Can someone take a look at my Notional Diagram...

Ihbond

Getting the hang of it
Joined
Dec 3, 2016
Messages
50
Reaction score
27
Well, I have been trying to read on OpenVPN Merlin (server), dedicated VPN server routers, VPN for noobs, even called Asus (heck, I got 3 different answers: can't be done, not supported, and can be done but not supported by their help desk).

I am either overcomplicating this, have the right idea, or am just confused as all hell. I am trying to learn about networking as best I can, and I am still learning... so sorry for the crude diagram. But I thought it would help paint the picture. If I need to clarify, by all means please ask!

Basically I have 2 rooms.
Room 1: Blue Iris Dell, Apple computer, Arris cable modem, 2 wall ports, and 8-port switch
Room 2: 2 wall ports, PoE, patch bay, 2 Asus routers RT-AC86U

I am trying to use Asus router #1 as a non-OpenVPN wireless router that gets DHCP from Comcast and access to the web for inside-home devices like tablet, phone, non-VPN WAN.

Comment: I want my wife to be able to access Netflix, Amazon, etc. (this might be an untrue concern I have about setting up an OpenVPN server), which is the reason I was thinking 2 routers. I don't want to piss money away, but thought a 2nd router was needed.

On Asus router #2 I am trying to set it up as an OpenVPN server on a separate subnet for the cameras, which I would like to access from within the house (by Fire Stick on TVs, tablets, and the Blue Iris Dell computer).
I would also like to access the cameras outside the house and Remote Desktop into the Dell computer (I did purchase the Blue Iris iOS application for iPhone and iPad).

Red lines on diagram (OpenVPN, different subnet than black lines)
Black lines on diagram (non-OpenVPN, default DHCP from Comcast)

Questions:
1) To view cameras externally outside my home I believe I need either a static IP address from Comcast, Asus DDNS, or ????
2) Is my wiring correct in the network diagram to achieve my intended goal?
3) Could I get away with one router, or are 2 needed?
4) What Asus configurations would I need to achieve this goal on 1 or 2 routers...

Thanks... any help appreciated...
 


tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,655
If you run a VPN server on your router, that router needs to be exposed to the internet. The simplest option is for this to be the internet-facing router; otherwise you'd have to forward ports to it or set up a DMZ.

Only 1 link (cable) between switches or you'll have problems. You aren't running equipment that can handle spanning tree. Yes, you are over-complicating this.

If you really want, there are options involving multiple routers, fancier routers, and managed switches. You can even put multiple NICs in your Blue Iris PC to isolate the cameras. I'm kind of confused as to what you think you'd gain from the setup in your diagram, which I would not attempt.
 

Ihbond

I was trying to cascade the routers. I wanted the first router to be the general WiFi and guest WiFi, and the 2nd router to handle the VPN server (including LAN and wireless) for the cameras and pass through the 1st router...
I would assume it would be similar to a subnet approach...
 

Ihbond

Thanks about the 1 link cable between switches...
Yea... I ended up leaving the first router as is.
On the 2nd router I used Google DNS 8.8.8.8.
And it worked... but not sure there are any advantages or extra security in what I am doing...

Still learning...

Yea... I am thinking I did overcomplicate this, so will just dive back to 1 router...

BTW, just playing around, since I had access to another 86U router... it's how I learn... or don't :)
 

tangent

Most WiFi routers can run multiple SSIDs and you can choose to isolate the guest network from the rest of your network easily.
 

SantiagoDraco

Getting the hang of it
Joined
Dec 8, 2017
Messages
130
Reaction score
51
I'm not an expert by any means but it looks to me like you will have lots of problems, such as with the 8-port switch which has two cables connected to the LAN ports of the first router. I believe this will result in a broadcast storm flooding your LAN unless they are isolated. As Tangent said, just one cable between switches.

I assume you feel this two-router approach gives you greater protection against attack from the outside... Well, the reality is that pretty much all systems that are Internet-facing are, ultimately, only as strong as the credentials protecting access. One router or two, if you use the same credentials for both then once one (i.e. the Internet-facing router) is compromised then the second router is as well and all bets are off.

Unless you are a pro at making complex networks work I'd suggest, as Tangent did, that you use one router and simply be sure you are using strong credentials. Hell, if you are really concerned you can use a router that supports 802.1X authentication and use certificates and eliminate passwords altogether.
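
The "one cable between switches" rule from the replies above, as an added example that is not part of any post in this thread: a Python check that flags which cables in a cabling plan close a layer-2 loop on equipment without spanning tree. The device names and the cable list are constructed from the thread's description and are assumptions, not values read from the diagram.

```python
# Added example: flag cables that close a layer-2 loop in a home cabling plan.
# Device names and the cable list are constructed for illustration.

def find_loop_cables(cables):
    """Return the cables that close a loop, in the order they are listed.

    Each cable is a (device_a, device_b) pair between bridged (switched)
    ports. A cable is redundant when both ends are already connected through
    earlier cables; without spanning tree, every such cable lets broadcast
    frames circulate indefinitely (a broadcast storm).
    """
    parent = {}

    def find(dev):
        # Union-find lookup with path halving.
        parent.setdefault(dev, dev)
        while parent[dev] != dev:
            parent[dev] = parent[parent[dev]]
            dev = parent[dev]
        return dev

    redundant = []
    for a, b in cables:
        root_a, root_b = find(a), find(b)
        if root_a == root_b:
            redundant.append((a, b))   # both ends already share a segment
        else:
            parent[root_a] = root_b    # merge the two segments
    return redundant


# Constructed plan: the 8-port switch has two runs to router 1's LAN ports.
AS_DRAWN = [
    ("router1-lan", "switch8"),     # wall port 1
    ("router1-lan", "switch8"),     # wall port 2: closes a loop
    ("switch8", "blueiris-pc"),
    ("switch8", "mac"),
    ("router1-lan", "poe-switch"),
    ("poe-switch", "camera1"),
]
# Same plan with the second run between the switch and the router removed.
FIXED = [c for i, c in enumerate(AS_DRAWN) if i != 1]

if __name__ == "__main__":
    for name, plan in (("as drawn", AS_DRAWN), ("fixed", FIXED)):
        loops = find_loop_cables(plan)
        print(f"{name}: {len(loops)} loop-forming cable(s) {loops}")
```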
 

Ihbond

Advice taken, and thanks folks...
Yea, I just heard some buzzwords, and thought I would try to see where it would take me and what I could learn.
I will keep the one router and use OpenVPN with 256 encryption and work on learning some basics first...
So, definitely crawling is the way to go... like the idea of certificates... might look into that as well...

Thanks
 