Why don’t people use client certificates
The difference is that the client certificates are usually implemented as part of the web server. If there is an issue with either the configuration or a bug in the web server, you can potentially immediately bypass the certificate requirement. On the other hand, a VPN is often a completely separate piece of software that operates at the network layer.
Another thing. If you run a simple port scan against the Internet, it is easy to find http/https servers. Some VPN protocols that have been strongly configured will be more or less invisible to any kind of port scan. This eliminates a lot of the scanning and probing you get for basically anything that is visible on the Internet.
Not saying client certs don’t have their place. Just not sure I would choose them, when I think a VPN provides stronger protection and is potentially pretty easy to implement for a self-hosted environment.
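The bypass the post is worried about usually looks like this in practice: the web server is set to verify client certificates only optionally (nginx `ssl_verify_client optional;`) and forwards its verdict to the application, and the application then forgets to check that verdict. The following is an added example, not code from the thread, showing a WSGI middleware that fails closed on the proxy's verdict. It assumes an nginx front end that sets `proxy_set_header X-SSL-Client-Verify $ssl_client_verify;` and `proxy_set_header X-SSL-Client-I-DN $ssl_client_i_dn;` (the header names are my choice; the nginx variables and their `SUCCESS` / `FAILED:...` / `NONE` values are nginx's own). Because `proxy_set_header` overwrites anything the client sent, the headers can be trusted only when the proxy always sets them; the CA name is a constructed sample value.

```python
"""Enforce the reverse proxy's client-certificate verdict inside the app.

Assumed (hypothetical) deployment, not taken from the thread:
    ssl_verify_client optional;   # nginx lets requests without a cert through
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-I-DN   $ssl_client_i_dn;
nginx sets $ssl_client_verify to "SUCCESS", "FAILED:<reason>" or "NONE".
With `optional`, a handler that never looks at the verdict is exactly the
configuration bypass the post describes; this middleware centralises the check.
"""

from typing import Callable, Dict

# Constructed sample value: the only CA whose client certificates we accept.
ALLOWED_ISSUER_DN = "CN=Selfhosted Client CA"


def _deny(start_response, status: str, body: bytes):
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def require_client_cert(app: Callable) -> Callable:
    """WSGI middleware: fail closed unless the proxy reports a verified cert
    from the expected CA. Relies on the proxy always overwriting both headers
    (proxy_set_header does), otherwise a client could supply them itself."""
    def wrapper(environ, start_response):
        verdict = environ.get("HTTP_X_SSL_CLIENT_VERIFY", "")
        issuer = environ.get("HTTP_X_SSL_CLIENT_I_DN", "")
        if verdict != "SUCCESS":
            # Covers a missing header, "NONE" (no cert presented) and "FAILED:...".
            return _deny(start_response, "401 Unauthorized",
                         b"client certificate required\n")
        if issuer != ALLOWED_ISSUER_DN:
            # A valid chain to some other CA is still not our user population.
            return _deny(start_response, "403 Forbidden",
                         b"certificate not issued by the expected CA\n")
        return app(environ, start_response)
    return wrapper


def _protected_app(environ, start_response):
    """Stand-in for the real application behind the proxy."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret dashboard\n"]


def status_for(proxy_headers: Dict[str, str]) -> int:
    """Run one request carrying the given proxy-set headers through the
    middleware and return the HTTP status code it produced."""
    environ = {"HTTP_" + name.upper().replace("-", "_"): value
               for name, value in proxy_headers.items()}
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    list(require_client_cert(_protected_app)(environ, start_response))
    return int(captured["status"].split()[0])


if __name__ == "__main__":
    # Constructed requests as nginx would forward them.
    for headers in ({},
                    {"X-SSL-Client-Verify": "NONE"},
                    {"X-SSL-Client-Verify": "FAILED:unable to get local issuer certificate"},
                    {"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-I-DN": "CN=Other CA"},
                    {"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-I-DN": ALLOWED_ISSUER_DN}):
        print(status_for(headers), headers)
```

Setting `ssl_verify_client on;` at the proxy is the simpler fix where every path needs a certificate; the middleware matters when some paths must stay reachable without one and the rest must not silently become reachable too.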
Yes, I understand what you mean, and you don’t seem to be misunderstanding how TLS client certificates function.
But my point was that usually it is the web server that accepts and validates the client certificate. A web server is externally visible, and so it is potentially something that can be attacked even if the attacker doesn’t have a valid client certificate.