
There's a comparison section on GitHub [1] – WireGuard doesn't support TCP while this does.

[1] https://github.com/jedisct1/dsvpn#why



The normal solution to that problem is to tunnel the UDP over TCP, for example with this: https://github.com/wangyu-/udp2raw-tunnel


> OpenVPN is horribly difficult to set up.

That statement could use some more explanation, in my opinion. I never felt it was very difficult.


Using easy-rsa, choosing the right ciphers and other protocol options always seemed overly complex and opaque to me. WireGuard was a breath of fresh air in comparison.


There are multiple setup scripts like [1] that make it super easy to set up OpenVPN.

[1] https://github.com/Nyr/openvpn-install


Makes it super easy but even more opaque, that is not a good thing with incredibly security-related software.


Isn't it common advice to not roll your own crypto? If this software has sensible defaults, I see no problem with using it.


It is, but with this script it's a third party rolling their own crypto for you :D. OpenVPN should have good defaults instead.


Compared to WireGuard though...

It sounds like OP would've liked to use wg really, but only had TCP 80/443 to play with.


Compared to WireGuard, OpenVPN is easy to set up wrong but difficult to set up right.

Most people configuring their own OpenVPN installation will think the job done when it begins functioning, but there is a difference between functional and secure; just look at telnet! OpenVPN makes it too easy to create a system that 'works' but isn't secure.


Suppose you tunnel WireGuard traffic through a plain-jane unencrypted TCP connection?


Ah, excellent. Everything makes sense now. :-)



