Pfsense has an openvpn server and client built in. Also if you are using site-to-site ipsec vpns it can be useful. I think it will also use the extensions if you run a web proxy to inspect tls traffic. If you just use it for a nat gateway, then you don’t need aes-ni or even most of the features Pfsense provides.
/usr/lib or /usr/lib64 or /lib (some distros) or /lib64
Some things (like hosts file) are in /etc. /etc mostly contains configs.