I've been pondering how best to do this, and I have some ideas. What we all want is a magic box that you plug in ("bump on the wire"), and it makes your VPN stuff just work.

But I'd also like something that can do site-to-site VPNs. We just want "a box at each end". How best to do that too?

Hardware

Assume ethernet.

For a site-to-site you can use a single-port device I think, but 2-port is nicer. The single-port case uses VLANs to separate the traffic, unless your remote-clients live in the same subnet. That's actually a really nice setup, but it's a little more complex to manage.

If your router/gateway has a LAN2 port (thinking of Unifi gateways here), you can plug the "remote" port of the VPN appliance into that, so the router/gateway treats it as a separate LAN and should just work when it comes to routing.

For a road warrior setup, a 2-port device lets you have a clean "inside" and "outside" port separation. This assumes you'll proxy all your traffic via the "home" end.

DIY or off the shelf

For DIY I'd use a raspberry pi or similar. For off the shelf it looks like Microtik's RouterOS has it builtin, so that'd be a great option there.

Microtik

• Gigabit ports and actually in stock, $120 AUD: https://wisp.net.au/mikrotik-hex-s-rb760igs-5-gigabit-ethernet-sfp-256-mb-ram-usb-microsd-routeros-l4-ipsec.html

• 100Mb ports, $88 AUD: https://wisp.net.au/mikrotik-rb750upr2-hex-poe-lite-650mhz-64mb-5-lan-usb.html

• Above those prices, you find the Routerboard devices like this, $158 AUD: https://wisp.net.au/rb2011ils-in-1sfp-5fe-and-5gbe-includes-case-and-power-supply.html

DIY

Depends on how much traffic you want to handle, but gigabit is a good futureproof option if you can spend the dollars.

• An RPi 3B+ is about 60 AUD plus shipping. Can we do it cheaper? All we need is ethernet, and a decent amount of CPU grunt.

• Rock Pi S is $15 USD (about 20 AUD) plus shipping, only 100Mb ethernet and low power, 512MB RAM and no wireless 'cause it costs extra. https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-s?variant=29067635458150

  • Powered by USB-C 5V

• Rock Pi E is $35 USD (about 47 AUD) plus shipping, 1Gb + 100Mb ethernet, better CPU, 1GB RAM and has wifi 'cause it's only $3.50 extra. https://shop.allnetchina.cn/collections/frontpage/products/copy-of-rock-pi-e?variant=31974543392870

  • Powered by USB-C 5V

The RK3328 in the Rock Pi E is about half as performant as the BCM2711 in the RPi4, but the board is way cheaper. I'd call it a win for this application. https://www.cpubenchmark.net/compare/Rockchip-RK3399-vs-BCM2711-vs-Rockchip-RK3328/3987vs4297vs4295

The Rock Pi S has an RK3308, and is probably even slower, but it's not made for speed. It's made for IOT stuff

Accessories:

• Rock Pi S has a convenient case: https://shop.allnetchina.cn/products/rock-pi-s-case?variant=31957891088486

• Rock Pi E passive heatsinks: https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-model-e-heat-sink-kit

There's also the RPi CM4-based solutions, like this one: https://www.dfrobot.com/product-2242.html - note that this is the carrier only, you still need to buy the CM4 itself as well.

Config in RouterOS

• https://rickfreyconsulting.com/wireguard-site-to-site-vpn-example/

• https://help.mikrotik.com/docs/display/ROS/WireGuard

GPS NTP time server

Unrelated, but a good spot for it because it's a Rock Pi S inside: https://centerclick.com/ntp/