I use 3.5x. It is now really 4x because I went from -capacity 12 to -capacity 9 and never made the change. In a previous post someone mentioned 2.5x just to be safe, I guess in case destroying a used port is not yet complete while the exact 2 ports are trying to be re-used for a new connection.
I started at 65534 and went backwards. I avoided using the last port, 65535, just because. So for you at 2x this would be 65525-65534.
I use -ephemeral-ports-range "65497:65534" -capacity 9 -unsafe-logging -verbose, and I keep stats.
What is bothering me also is the process of avoiding any VPN being possibly deployed on the router itself.
Don't understand this. Do you mean someone compromising your system? Hmmm, probably not wanting to have to use a VPN on your router.
With -verbose and -unsafe-logging you will see exactly which IP is connecting and all kinds of other stuff.
Have no tips for OpenWRT since I have only tried that one many years ago.
Good luck.