I wasn't sure if I should post this in EdgeMax or UniFi Sub Forums... Mods feel free to move accordingly.
A friend of mine is in need of a specific, somewhat odd configuration. Posting here for him, but he may jump in later and clarify any points. He'll be nice.. 
He needs a solution that follows this path:
Cable modem ----> Router ----> Access Point... the Access point must have multiple SSIDs. One of them is the one his devices, and guest devices will use. The other one is on a different subnet and/or VLAN group and provides devices connected to it a connection to a VPN. (OpenVPN) He's quite privacy/security minded and wants to be able to flip between a network that is encrypted but not on VPN, to one that is encrypted and on VPN, at will. The SSID providing a connection to the VPN needs to issue it's own IP addresses.
I have a ERL and UniFi APs. I know you can make multiple SSIDs with their own VLANs and have one act as a DHCP server.
What we aren't sure of is, will the UniFi Security Appliance OR the EdgeRouters run an outbound VPN, and can I assign the VPN SSID to be used only on that VPN connection? I see there's a thread here on OpenVPN on a EdgeRouter, but it's the assignment of that one SSID to only run over the VPN that's the question.
Anyone have any thoughts?
