Our remote office will be moving to a new space where internet will be provided. They'll be behind a router doing NAT (I do not have admin rights to this router). They will be sharing a printer with the other people on the LAN, but will need VPN to our network for email and file shares.
I was thinking of just having them run the Windows VPN client and connecting via PPTP like they do when they are off-site, but I have read that multiple PPTP connections from the same NAT'd address to the same destination don't work well or at all.
I am thinking some kind of site-to-site VPN is needed so there is just one tunnel. Can I just put in a VPN gateway, set it to connect to our RRAS/PPTP server, and have them use it as their default gateway? Perhaps even use the local default gateway for internet traffic. If so, what VPN gateway/device is recommended for this?
Or other solutions? Thanks.
Is there any chance of them being able to set up a VLAN for your office? Since they only need very minor inter-VLAN routing (VLAN 1 being your remote office's network, VLAN 2 being the other office you're sharing with), a router-on-a-stick VLAN configuration would work well (it's only when you're heavily routing between VLANs that you'd want a real Layer 3 core router(s) doing the routing).
By having two isolated VLANs with a router-on-a-stick topology, you can set up firewall rules between the two organizations however you see fit: both can even run their own DHCP servers, and both can (and should) be on separate subnets. With that in place, you can create a site-to-site VPN tunnel from the edge itself as the endpoint and put in the proper firewall rules to only permit your organization's VLAN from accessing it.
If you can't do that, there's no reason why you couldn't do double-NAT -- just put your two remote machines behind a decent firewall router that can do IPSec/OpenVPN client-to-site VPNs (pfSense on an ALIX would work great*; see netgate.com) so that your "WAN" side of the firewall gets a LAN IP from the shared network, and thus can route any connections outbound (via the "first NAT") for printers, etc. Internet access gets double-NATed. With only two machines the performance should be acceptable but obviously test it first. This will isolate/protect your workstations from their network just like a firewall/router does in a normal WAN scenario (although does nothing to protect their workstations from yours in case of a virus outbreak, tampering, etc.).
*With pfSense, it can function as an OpenVPN client, which means you don't have to do any port forwarding from the edge router to your router. If you simply must stick with PPTP, another firewall I've used that features a built-in PPTP client is the SnapGear SG560 (http://www.snapgear.com/index.cfm?skey=1557) although since being bought by McAfee, I think it's called something else.
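What the answer's topology looks like in concrete terms, as an added example that is not part of the thread above and not pfSense's or SnapGear's configuration: a single Linux box acting as the router-on-a-stick (two VLAN subinterfaces on a trunk, nftables between them) and as the OpenVPN client whose tunnel only the remote office's VLAN may enter. It assumes Linux with `iproute2`, `nftables` and OpenVPN 2.4+, and an OpenVPN server at head office (the question's server is RRAS/PPTP, so this assumes an OpenVPN endpoint is added there). Interface names, VLAN IDs, subnets, the printer address and `vpn.example.invalid` are constructed placeholders. Run without arguments it only renders the ruleset and client config; `apply` installs them.

```shell
#!/bin/sh
# Added example (not from the original thread). Router-on-a-stick with two
# isolated VLANs plus a site-to-site OpenVPN *client* tunnel that only our
# VLAN can use. Every name, VLAN ID and address below is a constructed
# placeholder chosen for illustration.
set -eu

TRUNK=eth0                      # 802.1Q trunk to the shared switch (assumed)
WAN=eth1                        # side facing the shared internet router
OUR_VLAN=10; OUR_NET=192.168.10.0/24; OUR_GW=192.168.10.1/24
THEIR_VLAN=20; THEIR_NET=192.168.20.0/24; THEIR_GW=192.168.20.1/24
PRINTER=192.168.20.50           # shared printer on their VLAN (constructed)
HQ_NET=10.0.0.0/16              # head-office subnet, reachable only via tun0
HQ_ADDR=10.0.0.0; HQ_MASK=255.255.0.0
VPN_SERVER=vpn.example.invalid  # placeholder hostname for the HQ endpoint

# Forwarding policy is deny-by-default. Their VLAN never reaches our VLAN or
# the tunnel; our VLAN reaches HQ through tun0, the internet through WAN,
# and the printer only on the print ports.
render_nft_ruleset() {
    cat <<EOF
table inet office {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # our VLAN -> head office, only inside the tunnel
        iifname "${TRUNK}.${OUR_VLAN}" oifname "tun0" ip daddr ${HQ_NET} accept
        # our VLAN -> internet via the shared router (first NAT is theirs)
        iifname "${TRUNK}.${OUR_VLAN}" oifname "${WAN}" accept
        # our VLAN -> the shared printer, IPP and raw JetDirect only
        iifname "${TRUNK}.${OUR_VLAN}" oifname "${TRUNK}.${THEIR_VLAN}" ip daddr ${PRINTER} tcp dport { 631, 9100 } accept
        # their VLAN -> internet only; anything toward our VLAN or tun0 hits the drop policy
        iifname "${TRUNK}.${THEIR_VLAN}" oifname "${WAN}" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # both VLANs leave toward the shared router behind our WAN address
        oifname "${WAN}" masquerade
        # hide our VLAN behind the tunnel address so HQ needs no return route
        oifname "tun0" masquerade
    }
}
EOF
}

# Split-tunnel client: only the HQ subnet is routed through the tunnel and a
# server-pushed default route is ignored, so internet traffic stays local.
render_ovpn_client() {
    cat <<EOF
client
dev tun
proto udp
remote ${VPN_SERVER} 1194
nobind
persist-key
persist-tun
remote-cert-tls server
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/office.crt
key /etc/openvpn/client/office.key
route ${HQ_ADDR} ${HQ_MASK}
pull-filter ignore "redirect-gateway"
verb 3
EOF
}

# Installs the VLAN subinterfaces, forwarding, ruleset and tunnel (needs root).
apply() {
    ip link add link "$TRUNK" name "${TRUNK}.${OUR_VLAN}" type vlan id "$OUR_VLAN"
    ip link add link "$TRUNK" name "${TRUNK}.${THEIR_VLAN}" type vlan id "$THEIR_VLAN"
    ip addr add "$OUR_GW" dev "${TRUNK}.${OUR_VLAN}"
    ip addr add "$THEIR_GW" dev "${TRUNK}.${THEIR_VLAN}"
    ip link set "${TRUNK}.${OUR_VLAN}" up
    ip link set "${TRUNK}.${THEIR_VLAN}" up
    sysctl -w net.ipv4.ip_forward=1
    render_nft_ruleset | nft -f -
    render_ovpn_client > /etc/openvpn/client/hq.conf
    systemctl start openvpn-client@hq
}

case "${1:-render}" in
    apply) apply ;;
    *)     render_nft_ruleset; echo; render_ovpn_client ;;
esac
```

The `masquerade` on `tun0` is the simpler of two choices: it hides the office subnet behind the tunnel address, so the HQ server needs no route back to 192.168.10.0/24, at the cost of HQ never being able to initiate connections to individual workstations. The alternative is to drop that rule and give the server a client-specific `iroute` for the office subnet. Either way, test the printer rule with the real printer's ports, since some devices use only one of 631 or 9100.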