How to set up a proper VPN network for home?

Hello! I need some guidance on how to properly set up my home network. I looked through topics on this forum and tried to google but didn’t find any good guide on this.
My current home setup.

  1. ISP provides a connection via coax
  2. Modem converts coax to ethernet
  3. Surf Soho MK3 connects to the modem (WAN)
  4. Home devices connected to the Surf Soho via ethernet/wifi. I have an unmanaged switch and an extra access point (which has the same wifi name as the router wifi).

In addition, I have a server in AWS. On this machine I’m running an OpenVPN server (without docker). I connected the Surf Soho to this VPN. I also connected multiple mobile devices to the same VPN server. The connection works and my traffic from devices inside the home network and from mobile phones goes through this VPN server.

Now I have a few things I want to achieve/check/improve.

  1. The main one. I want to be able to reach some home devices (computers, servers, printer) from mobile phones (on LTE). Right now it looks like they are in different subnets. Mobile phones have the same subnet as the router’s VPN WAN. But all home devices live in their own subnet. I don’t have a good direction or understanding of how to achieve this.
  2. I need to ensure this scheme is secure. I understand there is nothing 100% secure but I want to ensure I’m not making some basic mistakes with the VPN server which will lead to exposing my internal network to the whole world.
  3. Route traffic from some devices (or maybe for some protocols) through the VPN and from some through the regular WAN. For example, I don’t care about the TV going to Netflix without VPN. Another example is to route HTTP via VPN and HTTPS via WAN. This one is more or less clear to me. I can use an outbound policy and filter by source.
  4. Force all devices to use the DNS server (pihole) installed on my AWS machine.
  5. I have a separate guest wifi set to a separate VLAN which is used by my guests. That one should just give clients a connection to the internet and nothing else (no VPN, no access to devices). I think I should be able to use the outbound policy here.

Does anyone have a similar setup? Or maybe know how to do one of the points I mentioned.

I would also appreciate links or terms for googling, with educational materials. The problem here is that I have very basic knowledge of networking.

Thank you!

The OpenVPN client is very new to Peplink so not many people here have a lot of experience with it. As for point 1, I would think that could be solved by the router being the VPN server, rather than client. As for point 3, the official term for this is split tunneling. I don’t know if the Peplink OpenVPN client supports it.

Taking a step back, are you sure you want a VPN client on your only router? A case can be made for running the VPN client on a second router and not on the main one.

Hello Michael,

Thanks for info.

Taking a step back, are you sure you want a VPN client on your only router? A case can be made for running the VPN client on a second router and not on the main one.

Yes, I want to hide multiple devices behind it to hide my traffic from the ISP. Especially the non-encrypted traffic.
And this exact part works very well with the SOHO.
Plus, I want to connect mobile devices to the same VPN through the internet, but my ISP doesn’t give me a real IP (and I don’t really want one).

After more thinking I realized that I only need to join two networks: one under the VPN (where the router is one of the clients) and one behind the router.
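As an added example (not from this thread or from Peplink), here are the standard server-side OpenVPN directives that join those two networks: they make the home LAN behind the router client reachable from the phone clients and push the Pi-hole as DNS for point 4. The subnets, the client name surf-soho and the Pi-hole listening on the server’s tunnel address are assumptions, as is the assumption that the Peplink client forwards its LAN’s traffic into the tunnel without masquerading it.

```conf
# --- /etc/openvpn/server.conf (server side, on the AWS machine) ---
# Assumed addressing (placeholders, not taken from the post):
#   10.8.0.0/24       OpenVPN tunnel subnet (server takes 10.8.0.1)
#   192.168.50.0/24   home LAN behind the Surf SOHO
#   "surf-soho"       Common Name in the router's client certificate
server 10.8.0.0 255.255.255.0
topology subnet

# Let clients (phones, router) reach each other inside the daemon,
# so no extra kernel forwarding or NAT rules are needed on the server.
client-to-client

# Per-client overrides live in this directory, one file per certificate CN.
client-config-dir /etc/openvpn/ccd

# Tell the daemon that the home LAN is reachable through a client
# (which client is named in the ccd file below).
route 192.168.50.0 255.255.255.0

# Every client gets a route to the home LAN and the Pi-hole as its DNS.
# The Pi-hole is assumed to listen on the server's tunnel address.
push "route 192.168.50.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"

# --- /etc/openvpn/ccd/surf-soho (file named after the router's CN) ---
# iroute is the internal counterpart of "route": it binds the LAN prefix
# to this particular client session, so packets for 192.168.50.x are
# handed to the SOHO's tunnel instead of being dropped. Only this client
# may announce that prefix; a phone's certificate gets no such file.
iroute 192.168.50.0 255.255.255.0

# Optional: pin the router to a fixed tunnel address so that firewall
# rules on the server can refer to it.
ifconfig-push 10.8.0.10 255.255.255.0
```

Guest VLAN clients never get a tunnel certificate, so nothing here applies to them; keeping them off the VPN is still the router’s outbound policy job.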