Given the apparent state of affairs, it seems like the vendor or vendors who care should bake a vpn into their firmware to provide better protection. Of course it is possible to use a pi or perhaps integrate into an open source firmware, but having a simple vendor provided config would be much better for adoption rates.