Perhaps I will regret it things get congested but I find it's hard to beat SSH
even by Sec/IPSEC (Android client concerns) and I'm considering dropping
Wireguard even over CGNAT despite it's use of UDP and my preference is now the
following for sshd_config.

Ciphers = aes256-gcm@openssh.com

My conservative bones would prefer something like AES-SIV but unless people
still have concerns about the complexity of Galois Counter Mode (GCM) then as
mobiles now support AES acceleration and PMULL in BoringSSL then does it make
sense to move GCM above chacha as the default setting. Perhaps?

aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-gcm@openssh.com?

-- 
All the best,
             Kevin Chadwick