Any time I bother to use a VPN I also use a network slug[1].
I don't want to worry about implementation errors or weird bugs or DNS leaks or anything like that.
A slug, which is a "transparent layer 2 firewall running on a device with only two interfaces" generally breaks your entire network if your VPN is not working exactly as you hope it will.
- Pre-filtering per Geo IP
- 2FA
- VLAN separation, different users and different subnets, once connected
I am using both IPSEC and OpenVPN - they have different application/purpose and I need both.