For those of us who know just enough networking to be dangerous (I understand basic TCP/IP addressing, setting up a home network, NAT, etc.): is this mostly just to allow all traffic from your home machines to be hitting the 'net from ovpn.sonic.net, rather than someIP@att.net, and to be routed through sonic's pipes, instead of at&t's pipes to the next peering partner? I get the privacy features - your real IP is hidden.
Yes, but additionally, your traffic is encrypted over ATT's network (the main motivator for this). So as soon as your net traffic leaves your computer, it's encrypted, meaning ATT et al. cannot see it. Once it hits Sonic's VPN, the traffic is decrypted and routed where it needs to go (note HTTPS traffic would still be encrypted between the VPN endpoint and the destination - we couldn't decrypt the contents since the SSL/TLS handshake took place between your computer and the remote server).
I have torguard BT proxy + VPN service and have used it at times to make it appear an individual machine is originating elsewhere (for location-based reasons). I am guessing this is similar, except you don't get to pick your exit node (it's always sonic.net in CA), but it's free with sonic service. Does the Pace modem support this, or do I need a custom router? Can this work together with torguard's bittorrent proxy?
Right, you don't get any choice of where your traffic appears to come from. The goal is more privacy than being able to appear to come from a particular region or location. Pace modems don't have OpenVPN built in; you can either run the software on your computer, or buy a router that does support it and bridge the modem to your router. Note: I have FTTN x2 and it was pretty easy to bridge the connection. Running the software on a computer only encrypts traffic for that machine; running it on a router can force it for everything.
Does it allow for a reverse-connection? That is, can I ssh to ovpn.sonic.net (or similar) with my sonic userid/password and have it connect back to my modem, which is set up to forward port 21 back to my main linux desktop (hosts.allow/hosts.deny configured to only allow connections from a few domains - I would add sonic.net)? That's the main thing I'd like to add to my setup. I'm pretty sure torguard vpn can do that, but then I need to have some kind of dyn-dns service, whereas with sonic, wouldn't they know my "current" ip and can just forward it there?
Yes. You wouldn't ssh to ovpn.sonic.net but to the IP your VPN client gets assigned. For this reason, if you connect to the VPN using software on your PC, you should make sure your firewall rules are sufficient. Connecting from your computer opens you up to the internet just like plugging your PC directly into a modem and getting a WAN IP on your PC. If your router handles the connection, you're still firewalled and would need to set up port forwards to allow traffic from the VPN through to a service.
Hope that helps, let me know if you have any further questions.
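
The firewall point in the last answer, as an added example that is not part of the original thread: a Python check that reads `ss -H -tln` output and reports which TCP listeners would answer on the address the VPN client was assigned. The sample output is constructed, and `203.0.113.45` is a documentation address standing in for the assigned IP.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      511      192.168.1.10:8080     0.0.0.0:*
LISTEN 0      128      203.0.113.45:5900     0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      128            [::1]:631          [::]:*
"""

# Binds that accept connections on every local address, including the VPN one.
WILDCARDS = {"*", "0.0.0.0", "::"}


def parse_listeners(ss_output):
    """Yield (host, port) for each LISTEN line of `ss -H -tln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        yield host, int(port)


def reachable_over_vpn(ss_output, vpn_ip):
    """Return sorted ports that are listening on the VPN-assigned address."""
    vpn = ipaddress.ip_address(vpn_ip)
    ports = set()
    for host, port in parse_listeners(ss_output):
        if host in WILDCARDS or ipaddress.ip_address(host) == vpn:
            ports.add(port)
    return sorted(ports)


if __name__ == "__main__":
    # Assumed assigned address; substitute the one shown on the tunnel interface.
    for port in reachable_over_vpn(SAMPLE_SS, "203.0.113.45"):
        print(f"tcp/{port} is listening on the VPN address; check the firewall")
```

Each port it reports needs a host firewall rule that either allows it deliberately or drops it on the tunnel interface; services bound only to loopback or the LAN address are not reported.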