Double NAT configuration

You’re right that OpenVPN and DDNS can run on a PC behind a NAT router as long as the upstream router handles all the port-forwarding—but imho that’s exactly the reason Netgear disables them in AP mode. In AP mode the router stops being a gateway and becomes just a layer-2 bridge, so it has no WAN interface, no firewall, and no ability to automatically open or manage the ports that OpenVPN or DDNS depend on. Netgear could technically allow those services to run, but they would only work if the user manually configured the upstream router to forward all the required TUN/TAP ports to the AP’s LAN IP, and even then the AP would still be advertising a DDNS hostname for a WAN IP it doesn’t control. 

Along the lines of the upstream router needing to be configured, another big issue is that even if Netgear allowed OpenVPN and DDNS to run in AP mode, supporting it would be extremely difficult because the upstream router—where all the port-forwarding must occur—could be made by literally any manufacturer, each with different interfaces, capabilities, and terminology. Some routers bury or limit port-forwarding options, some don’t expose the needed settings at all, and others behave inconsistently depending on firmware or ISP restrictions. So Netgear would be responsible for troubleshooting OpenVPN setups that depend entirely on hardware they don’t control. That’s a support nightmare; they’d have to diagnose problems on every imaginable brand of gateway just to make a feature work that the AP isn’t really designed to host in the first place.

These are big reasons why vendors disable these features in AP mode, even though they’re technically possible.