IIRC some ISPs need to keep your IP for a specific time.
In some countries it is required by law.
I’ve worked with EdgeRouter (Ubiquiti products) before and they are actually quite capable out of the box. You could run OpenVPN (or even WireGuard) on it… but the dual-core CPU sucks and probably doesn’t even have accelerated AES instructions (to speed up encryption/decryption).
One option would be offloading the encryption (https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading), but that involves a lot of manual setup; you would need familiarity with the Linux CLI.
You can absolutely use a second router for the VPN… I used to do this. I used an old Netgear router (I flashed it with DD-WRT) and had the Netgear router connect via WiFi to my home DSL router downstairs. This boosted my WiFi (2.4GHz “G” at the time) connection upstairs (as I connected my devices to the Netgear’s WiFi, which was connected to the DSL via WiFi). I also set up a VPN on that Netgear router and I never had any issues (although I had to manually assign route IPs). This was well over 5 years ago though. My point is, it should work without issue.
I have an OPNsense firewall. It builds the VPN tunnel to my provider but doesn’t pull routes.
In addition, my open WiFi is mapped to a specific VLAN. My OPNsense is the default gateway for all clients in there. Internet-facing traffic is routed (source/policy-based routing) into the VPN tunnel. The nice thing: towards the clients the whole VPN routing thingy is transparent. And because of this setup there can’t be any leaks.
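The setup in the post above (tunnel up, no routes pulled, a VLAN whose internet-bound traffic is policy-routed into the tunnel), sketched as an added pf illustration; this is not the poster's OPNsense configuration, which would be built in the GUI, and the interface names vlan10, vpn0 and em0 and the tunnel gateway 10.8.0.1 are assumptions.

```pf
# Added illustration of policy-based routing into a VPN tunnel (pf syntax).
# Assumed names: em0 = WAN, vlan10 = the open-WiFi VLAN, vpn0 = the tunnel
# interface (client configured not to pull routes), 10.8.0.1 = far end of the tunnel.
ext_if  = "em0"
vlan_if = "vlan10"
vpn_if  = "vpn0"
vpn_gw  = "10.8.0.1"

# RFC 1918 space: traffic to these stays local and is never sent into the tunnel.
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Source NAT the VLAN clients behind the tunnel address the provider assigned.
nat on $vpn_if from $vlan_if:network to any -> ($vpn_if)

block log all

# Clients may reach DHCP and DNS on the VLAN gateway address (the firewall).
pass in quick on $vlan_if proto { tcp udp } from $vlan_if:network to ($vlan_if) port { 53 67 }

# Internet-bound traffic from the VLAN is forced into the tunnel by route-to,
# regardless of the system routing table, whose default route still points at WAN.
pass in quick on $vlan_if from $vlan_if:network to ! <private> route-to ($vpn_if $vpn_gw) keep state

# Nothing from the VLAN may leave via WAN directly. If the tunnel is down the
# packets are dropped here instead of falling back to the default route.
block out quick on $ext_if from $vlan_if:network

# The tunnel interface carries the policy-routed traffic; WAN carries only
# the firewall's own traffic (including the tunnel's outer packets).
pass out quick on $vpn_if keep state
pass out quick on $ext_if from ($ext_if) keep state
```

Note that the firewall's own resolver queries originate from the firewall, not the VLAN, so with this ruleset they still leave via WAN; forwarding DNS through the tunnel is a separate rule.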