
VPN Setup - Client and Host

    In the "Office" in Spain I want to set up a VPN with the "Office" in the UK so that for all intents and purposes Spain and the UK are presenting the same public facing IP. I want to configure this at the router level in Spain so that anything attached to it automatically comes through to the UK, ideally so the LANs can see each other freely, as the main idea is to RDP to a server in the UK and then use that to pay HMRC etc., as I am worried about the signal dropping out as we are halfway up a mountain in the Sierra Nevada. If an RDP session drops, no biggie; if a browser session drops while I am in the middle of paying Hector, biggie!!

    In Spain I am hoping to use an Asustek TR-AC66U router to connect back to the UK, but what is the best software to host the VPN server? Ideally I would like to also connect my MacBook Pro/iOS devices while I am on the road, as well as the Spanish router, so I can use Time Machine when I am away from the office.

    Firstly, is this possible (I assume so)? Secondly, what is the best way to approach it?
    Originally posted by Stevie Wonder Boy
    I can't see any way to do it can you please advise?

    I want my account deleted and all of my information removed, I want to invoke my right to be forgotten.

    #2
    Not sure you can have the same public facing IP on both routers but you can certainly get a VPN between two sites.

    I prefer to use OpenVPN running on a server or individual PC and punch holes through the firewalls on the routers rather than use IPSec or other VPN facilities on routers directly as I've found the latter unreliable over mobile / 3G connections and suchlike and I think home class routers often aren't up to the job in terms of CPU/memory etc. I've used this to allow myself to VPN back home from all over the place.

    I've always gone with static routing, so basically, set up a host in wherever that communicates via the VPN tunnel to a host in the UK (that's one subnet), configure both hosts to route traffic between the VPN subnet and their local LAN subnets and then set up suitable static routes on the routers at both ends to tell them the local VPN host is a gateway to the LAN subnet at the other end of the pipe. You can also run the Open VPN client on a host PC and connect directly to the VPN in the case that you only need a single client, it's almost the same setup but the routing is a bit simpler.

    You can of course set up a direct router-router IPSec or SSL tunnel between two sites but as I say home class routers seem to struggle a bit with this so you might have to spend a bit of cash to get a reliable solution.
    Last edited by doodab; 21 February 2014, 17:25.
    While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'
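
The static-routing layout doodab describes above, as an added example that is not part of the original thread: a small Python planner that rejects overlapping subnets, then lists the static route each site router needs and the OpenVPN routing directives for the server side. The subnets, host addresses, site dict shape and the `plan_site_to_site` name are assumptions made up for illustration.

```python
import ipaddress
from itertools import combinations

def mask(net):
    """OpenVPN writes networks as 'address netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"

def plan_site_to_site(vpn_subnet, server_site, client_site):
    """Plan routing for two LANs joined by a routed OpenVPN tunnel.

    Each site dict (hypothetical shape) has 'name', 'lan' and 'vpn_host',
    the LAN address of the machine running OpenVPN at that site.
    Raises ValueError if the addressing plan cannot be routed.
    """
    nets = {"vpn": ipaddress.ip_network(vpn_subnet)}
    for site in (server_site, client_site):
        lan = ipaddress.ip_network(site["lan"])
        if ipaddress.ip_address(site["vpn_host"]) not in lan:
            raise ValueError(f"{site['name']}: VPN host is not on its own LAN")
        nets[site["name"]] = lan
    # Two sites on the same subnet (e.g. both on a router default) cannot
    # be told apart by routing; one side has to be renumbered first.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            raise ValueError(f"{a} {net_a} overlaps {b} {net_b}")
    s_lan, c_lan = nets[server_site["name"]], nets[client_site["name"]]
    return {
        # Static route for each site's router: (remote LAN, local VPN host).
        "router_routes": {
            server_site["name"]: [(str(c_lan), server_site["vpn_host"])],
            client_site["name"]: [(str(s_lan), client_site["vpn_host"])],
        },
        # Routing lines for the OpenVPN server config.
        "server_conf": [
            f"server {mask(nets['vpn'])}",
            "client-config-dir ccd",
            f"route {mask(c_lan)}",
            f'push "route {mask(s_lan)}"',
        ],
        # Goes in the ccd file named after the client site's certificate CN.
        "ccd_entry": [f"iroute {mask(c_lan)}"],
    }

# Constructed addressing plan; both VPN hosts also need IP forwarding enabled.
UK = {"name": "uk", "lan": "192.168.10.0/24", "vpn_host": "192.168.10.5"}
SPAIN = {"name": "spain", "lan": "192.168.20.0/24", "vpn_host": "192.168.20.5"}
PLAN = plan_site_to_site("10.8.0.0/24", UK, SPAIN)
```

The overlap check matters in practice because two offices left on the same router-default subnet cannot be routed to each other until one side is renumbered.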

      #3
      Originally posted by doodab
      Not sure you can have the same public facing IP on both routers but you can certainly get a VPN between two sites.

      I prefer to use OpenVPN running on a server or individual PC and punch holes through the firewalls on the routers rather than use IPSec or other VPN facilities on routers directly as I've found the latter unreliable over mobile / 3G connections and suchlike and I think home class routers often aren't up to the job in terms of CPU/memory etc. I've used this to allow myself to VPN back home from all over the place.

      I've always gone with static routing, so basically, set up a host in wherever that communicates via the VPN tunnel to a host in the UK (that's one subnet), configure both hosts to route traffic between the VPN subnet and their local LAN subnets and then set up suitable static routes on the routers at both ends to tell them the local VPN host is a gateway to the LAN subnet at the other end of the pipe. You can also run the Open VPN client on a host PC and connect directly to the VPN in the case that you only need a single client, it's almost the same setup but the routing is a bit simpler.

      You can of course set up a direct router-router IPSec or SSL tunnel between two sites but as I say home class routers seem to struggle a bit with this so you might have to spend a bit of cash to get a reliable solution.
      I'm not averse to spending money on a business class setup if needed. I know I can do host to client on each machine but I was looking for something a bit more hardcore; ideally I don't want anyone to know the "other" office is outside the UK no matter what device is attached to it.

        #4
        Originally posted by SimonMac
        I'm not averse to spending money on a business class setup if needed. I know I can do host to client on each machine but I was looking for something a bit more hardcore; ideally I don't want anyone to know the "other" office is outside the UK no matter what device is attached to it.
        You need to have a look at routers that will do a reliable site to site VPN then. I don't know about the Asustek ones, they might be fine but I found various netgears and linksys I tried just didn't handle the site to site IPSec VPN well at all. Draytek ones seem to have a good rep but I've not actually tried them myself. As I say gave up on IPSec and went with OpenVPN (which is free) running on a couple of PCs and it was rock solid. Client co use it as well, though I'm not sure that's much of an endorsement

        If you want useful Cisco or similar kit you're looking at quite an outlay, so I'd probably avoid that. I did get a couple of cheap second hand ciscos working in a lab setup but they were old ones that would only support 8mb DSL cards and no wireless, and they are relatively complex to set up (and I say that having some previous IOS configuration experience).

          #5
          Originally posted by doodab
          You need to have a look at routers that will do a reliable site to site VPN then. I don't know about the Asustek ones, they might be fine but I found various netgears and linksys I tried just didn't handle the site to site IPSec VPN well at all. Draytek ones seem to have a good rep but I've not actually tried them myself. As I say gave up on IPSec and went with OpenVPN (which is free) running on a couple of PCs and it was rock solid. Client co use it as well, though I'm not sure that's much of an endorsement

          If you want useful Cisco or similar kit you're looking at quite an outlay, so I'd probably avoid that. I did get a couple of cheap second hand ciscos working in a lab setup but they were old ones that would only support 8mb DSL cards and no wireless, and they are relatively complex to set up (and I say that having some previous IOS configuration experience).
          The Cisco RV220W sounds like it does everything needed and that's only £150 if I bridge the router given to me by my Spanish IP and use the Cisco for PPPoE
          Last edited by SimonMac; 21 February 2014, 18:07.

            #6
            Originally posted by SimonMac
            The Cisco RV220W sounds like it does everything needed and that's only £150
            It may well do. I have one of their small business switches and it's excellent for the money. I'd check the reviews though as I know some of their older small business stuff was rebranded linksys after the buyout and it had issues like the config pages only working with IE6. I expect they have ironed those sort of problems out now though.

            I was looking at it a few years ago now to be fair, so the options were quite limited, My lab setup was with a couple of 2650XM or similar I got off ebay when I went through a "cisco lab" phase and I'd have needed a couple of 1800 or 8xx if I wanted wireless and ADSL2+ which would have set me back the best part of a grand at the time (would be worth **** all now probably)

              #7
              Originally posted by doodab
              It may well do. I have one of their small business switches and it's excellent for the money. I'd check the reviews though as I know some of their older small business stuff was rebranded linksys after the buyout and it had issues like the config pages only working with IE6. I expect they have ironed those sort of problems out now though.

              I was looking at it a few years ago now to be fair, so the options were quite limited, My lab setup was with a couple of 2650XM or similar I got off ebay when I went through a "cisco lab" phase and I'd have needed a couple of 1800 or 8xx if I wanted wireless and ADSL2+ which would have set me back the best part of a grand at the time (would be worth **** all now probably)
              Problem is not sure of the setup of the Spanish ISP (might be a microwave link rather than DSL) so not sure what I can use as one rather than sit behind another router as a bridge

                #8
                Originally posted by SimonMac
                Problem is not sure of the setup of the Spanish ISP (might be a microwave link rather than DSL) so not sure what I can use as one rather than sit behind another router as a bridge
                Some places use different DSL flavours as well i.e. VDSL rather than ADSL and so on. The ideal is to have a separate modem that presents you with an Ethernet connection IMO.

                Having said that you should be able to plug a router with an ethernet WAN port into a LAN port on an existing router and use it as "just a modem". You might need to faff about with the port forwarding / DMZ on the first router to get everything working though. And switch all the NAT, firewall off etc as well.
                Last edited by doodab; 21 February 2014, 18:27.

                  #9
                  Originally posted by doodab
                  Some places use different DSL flavours as well i.e. VDSL rather than ADSL and so on. The ideal is to have a separate modem that presents you with an Ethernet connection IMO.

                  Having said that you should be able to plug a router with an ethernet WAN port into a LAN port on an existing router and use it as "just a modem". You might need to faff about with the port forwarding / DMZ on the first router to get everything working though. And switch all the NAT, firewall off etc as well.
                  Most routers require the public facing IP to be used which is why if it's behind another router that needs to be bridged

                    #10
                    Originally posted by SimonMac
                    Most routers require the public facing IP to be used which is why if it's behind another router that needs to be bridged
                    Yes so easiest way to do that (IMO) with a router with an ethernet WAN port is to plug the WAN port on the second router into a LAN port on the first one and have it pick up an IP address from the first one, then set up forwarding on the first one so that all traffic to the WAN IP on the first router is forwarded to that LAN address, effectively just passing everything through the first router as if it's "just a modem" albeit with NAT as well. That way all outgoing traffic appears to come from the WAN IP and you can let the second router handle the NAT & firewall duties etc for your actual devices and it should be able to tunnel out for VPN as well.

                    The best bet is to replace the old router with a new one ideally though.