internal PHP issues, encrypted connections are currently very unstable. They can disconnect (seemingly) randomly.
Keep in mind that even with an unencrypted connection, your router's password is never transmitted in plain text. It uses a CHAP challenge (you know, like in hotspot), which is not trivial to crack - If an attacker gets ahold of the successful CHAP exchange, they can then do unlimited amount of tries on their machine, but they must still actually brute force the password, which can take a long time, depending on how complex your password is and how powerful their machine is.
The more troublesome part is if you're using the API to modify user passwords - those are transmitted in plain text.