https://medium.com/avenum-technology-blog/benchmarking-pppoe-connections-with-openwrt-and-opnsense-f5fe6c30b70 among others are why I mentioned OpenWRT. Academic given you've the same box doing termination, firewall and VPN concentrator so configuration somewhat complex but thought I should explain.
That's really interesting, but as you pointed out I really wouldn't fancy trying to replicate this configuration on OpenWRT, even if I do prefer Linux. Honestly that Atom is 10 years old and was a weak CPU even at the time, I'm kinda shocked OpenWRT was able to perform so well.
I'm actually testing out moving a couple of my OpenVPN instances over to Wireguard. Unfortunately there seems no easy way to specify what WAN to use with Wireguard, or I'd probably switch them all over. From what I can gather Wireguard is much more fault tolerant down to less overhead and assuming the link is always up, so a little bit of packet loss wont bring the link down restarting the firewall like OpwnVPN does.
Oh one thing about OpenWRT vs pfSense/OPNsense, the power management seems awful in FreeBSD.
I have a newer appliance (i5-8250U) that I was considering as a replacement for the current one (just in case) but it clocks at 1.6Ghz vs boosting to 3.2Ghz on Linux, as FreeBSD seems to be ignoring that the TDP is unlocked and sticks to the default. PowerD behaves oddly even on the 7200U, I ended up disabling it and letting it lock to 2.4Ghz.
