What hardware to buy for OpenVPN router in 2020

This article has been last updated on July 28, 2020

At TekLager we sell a lot of open source hardware. Many of our customers value privacy and are fans of various VPN services that protect their identity online. One frequent question we get is "Which router should I buy for VPN?"

Here are our thoughts and recommendations.

OpenVPN router hardware requirements

The most important thing is to buy hardware powerful enough to handle your internet connection without hiccups. There's nothing as frustrating as having a slow, flakey internet connection.

The most important hardware component for VPN speed is CPU. OpenVPN heavily depends on the CPU for encryption/decryption of traffic. Other components such as memory, network interfaces or disk are far less important.

Here's a checklist for choosing VPN hardware

CPU must support AES-NI
OpenVPN software is unable to utilize multi-core CPUs. Make sure the single-thread performance of your CPU is powerful enough to encrypt/decrypt your internet traffic in real time.
RAM - you must have enough memory for the number of connections you want to maintain. 1GB is a reasonable minimum.
Disk - OpenVPN doesn't require much space. 4GB should be enough for the system and logs. If you intend to keep logs for a long time, you may consider a larger disk.
NICs - if you want to use pfSense, choose network interfaces from Intel. pfSense still doesn't perform great with Realtec Network Interfaces.

Why is AES-NI important for VPN?

AES-NI (AES New Instructions) is a new encryption instruction set, baked right into CPU that dramatically speeds up cryptography tasks such as encryption/decryption for VPN or SSL. AES-NI was initially developed by Intel, but most modern AMD CPUs also support it now.

If you are looking for VPN hardware in 2020, you must be careful to avoid the low-end CPUs such as Intel J1900 or J1800 that don't support native entryption.

All hardware sold by TekLager has AES-NI support and Intel NICs.

Which router Operating System should I use for OpenVPN

Some weeks ago we have written a general comparison of router operating systems, but it didn't mention VPN performance.

There are two major groups of operating systems.

BSD-based: pfSense, OPNsense, etc
Linux-based: OpenWRT, IPFire

All of these systems work well with OpenVPN. pfSense and OPNSense are easier to set up and administer. OpenWRT is a little harder to set up (you must use command line), but it's about 40% more performant.

We recommend pfSense and OpenWRT.

OpenVPN hardware appliance recommendations

APU2D0: Entry-level OpenVPN box

APU is a well known, reliable hardware manufactured by Swiss company PC Engines. APU2, APU3, and APU4 routers are the most popular hardware firewalls we sell at TekLager. There are few versions of APU, starting at entry-level APU2D0, to the latest version of APU4C4.

This is the cheapest dual NIC OpenVPN router we sell but don't be deceived, it's a very capable hardware appliance for home or small office.

Tip: in most applications, this box will perform just as well as the more expensive versions.

APU2.D0 router specification

CPU	4 core, 1.0 GHz (1.4GHz boost) AMD GX-412TC (with AES-NI)
RAM	2GB DDR3-1333 DRAM (option with 4GB ECC available)
NICs	2x Gigabit Intel i211AT (Option with 3 and 4 ports available)
Storage	16GB mSata SSD (300MB/s)
Cooling	Passive, fanless cooling.
Power	6-10W - very low power consumption

Operating system performance comparison
	pfSense	OpenWRT
Routing	750Mbit / 1Gbit	1 Gbit / 1 Gbit
OpenVPN throughput	100 Mbit/s	145 Mbit/s
WireGuard VPN throughput	(not supported yet)	650 Mbit/s

Our favorite thing about APU routers is that they are 100% silent, cheap, powerful enough and super reliable.

This box is going to satisfy most of the small office or home users. It's powerful enough to route gigabit traffic and between 100-145Mbit/s over VPN.

( about $180 USD)

APU4.C4 OpenVPN router (most popular)

For those who would like to have a bit more memory, or LAN ports we recommend APU4.C4, which is one step up from APU2D0.

It comes with 4GB of ECC RAM, and 4x Gigabit LAN ports.

APU4.C4 router specification

CPU	4 core, 1.0 GHz (1.4GHz boost) AMD GX-412TC (with AES-NI)
RAM	4GB DDR3-1333 ECC DRAM
NICs	4 x Gigabit Intel i211AT
Storage	16GB mSata SSD (300MB/s)
Cooling	Passive, fanless cooling.
Power	6-10W - very low power consumption

Operating system performance comparison
	pfSense	OpenWRT
Routing	750Mbit / 1Gbit	1 Gbit / 1 Gbit
OpenVPN throughput	100 Mbit/s	145 Mbit/s
WireGuard VPN throughput	(not supported yet)	650 Mbit/s

This router has the same CPU as APU2D0, so it will perform identically when used with OpenVPN.

This configuration is very popular. 4 GB of RAM gives you plenty of space to install additional software packages. Additionally, APU4 comes with a serial-to-USB cable and a wall-mount.

( about $250 USD)

TLSense i7 - the gigabit OpenVPN router

TLSense i7 is a really powerful router.

TLSense series is built do deliver very high OpenVPN and IPSec performance. This hardware is most often purchased by customers who have a Gigabit internet connection and want to utilize it over high-throughput OpenVPN connection.

It's also great if you plan to use IDS/IPS packages such as Suricata or Snort for Intrusion Detection and Prevention.

It has a powerful Intel i7 CPU, 8GB of RAM, and 60GB SSD. It comes with 4 Gigabit Intel LAN ports and an HDMI port, so you don't need a serial cable.

CPU	Intel Core i7 Dual Core, 4 threads, 4M Cache, Up To 3.1GHz.
RAM	8GB DDR3-1333/1600 DRAM ( 16 GB option available )
NICs	4 x Gigabit Intel i211AT ( 6 port version available )
Storage	60GB mSata SSD (300MB/s)
Cooling	Passive, fanless cooling.
Power	15W - very low power consumption

Operating system performance comparison
	pfSense	OpenWRT
Routing	1 Gbit / 1 Gbit	1 Gbit / 1 Gbit
OpenVPN throughput	800 Mbit/s - 1 Gbit/s	800 Mbit/s - 1 Gbit/s
WireGuard VPN throughput	(not supported yet)	1 Gbit/s

( about $515 USD)