VPN Router integration & Bonding License for Peplink Balance One

My current setup is this. Peplink Balance One connected to a 48 port Unify Managed POE switch. I have 4 Ubiquity Access Points, 2 are the AC version and 2 are the HD version. My modems consist of 2 300/20 Mbps modems with Charter Spectrum. I have an R7000 w/ Tomato currently not in use. I plan on purchasing the R9000 AD7200 Netgear Nighthawk and installing DD-WRT so I can use a VPN such as Express or PIA.

First question. If I wanted to encrypt ALL traffic under the VPN would I plug in the Netgear AD7200 into the LAN port of the Peplink Balance One? Would I need to change settings to make the Peplink setup in drop mode? Or would I plug the AD7200 into the LAN port of my managed switch? Is there a pro or con to either method?

I don’t know how the configuration needs to be on the VPN router. Not sure if the VPN can work when the router is setup as an access point or if I have to cascade the router so that IP addresses are assigned. I am noob when it comes to networking and computers.

Second question is in regards to Bandwidth bonding. I want to obtain a super fast connection such as 600/40 since I have 2 300/20 modems. Previously both modems were set to 100/5 and on speed test i usually received 230/10. But now when I run speed test i usually never receive anything above 300 Mbps. However, the upload is usually hitting 40’s? Is there a way that I can obtain a license and would this create a true bandwidth bonding where I would achieve the crazy speeds of 600 Mbps download which is maximum throughout? I hate to plunk down $900 based on the misunderstanding that bonding only works with the VPN tunnel and when you have another Peplink router.

Thank you in advance for your insight, suggestions and patience.