Turris Omnia is supposedly one of these routers. I have their old model from a few years back, and it's been serving quite well for all my needs. The OS is their custom version of OpenWRT, and you can do stuff like LXC, Wireguard and all that quite easily.
The only problem is the ARMv7 hardware, which doesn't really cut it with modern Internet speeds anymore, especially with Wireguard.
That said, I can't wait for pfSense and opnSense finally support Wireguard. And pihole should finally get a FreeBSD version. I'd much more prefer the sense systems over the wrt, but the time is not yet here.
I think the big motivation for the Omnia is the Turris project, not open source per se. Security threat analysis and automatic updates from the nonprofit organization that runs the Czech DNS registrar. LXC, Wireguard, and the customization options from the mini-PCIe slots are a bit of a bonus.
The Omnia doesn’t have great OpenWRT upstream support, and the wireless performance sucks. 2GB of RAM seems enormous for a router, but when I put a medium-size number of clients on it (100-ish), its security monitoring features overran the memory and oom-killed essential services. Fortunately, that can be turned off.
And the Turris project seems to be retreating from modern Internet speeds. The Omnia can’t keep up with 1Gb full-duplex fiber, but they’ve moved onto their next product: The MOX/Shield is even slower. (1.6 GHz CPU vs 1.0 GHz CPU)
I have recently (one week ago) found out that MOX can easily route (and maybe even NAT) 2.5gbps with just about 50% of CPU usage, via the XDP framework. Unfortunately it is not easy to get XDP to endusers.
For me the interesting part on MOX is modularity. You can have 24 switched ethernet ports, which is interesting for network admins at least.
…So it can route 2.5 Gbps, by cutting out Linux’s entire networking stack and rebuilding the minimum necessary in eBPF. Not slowed down by NAT or TC yet.
How do you do the I/O? As I understand the MOX, it has one SGMII interface for the built-in 1G Ethernet port, SDIO and PCIe for the WiFi interfaces, and a single 2.5 Gbps SGMII interface to the rest of the Ethernet ports. To get 24 ports, you connect 8-port modules together via their 2.5 Gbps SGMII interfaces.
Seems like the I/O should be enough for 1 Gbps full-duplex, which is enough for a home router with a gigabit Internet connection, but it can’t do 2 Gbps full-duplex.
Not when running Wireguard client in it. Without I get 1 Gbps, but when having Wireguard on, we peak at 300 Mbps, loads between 3 to 5 and the CPU temperature goes above 100 degrees.
I put the system now to a spot where it kind of has lots of air around, so the temps peak only around 95 degrees now, but the loads are still crazy.
The only problem is the ARMv7 hardware, which doesn't really cut it with modern Internet speeds anymore, especially with Wireguard.
That said, I can't wait for pfSense and opnSense finally support Wireguard. And pihole should finally get a FreeBSD version. I'd much more prefer the sense systems over the wrt, but the time is not yet here.