By default , the asus router has a feature that allows VPN passthrough,
View attachment 18069
with that being said, I would recommend using the RT-AC3100 for the VPN, and the AC68U as main router.
You would place them both in router mode, On the first router you would give the 2nd router (VPN router) a Static IP on your network using manual assignment.
View attachment 18070
Let us call the primary router 192.168.1.1 for simplicity. (you would connect lan port on router 1 to wan port on router 2)
The second router can be given the IP of 192.168.1.2 on your static manual assignment. This will show up as the WAN IP on the second router as well.. The second router will then be given it's own built in IP's from a pool of IP's let us call this 192.168.2.1. The only down side to this is that all devices on 192.168.2.1 will be able to communicate to 192.168.1.1, but none of the devices on 192.168.1.1 will be able to talk to devices on 192.168.2.1.
you can resolve this issue with static route on router 1
View attachment 18071
now you can ping devices on router 2.
You can then setup VPN on router 2
View attachment 18072
Note: you may have to take additional steps to setup the VPN the way you want as well there may be additional requirements you want to do to configure router settings on both routers to your preferred liking.
This is just the basic's on the bare minimum to do it. Note some router features that may have issues created in this double Nat setup- and may require special configuring on your part, fortunately you are at a Great forum for asking for help and using the search engine.
cheers!
Updated: you could also simply just run VPN off of the main router and skip the double Nat situation and run the second router only as an access point.. there are
benefits to both methods, but only the top method has any cons that you need work arounds for.