You can use the MacOS Network settings to connect to most types of VPN (hit "+" and fill in the forms to add a new connection). For free, open-source clients, Tunnelblick is very common.
macOS and iOS don't support OpenVPN with the built-in client. You can use strongSwan-based VPNs (e.g., as would be deployed through Algo) or Cisco, but for OpenVPN you'll need a custom client which, unfortunately, very likely brings along its own .kext.
TunnelBlick comes with a tun/tap kext that is signed. This is not required on systems where Apple already has tun/tap support compiled in (not sure when that started, but it's been a long time)
From the known issues page:
"If you are running on OS X 10.6.8 or higher and using OpenVPN 2.3.4 or higher and using a TUN device, the default Tunnelblick setting to "Load Tun Automatically" (on the "Advanced" settings window) will avoid this problem by not loading the tun kext — OS X's built-in "utun" device will be used instead of a "tun" device."
Is a .kext actually required for a vpn client? My understanding is that TunnelBlick just creates a tun network in user-space. Why would it need to be in the kernel?