I've never set up a VPN from scratch before and I'm wondering how I should go about it. Anyone have experience with this sort of thing?

Here's the scenario:

- Office LAN at a small real estate office.

- Office is connected to the internet via DSL router that has a built-in NAT/Firewall.

- Router does not have VPN built into the hardware. It does allow me to put in port forwarding (I think that's what they call "pinholes" in the router's menu).

- Office runs all Windows systems.

- Office has a server that's running Windows 2003 Server.

- A select few people, all NATed broadband at home, need to get into the office LAN remotely, in order to run a certain piece of client/server software and also for me to get in and remotely manage the server.


I see a few ways I can go about this:

1. I can make the server a DMZ. **NOT**. Windows is too insecure to expose out from behind a firewall like that.

2. I can port-forward the VPN requests through the router to the 2003 server, and activate/configure RRAS on that server.

3. I can replace the office router with one that has VPN built-in.


Never having done this before, my questions are...

If I do option 2, is it only one port that needs to get forwarded, and do I only need to do that on the office's router? Or do I need to do tricky stuff on the client side too?

If I do option 3, will the clients need hardware too, or can they just use the VPN client software that comes with Windows?

Anyone have any other tips?
_________________________
Tony Fabris