While I was watching for old stuff I could play with on ebay I noticed that a few sellers are offering a few "cloud managed routers" (i.e. if you don't pay a subscription they are paperweights) from a company called "simplewan" that looked oddly familiar.
here some pictures (from auctions, not mine) they are bright orange.
The images are a dead giveaway, these devices seem to just be a branded version of PCEngines APU1 (the ones with black USB 2.0 ports) and PCEngines APU2 (the ones with the blue USB 3.0 ports) mini-PC firewall/routers.
These devices are labeled SW301DA or SW302DA but it is unclear if that relates to the hardware inside, the only 100% sure way to tell them apart is the USB ports on the back. Since you probably want the APU2 ones because they are better, ALWAYS watch the photos and send a message to the seller to confirm that you are getting the ones with BLUE USB 3.0 ports.
I've seen some that have been branded by someone else (kumo or xactlink or nextiva) and have a box with a different color (blue or gray) but they are all called "simplewan" in the listings and are obviously the same thing if you look at them from the port side.
PC Engines APU devices are generic mini PC firewalls with a BIOS so it's a good candidate for reuse with OpenWrt or pfSense OPNSense or IPFIre.
This is APU1 board https://pcengines.ch/apu.htm
and this is APU2 board https://pcengines.ch/apu2.htm
The case also acts as a heatsink so it's a fanless device
I bought the ones with USB 3.0 ports and they were indeed APU2C2 from PCEngines (2GB ram, 3x gigabit ports with Intel ethernet).
This is the spec page of the devices I have bought and opened https://pcengines.ch/apu2c2.htm
They seem to be running some random BSD-derived firmware on the same 4GB SLC SDcard PCEngines also sells. Mhh, a free 4GB SLC Sdcard is included boys.
Yes I'm not in the US but I still managed to get heavily discounted prices on a few lots (well below market price in the EU while still paying the import fees) because apparently nobody wants to buy used "cloud managed routers" aka hardware that does not work without paying a businness subscription to simplewan.
But since the hardware is not really locked down, you can just open them, pull the SDcard and flash whatever you want on it. Or install a mSata SSD and run from that. The devices are not "locked" to use only their original firmware.
The brand/logo can be easily removed from the case if you leave the metal part in a bit of "gentle nail polish liquid" (i.e. not straight acetone) overnight for the white ink to soften up and then remove gently with a plastic tool. You need a sealed plastic container for this to work, of course.
This other site (that sells normal PC Engines APU new in EU but is otherwise unrelated to my post) has a few articles you might want to check out, for connecting to these devices using the serial port from Windows https://teklager.se/en/knowledge-base/serial-connection-putty-windows/
And upgrading the coreboot BIOS to a more recent version (which isn't strictly required to use OpenWrt, but newer versions should unlock CPU turbo so it would get some more performance)
As for performance, APU2 can NAT at full Gbit on Linux and 650-700 on pfSense (see benchmarks here https://teklager.se/en/knowledge-base/apu2c0-ipfire-throughput-test-much-faster-pfsense/ and in the other article where they mention OpenWrt being at 1Gbit on single or multi streams, because Linux https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/ ).
It also has AES-NI crypto acceleration.
They mention "with a new bios" for the pfsense performance because new BIOS enables CPU boost to 1.4 Ghz so the CPU can clock higher when only a few cores are loaded (as I said BSDs can only run the interrupts on a single core)
They also show some benchmarks for VPN performance on APU2 and it's 100-150 Mbit/s for OpenVPN (again pfSense is lower and OpenWrt is higher), or 600 Mbit for Wireguard https://teklager.se/en/knowledge-base/apu2-vpn-performance/
APU1 are less powerful than that, and have no AES-NI support but you can still expect around 900 Mbit/s NAT on Linux and closer to 500MBit on pfSense and OPNSense