Let's presume we have hardware powerful enough to run, say, a VPN, a reverse proxy, a publicly accessible web server, etc.. If we don't take liberties with the firewall, and presume the non-critical software is at least as secure as the routing software, what would be the actual security risks involved in doing something like this?
@slh mentioned in another post:
Does this apply to the scenario described in the first paragraph too? What about type-1 hypervisors?
Don’t? It’s a router after all. Just because you can, doesn’t mean you should.
Let's clarify here....
There are considerations on multiple levels here…
First of all the security exposure of your router, which is the gatekeeper of your network and exposed to the outside. Keep this small, avoid 'optional' services on this device, its hard- and software.
Then the hardware, in the past decade we've seen quite a lot of security improvements on the hardware side (memory randomization, NX, …), x86_64 and ARMv8 have gotten a lot of attention in this domain, ARMv7 only a little, mips basically none at all (its ISA development ceased in the late 90s). This does help hardening the software.
Finally the OS side, a typical router is mostly fixed function, it only filters- and forwards packets, but usually doesn't consume external (untrusted) input. The number of packages involved is rather limited and therefore also getting a lot of attention by OpenWrt developers, security updates will be released (with new image) in time for these. A server (http, file, mail, ...) needs to receive untrusted input, while at the same time having a rather large dependency stack, all of which may contain security issues - which need timely updates, daily. But OpenWrt isn't really catered to in-place upgrade, nor do the packages involved get as much attention as the more basic networking packages (even more so when it comes to timely attention). These may work in a more or less trusted home environment, but I really wouldn't expose these to the hostile internet.
If you want to host a public server, please run it on dedicated x86_64 or ARMv8 hardware, running an up-to-date general purpose distribution (arch, debian, fedora, gentoo, mageia/ mandriva, OpenSuSE, Ubuntu, …).
I'm sorry, but telling someone to do (or equivalently: don't) do something with barely a hint as to why is about the worst answer one could produce.
The primary gateway. I'm living in an are with ludicrously expensive electricity, so running everything on a single power-efficient device would seem optimal, at first glance.
On the primary gateway, it is not recommended for all the reasons @slh stated.
You are much better off using another device behind your router for serving files/services. Consider a low power SBC like a pi or similar.
That makes sense, thanks. I'll mark your answer as the solution once the activity in this thread stops.
Then again, with hypervisors, OpenWrt and, say, Debian would be running in separate machines with separated primary and secondary memory. This still is less safe than separating the systems into physical machines, but theoretically not by much, right?
Yeah, I considered that same question before buying a small i3-n305 fanless pc to use as my all-in-one router + home-server.
The way I see things, having openWRT in a VM rather than bare metal does not significantly change security. It (obviously) only makes a difference versus attackers that can attack the hypervisor (or neighbor VMs) from inside a VM.
That indeed can happen (one could say you're already in trouble if you're targeted by attackers with the skill and motivation to go to such lengths to hack your home server... If someone is after you, the more realistic approach does not care about VMs or bare-metal : https://xkcd.com/538/ ).
But then, the biggest risk by far comes from other apps with bigger attack surface and more frequent usage, like nextCloud. If one such app is hacked and the attackers have a way to escape its VM to attack the hypervisor or neighbor VMs, then they already got their hands on the targets I care about. Having the router in a separate, bare-metal box does not change anything in that scenario : it's neither a valuable target (in itself) nor a significant attack surface.
So : all-in-one hypervisor with openWRT + every services as VMs, and no service exposed to the outside except Wireguard seems like a pretty good fit for a typical home infrastructure. Very poweful, flexible, economical, and ecological (around 10 watts total power usage, including LAN switch - I chose a 6 ethernets ports mini-pc)
This seems very reasonable. I probably couldn't have asked for a reaction that is better structured than and as exhaustive as this!
As you said,
For me, that implies […]
In my experience, I have run custom BIOS/OS on dedicated hardware appliances (nas, routers) with much more difficult issues than my experience with VMs. The hardware is one PC, most issues can easily be rolled back in the hypervisor tools.
So for me : K.I.S.S. ⇒ keep it in a hardware you're familiar with, running an OS you're familiar with ⇒ in a PC server, running proxmox. 
And good points about planning replacement devices.
And configuring in one place. That's why my routerVM owns its nics, and handles all network configuration. proxmox really only runs the VMs, saves snapshots/rollbacks, nothing more.
