Or just buy a Mikrotik device, something like a HAP lite[0] can be had for much less than a Raspberry Pi + SDcard nowadays. With RouterOS 7 it supports Wireguard and Zerotier out of the box, and you can still even setup OpenVPN or L2TP/IPsec if that's your thing. With any luck you can even replace your ISP router completely and have much better control over your firewall and home network settings.
I'm just waiting for container/Docker support to be rolled out again so I can delegate some other tasks that currently run on Raspi's (like MQTT, metrics buffering, IoT, etc).
It appears that the HAP Lite uses a MIPS-based architecture, how quickly do VPNs run on it? When I was working on routers about a decade ago that was a major pain point, it would essentially limit OpenVPN connections to about 6 or 7mbps with a maxed out CPU running at a similar clock speed.
Zerotier maxes out based on the model since it's single core. On a ac3 around 20Mbps is the cap. With wireguard I max out at 300Mbps. I can't test openvpn since mikrotik doesn't support tls auth. IPsec was always my given linespeed.
Beware that you need fasttrack exclusion rules (via connection mark e.g.) for each vpn interface except zerotier.
I'm just waiting for container/Docker support to be rolled out again so I can delegate some other tasks that currently run on Raspi's (like MQTT, metrics buffering, IoT, etc).
[0] https://mikrotik.com/product/RB941-2nD