My understanding is that I can leave the configuration of my Airport routers intact but note the IP (it's currently the default 10.0.1.1) for use on the new VPN router - is this correct?
It is NOT the best setup.. this is called double NAT and your Airport will throw up an error.. which you can ignore but it can cause issues with interactive games or other more direct internet access. For normal browsing or collecting emails etc it works fine mostly.
If you do use this method the VPN router must work on a different IP range to the Airport. Typically it will be 192.168.x.x which is fine.
It looks as though the way to accomplish this is by plugging the new VPN router into the modem and then use an ethernet cable and connect my AirPort Extreme to the VPN router, give that 'network' a separate name and then depending on my use at any time either select the VPN network or my local wireless network (but use the same password for both) - is this correct?
Again NO unless the Netgear you have chosen is a very high-end model that can do split tunnelling (policy routing). Most routers you will buy do not come equipped with suitable VPN functionality.
It is easy to understand. Once the Netgear, which is your primary router in the setup you suggest, establishes the tunnel, all traffic is pushed through the tunnel. That will include any traffic that is via the Airports or the Netgear directly.
One important question.
that can use the VPN-Router for external access to sites and security,
Are you actually needing to push all your internet traffic through the VPN tunnel? I am a bit unsure here of the exact intent with this setup. If you want all internet traffic going out the VPN some of the info below is not relevant and you do not need any change over between routers at all.. just the Netgear VPN running will still allow all clients in local network to work without needing any other complications.
Correct setup.. at least one method.
In fact the way to set this up is the other way around. You plug the Netgear behind the Apple main router and configure it to establish the tunnel which remember is permanent. All devices that you want connected to the tunnel should connect to the Netgear.. and any devices that will use the internet directly go via the Airports. This will generally work OK but it can be tricky to set up.. basically trial and error. Also devices connected to the Apple router cannot talk to the devices set up to work through the VPN.. which I suspect will mess up your plans no end.
Any time you start doing this sort of network .. it really requires some expertise.
NB.. not fun but Apple routers are known to not handle some VPN setups. It is truly trial and error.
If you have already purchased the Netgear what model is it?
If not please DO NOT buy Netgear. It would be better to use a router with ability to split tunnel.
Can you also tell us which VPN service you wish to sign up to.. and what sort of bandwidth you are expecting to push through the VPN. Each service has their own unique ways to do things and often a list of routers that work well with their particular service. Many have special firmware for a small selection of routers which enable VPN and work particularly well. Express VPN would be a good example.
Let me strongly suggest if you have never done this... you use the month trial period for whatever VPN you join to test how well it works by using the simple VPN clients in your computer or TV etc. It is not necessary to use a VPN router at all.. many client devices have built-in VPN client software and you can do actual tests of the service before you commit to a major network change. This will also help determine if you follow the solution above that the Apple router is actually capable of passing VPN through it.
I would also consider what happens when the current Apple routers die.. since Apple is no longer making routers the time to change over is when you are making this big change.. it will not affect your ability to run a local network.. any router can do that.. the trick is to buy something that can manage policy routing.. i.e. packets from your TV go through the VPN service but email from your computer goes direct.
Is there any step-by-step guide to establish such a network?
No.. because you are so specific.
The VPN companies do have lots of info on their sites.. (at least the major players do) but they will not include mixing up the network in the way you envisage.
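The two checks this answer relies on, as an added example that is not part of the original post: the cascaded routers must not share a LAN range, and only a router with policy routing can send some devices through the tunnel and others direct. The 192.168.1.0/24 range, the device addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# AirPort default range from the post; the VPN router range is an assumed
# example of the "192.168.x.x" the answer mentions.
AIRPORT_LAN = ipaddress.ip_network("10.0.1.0/24")
VPN_ROUTER_LAN = ipaddress.ip_network("192.168.1.0/24")

def lans_conflict(a, b):
    """True if two cascaded routers would hand out overlapping LAN ranges."""
    return a.overlaps(b)

# Constructed policy: source prefix -> egress. The most specific prefix wins.
POLICY = [
    ("192.168.1.50/32", "vpn"),    # the TV
    ("192.168.1.0/24", "direct"),  # every other client
]

def egress_for(src, policy, split_tunnel=True):
    """Pick the egress for a source address.

    Without split tunnelling the router pushes everything into the tunnel
    once it is up, so the policy is ignored.
    """
    if not split_tunnel:
        return "vpn"
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), out) for p, out in policy
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return "direct"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit(devices, policy, split_tunnel):
    """Return {device: actual egress} for devices not routed as intended."""
    wrong = {}
    for name, (ip, wanted) in devices.items():
        actual = egress_for(ip, policy, split_tunnel)
        if actual != wanted:
            wrong[name] = actual
    return wrong

# Constructed device list: (address, intended egress).
DEVICES = {"tv": ("192.168.1.50", "vpn"), "laptop": ("192.168.1.20", "direct")}

if __name__ == "__main__":
    print("LAN conflict:", lans_conflict(AIRPORT_LAN, VPN_ROUTER_LAN))
    print("policy router:", audit(DEVICES, POLICY, split_tunnel=True))
    print("plain VPN router:", audit(DEVICES, POLICY, split_tunnel=False))
```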