In the end there's really not much difference vs router in its own hardware, except I can manage that virtual PC much more comfortably than I would a real device, with its own BIOS, own on/off button, own boot disk...
If your reason for centralising on one device is to reduce electricity usage moving to an x86 platform is not likely going to achieve that aim.
Quick google search shows i3-n305 devices consuming 9-11w at idle and 29w under normal load (from serve the home review).
2 Low power arm devices (such as an all in 1 router and a separate raspi server) can easily stay below 10w while also providing wifi.
My a decade old Atom j1900 needs 6 watts from the wall, another with four 1000BASE-T ports needs 11 watts (that's idle usage, aka 'normal' operations, they might hit 25-30 watts under artificially high load, e.g. ffmpeg/ x264 transcoding). A Fujitsu D3400 kaby-lake mainboard can hit 13 watts idle with an i5-7xxx and a pico-PSU, a Fujitsu Futro s920 with AMD GX-424CC CPU may get away with 4.5 watts idle.
I have seen new ARMv8 based APs that need 23-25 watts idle and can go beyond that under full steam; my nbg6817 needs around 15-16 watts.
Thinking that ARM is always more efficient than x86_64 is simply not true, ARM has no magic bullet either. If you want high performance, there is no real difference in their power consumption (but x86_64 still has an easier time to achieve top performance). x86_64 has made quite major and successive gains in terms if power efficiency since sandy-bridge (and their Atom line-up), but you do have ti select your components carefully (mainboard, PSU, no dedicated GPU). And unless you're a university campus or big company, the predominant system status of your router will be idle or close to idle, with relatively short higher load peaks.
The values have been measured, at the mains plug, over a longer period of time and during normal operations.
Thanks for that elaborate answer!
Which hypervisor do you use on that system? I was thinking about either running containers directly from OpenWrt or using an immutable OS like CoreOS or Flatcar as the container host.
I do agree with slh on many things : running additional software from inside openWRT should be avoided if possible
I run openWRT inside proxmox. You could also use vmware ESXi, or debian+libvirt if you're used to it and know how to configure everything. It is better this way than the other way around (running stuff within openWRT)
But my i3-n305 box can :
all for 10 W idle (which is 99% of the time)
How do you see ARMs helping in there ?
Basically, to run VMs you'll need a x86_64 (and close to 10 W), so from there the power usage optimality of an "all-in-one mini pc" setup is very easy to establish.
Where in the originating post did the OP refer to running multiple virtual machines?
Clearly that’s your use case but that doesn’t mean it’s the solution for everyone.
Also what wifi hardware did your mini pc come with that it can replace an access point?
I think a "general-purpose server" means running a few different services, and for quite a while that has been done with virtualization (or containers). But I might be interpreting too much ? Do you recommend running "VPN, a reverse proxy, a publicly accessible web server, etc.. " all in one OS that is not specifically designed for the role of running siloed apps in the most secure and flexible way ?
Regarding wifi : my box comes with a PCIe expansion slot, and 2 holes designed to fit antennas. Using those would probably not provide as good a signal as my Netgear R7800, which sits at the center while the all-in-one router has to be close to the optic fiber. It's good but draws as much power as my mini-pc. Adding wifi to my pc and placing a smaller wifi device where signal is low could shave a few watts overall : I'll think about that when the netgear starts failing.
In the meantime, with or without wifi, recent x86 hardware makes it possible to choose a "general-purpose server" that can also act as a router quite well, all for around 10 watts. Adding dedicated router appliances can only increase power usage.
This is a game of trade-offs, as far as I can see, and I think there is no right or wrong here. However it helps if the local administrator is aware of the trade-offs involved. So far this thread did a decent job of enumerating these (either explicitly or by offering relevant links).
Some functionality can be quite convenient if run on a router (e.g. offering OpenVPN or wireguard for remote access to one's own network), while other stuff like a publicly available webserver likely is better off when run at arm's length of the core router (but whether by VM or as a dedicated device seems less important to me). But in the end I think the guidance should be "your network, your rules".
This is a good idea! I only recently started to look into this and e.g. changed my two old x86 machines (acting as file servers) from 24/7 operation to when I actually need them (which is much less inconvenient than I originally thought when I "slipped into" 24/7 just on the hunch I might need to access these remotely anytime). Saving power is a good idea, even if electricity would be cheap 