I've been pondering how best to do this, and I have some ideas. What we all want is a magic box that you plug in ("bump on the wire"), and it makes your VPN stuff just work.

But I'd also like something that can do site-to-site VPNs. We just want "a box at each end". How best to do that too?

Pricing model

2x Rock Pi S with POE hats and cases are 106 USD. One of them has 1GB NAND flash (28 USD) and the other doesn't (19 USD). Both have radios and POE.

Hardware

Assume ethernet.

For a site-to-site you can use a single-port device I think, but 2-port is nicer. The single-port case uses VLANs to separate the traffic, unless your remote-clients live in the same subnet. That's actually a really nice setup, but it's a little more complex to manage.

If your router/gateway has a LAN2 port (thinking of Unifi gateways here), you can plug the "remote" port of the VPN appliance into that, so the router/gateway treats it as a separate LAN and should just work when it comes to routing.

For a road warrior setup, a 2-port device lets you have a clean "inside" and "outside" port separation. This assumes you'll proxy all your traffic via the "home" end.

DIY or off the shelf

For DIY I'd use a raspberry pi or similar. For off the shelf it looks like Microtik's RouterOS has it builtin, so that'd be a great option there.

Microtik

• Gigabit ports and actually in stock, $120 AUD: https://wisp.net.au/mikrotik-hex-s-rb760igs-5-gigabit-ethernet-sfp-256-mb-ram-usb-microsd-routeros-l4-ipsec.html

• 100Mb ports, $88 AUD: https://wisp.net.au/mikrotik-rb750upr2-hex-poe-lite-650mhz-64mb-5-lan-usb.html

• Above those prices, you find the Routerboard devices like this, $158 AUD: https://wisp.net.au/rb2011ils-in-1sfp-5fe-and-5gbe-includes-case-and-power-supply.html

DIY

Depends on how much traffic you want to handle, but gigabit is a good futureproof option if you can spend the dollars.

• An RPi 3B+ is about 60 AUD plus shipping. Can we do it cheaper? All we need is ethernet, and a decent amount of CPU grunt.

• Rock Pi S is $15 USD (about 20 AUD) plus shipping, only 100Mb ethernet and low power, 512MB RAM and no wireless 'cause it costs extra. https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-s?variant=29067635458150

  • Powered by USB-C 5V

• Rock Pi E is $35 USD (about 47 AUD) plus shipping, 1Gb + 100Mb ethernet, better CPU, 1GB RAM and has wifi 'cause it's only $3.50 extra. https://shop.allnetchina.cn/collections/frontpage/products/copy-of-rock-pi-e?variant=31974543392870

  • Powered by USB-C 5V

• The NanoPi R2S is comparable to the Rock Pi E: https://www.friendlyarm.com/index.php?route=product/product&product_id=282

The RK3328 in the Rock Pi E is about half as performant as the BCM2711 in the RPi4, but the board is way cheaper. I'd call it a win for this application. https://www.cpubenchmark.net/compare/Rockchip-RK3399-vs-BCM2711-vs-Rockchip-RK3328/3987vs4297vs4295

The Rock Pi S has an RK3308, and is probably even slower, but it's not made for speed. It's made for IOT stuff

Accessories:

• Rock Pi S has a convenient case: https://shop.allnetchina.cn/products/rock-pi-s-case?variant=31957891088486

• Rock Pi E passive heatsinks: https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-model-e-heat-sink-kit

There's also the RPi CM4-based solutions, like this one: https://www.dfrobot.com/product-2242.html - note that this is the carrier only, you still need to buy the CM4 itself as well.

PoE

POE is great, use it if you can. POE hats are nice, but a bit pricey; an alternative is a POE splitter.

• Micro-USB splitter, $21.55: https://core-electronics.com.au/poe-splitter-with-microusb-plug-isolated-12w-5v-2-4-amp.html

  • $25 at Jaycar
• USB-C is good for RPi4 and Rock Pi devices, various prices on Amazon and Ebay

  • $54 AUD for 2 of them, shipped: https://www.amazon.com.au/UCTRONICS-PoE-Splitter-USB-C-Compliant/dp/B087F4QCTR

  • $63 AUD for 2 of them now? How? Because it's via US site? https://www.amazon.com/gp/product/B087F4QCTR/

• Hats branded as DSLRKIT are also available and a bit cheaper. Needs research.

If you can get the POE hat cheaply that's the best way to go. It seems practical for the Rock Pi S, which has a 14 USD hat that also fits in the standard case. Converted price of $19 AUD is less than a POE splitter. Win!

https://shop.allnetchina.cn/products/rock-pi-s-poe-hat?variant=31847599931494

Config in RouterOS

• https://rickfreyconsulting.com/wireguard-site-to-site-vpn-example/

• https://help.mikrotik.com/docs/display/ROS/WireGuard

GPS NTP time server

Unrelated, but a good spot for it because it's a Rock Pi S inside: https://centerclick.com/ntp/