Speed, in terms of bandwidth and latency. I consistently get slower speeds using a VPN. Granted, I'm using Google Fiber so I have symmetric gigabit, but there is a downside to it, depending on your use case.
I'm in the same boat as well. I'm not in the US but I do have symmetric gigabit as well. I've been using EC2/DO boxes to setup VPNs for me, but they hardly ever come close to my home speed.
This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.
You're also only guaranteed gigabit speeds on the higher tier instances. I'd be interested in what you get using iperf3 between EC2 and your home connection.
Tried them out yesterday and they give about 10% of my Internet speed on any server. So my 400 Mpbs connection slowed down to 40 Mbps, which is a pretty rough drop. And I haven't been able to find an OpenVPN connection that could handle more than that 40 Mbps.
PIA is cool because it works seemlessly with your phone as well. It used to be you had to have some special access to get it to work with a provider like Verizon, but it works flawlessly now.
It's a legitimate point to consider. I've set up my home router with Tomato by Shibby, which allows routing all traffic over a VPN link. I was finding the router couldn't keep up with a 50 Mbps link. Granted, these routers aren't designed with that use case in mind. But, running a VPN link all the time on mobile devices kills battery very quickly, so setting up the link on the router is preferable. Consequently, I don't route all traffic over the VPN, which is suboptimal.
I put a 2nd router behind my regular router and switch the gateway, on devices I want to use the VPN, to this 2nd router.
Benefits:
1. allow devices to use non-vpn friendly sites
2. Keeps everyone on the same subnet so the VPN is not in the way for local file transfers.
3. main router not overburdened by VPN software
Tomato allows selective routing, both by destination and by device, so that's helpful. Your setup definitely avoids some of the overhead mine has. But, really, I'd just like the little ARM processor in my R7000 to be able to keep up so I can saturate my link. I'm not familiar with ARM's ISA all that much, but it seems an AES-NI equivalent would be really nice to have.
This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.