A handful of us are running AMD RX-427BB machines as hypervisors for this. Check out the HP T730 thin client or the DFI DT122-BE, they're both very capable little AMD machines that can easily host a pair of router VMs with lots of overhead to spare.
Initially I was just looking at a single firewall box, then I realized I could host a pair of firewall VMs on that box and do A/B upgrades without losing service. Then I thought I'd like to be able to take the hypervisor down for maintenance without losing service as well and it just spiraled from there.
I'm working on clustering a pair of these as Proxmox nodes with failover for a pair of pfSense VMs. My project goals are to be able to route/firewall 10GbE inside my network at (close to) line rate, route/firewall 1Gbps WAN, to be able to take down either of the clustered hypervisors for maintenance without losing routing, to be able to upgrade/reboot my A/B router VMs without losing routing, and to keep all of this running for under ~70-80W 24/7.
It's definitely a learning experience for someone who hasn't touched much of this before but I'm enjoying it. I haven't tested single thread openvpn performance but I imagine it's totally serviceable for phoning home and if you fired up 2-4 docker openvpn docker containers and used pfSense to form a gateway group I imagine you'd get at least 500Mbps throughput over the vpn, if not more. You could use openvpn from within the pfSense VM but I have a suspicion that running it natively on the linux hypervisor with more recent software will give better throughput.
If you're interested check out WANg's thread on the T730 here:
https://forums.servethehome.com/ind...ient-as-an-hp-microserver-gen7-upgrade.20454/
I don't know if we have a similar discussion thread for the DFI machine (it's basically a desktop mITX clone of the thin client) but the deal thread with other discussion for that machine is here:
https://forums.servethehome.com/ind...-pc-barebones-no-ram-99-110-bo-shipped.22009/
