Which side of the tunnel should be the tunnel client/tunnel server?
Scalability concerns -
This is somewhat counter-intuitive. The tunnel server uses a fair amount of computing power. So, in a scenario where you have a central hub and several remote hubs attaching to the central hub it is better for the remote hubs to be the tunnel servers. This means that each incremental remote hub only adds a tiny amount of overhead to the central hub.
Security concerns -
This consideration is all about which side initiates the connection (regardless of information flow once connected). The more trusted side should be configured as the client. The best example of this would be a hub in the core of a business connecting with a hub in the DMZ. The firewall between the core and the DMZ would generally be configured to block ALL connection requests from the DMZ into the core. (After all, that's the whole point of a DMZ.) The firewall is told to allow a one-way conversation between the two hubs initiated by the core into the DMZ. (The core is more trustworthy than the DMZ.) In this case, the core hub is configured as the tunnel client which will initiate the connection to the hub in the DMZ (which is configured as the tunnel server.)