Wireless Repeater (non bridge) mode with VPN and Subnet capabilities?

Looking for help on how to wirelessly connect two routers similar to repeater bridge mode, but maintaining features like VPN and subnet on secondary router. So maybe this is called just a repeater? In Asus-Merlin seem to only have Repeater mode, which seems like is actually Repeater Bridge mode.

Primary router1 is TPLink AC4000
Secondary router2 is ASUS-Merlin 386.3_2 (ASUS RT86U).

I am trying to setup router2 as a secondary router wirelessly connected to the primary router1, but still operating in normal mode--in other words secondary router2 creates it's own subnet and can use VPN etc. The goal is to have some devices only connect to the secondary router and use its VPN, and the routers are connected wirelessly.

When I use a wired connection between routers everything is fine, secondary router has its own subnet and can use VPN, the operation mode is set to "Wireless router mode (default)", and I can turn off the Wireless radio so basically have all wired connections like this:

Primary Router1-->=====wired======-->Router2 (non-bridge)---> ==== LAN Cable to clients

Want to replace the wired connection between routers 1 and 2 with a wireless connection like this:

Primary Router1-->)))-----wireless-----(((-->Router2 (non-bridge)---> ==== LAN Cable to clients

The problem is when switch secondary router 2 to "Repeater" mode, lose all capability to VPN and have separate subnet. Is there a modified repeater mode that can use to just replace the wired connection from router2 WAN to router 1?

I have done this with several dd-wrt routers, simply put into Repeater mode and do not create a wireless virtual access point. In dd-wrt have option for Repeater or Repeater Bridge mode. In Merlin it seems like only have the Repeater Bridge mode?

On Asus-Merlin Repeater mode:

1) Is there anyway to utilize VPN in repeater Mode?
When switch to repeater mode, lose all VPN capability--not even an option. OpenVPN works fine on dd-wrt routers in repeater (non-bridge) mode and with or without wireless subnet Virtual Access Point (VAP) interface. If not possible with current Merlin release how would I recommend this to developer?

2) Repeater Mode, can turn Wireless broadcast off?
Looking for routers to be connected wirelessly, but then direct cable connection behind repeater from LAN side and turn wireless broadcast off, so wireless is only used for connection to primary router, is this possible? I think this is just repeater (non-bridge) mode but this is the setup looking for:

Primary Router1-->)))-----wireless-----(((-->Repeater (non-bridge) Router2---> ==== LAN Cable to clients

As always thank you so much to the forum!


