Suricata IPS on a VPN server?
Hello, dear experts :)
For several days I have been racking my brains over installing the Suricata IPS on an OpenVPN server. The task is to inspect the traffic entering the VPN tunnel and leaving it, and to block some of the junk.
In IPS mode there are several ways of working: NFQ and AF_PACKET. What is the best way to accomplish this task?
In NFQ mode a queue is created and handed to Suricata for processing. As I understand it, this adds latency to the data transfer (and speed is critical, because the VPN carries PM and SIP telephony traffic), plus you have to fiddle with iptables.
In AF_PACKET mode Suricata acts as a network bridge between two interfaces. But if you attach it to tun0, it will not recognize the encrypted traffic. Is it possible somehow (for example, with a network bridge made of virtual interfaces) to put Suricata in the gap between tun0 (facing the VPN tunnel) and eth0 (facing the Internet), so that it sees traffic from both sides? How would one do that?
Perhaps the NFQ option should not be dismissed, if it does not reduce the speed significantly.
Which option is easiest to implement, and how?