Last year I started shopping for hardware for my home network. I concentrated on x86 because I have some experience with OpenWRT as well as pfsense and other x86 based router firmware.
So I settled on a Shuttle DH170 with an intel dual core G4400T (35w) and a single 2gb stick of DDR3L ram. I spent the last half year or so tinkering with the other firmware while waiting for ATT to finish the fiber install in my neighborhood. 3 weeks ago ATT got me hooked up with 100mbps and last week I upgraded to gigabit. Yesterday I got my vpn provider setup (airvpn) and ran a test running 6 concurrent ubuntu torrents to saturate the vpn connection.
Result: over 700mbps download via OpenVPN. Not bad for less than $200 worth of hardware (some new some used on ebay).
Granted my DH170 does not have wifi built in (you could add that if wanted), so I used my previous Asus RT86U as an access point and called it a day.
This conversation made me think - what's available as far as cheap x86?
There seem to be quite a few cheap Z8350 offerings (around $100 total for a fully assembled system), and the Z8350 has AES-NI support, so should in theory provide decent OpenVPN throughput if you set things up to use AES-NI.
I bought an ACEPC T8 from amazon and it was around 100 Euros (Inkl Gigabit Ethernet), maybe cheaper from Gearbest. Couldn't benchmark it yet as I am struggling to get openwrt to boot on UEFI mode. But I think it will be way faster than the Odroid XU4 or the Rpi 3
I used AMD GX424CC based Thin Clients, they are on eBay for ~30$ and are fully capable with AES-NI and what not... Only 20watt fully loaded. No moving parts - they can run forever. One PCIe can be used for 2nd LAN (or if no greater than 500mbps is required, simple managed switch and vlans will do the interface job.
Never tested on Thin Clients, should be less than a full size desktop but not dramatically less.
I did test VPN with pFsense on HP ProLiant DL360 G6 (2xQuad-Core E5540) and got line rate with <40% CPU load.
I can test if you need it. I have a couple as HTPCs, one GX420 and one GX424
If you choose well, you can remain below 15 watts idle (the most common power state, even for a moderately busy environment) for the whole system - in comparison many of today's top-end ARMv7/ ARMv8 wireless routers chugg around 20+ watts out of the wall.
Personally I'm running a passively cooled Baytrail-D (Pentium J1900) system (ASRock Q1900DC-ITX, 500 GB 2.5" spinning rust, 8 GB RAM, 19V/ 60 watts notebook PSU) at 6 watts idle (measured at the wall); below 30 watts under artificially full load on all cores/ active HDD (albeit as a LAN server, not as router).
Edit: general rules of thumb:
CPU graphics, no discrete graphics card (<-- immediate bump to >30 watts idle)
no optical disk drives (often bad firmware implementations, preventing the SATA controller and CPU from sleeping)
few SATA ports in use (so the others can power off)
well selected mainboard, with few bells and whistles (BIOS, onboard components, LEDs etc. can bump idle power consumption a lot)
desktop/ mini-ITX, notebook'ish hardware, server class mainboards or CPUs will draw a lot more power
DC-to-DC power can help you save a little more, but this is just the icing on the cake and not strictly necessary.
With well selected components (and reducing optional features, even if it looks innocent on its own) you can even keep a (haswell or newer) top-end i7 between 11-17 watts idle (obviously these can draw a lot more under full load, but the idle power consumption has the biggest impact on your power bill).
I use Dual core Celeron N3050 silent miniPC. TDP is 6W (all cores 100%).
OpenVPN thoughput is roughly 170Mbit per core. Router itself is mostly drawing <10W with moderate load. SSD and passive cooling.
It is important to keep in mind that OpenVPN is single-threaded. So if you plan to have more than one OpenVPN session, extra cores can be useful (but every session will top out at speed of single core).
If you only need to "bridge" to VPN provider, two cores are enough: one will handle VPN and another will do routing, FW and Luci.
Also, picking a CPU wihout AES-NI is usually not worth it.
Figured I would update my setup. I had an Amazon Gift card which allowed me to "downgrade" to a J3455 based embedded board. Results? Still capped my 400/20 (470/23 realworld) cable internet across the VPN connection.
Another thing to think about is OpenVPN 3 will be multi-threaded so multicore CPUs will have even better capabilities so I should be set for the future.
Final Build:
J3455B-ITX
4gb DDR3L-1600
60w pico PSU
M-ITX case w/gpu relocation
2 Port Intel Server NIC (from Ebay)
Setup:
VPN Connection to AirVPN with Policy Routing
Wireguard VPN on WAN for Roadwarrior network access.
AdguardHome running inside OpenWRT for all my DNS based blocking needs
Expectedly good performance with what should be very low power consumption. I have a Zotac CI327, believe it's a J3450, very similar... though I have yet to use it for a VPN, or measured it's at the plug power draw.
Good point about OpenVPN 3 (first I've heard of it), they better hurry before everyone migrates to Wireguard.
