The VPN I currently use is Softether (https://www.softether.org/). I have it running on a hardened Linux box which acts as my border firewall but it will run under pretty much any OS. It is a VPN that operates at the ethernet frame (data-link) layer. It allows you to connect a remote computer to your internal network via the insecure Internet. I have one hardened machine that runs the VPN server and I can then connect through that to the target machine using any protocol that the rules permit (RDP for instance). The observatory PCs are completely isolated from the Internet. I don’t generally allow my observatory or meteor camera PCs to do updates but, as long as I keep my internal network clean, that shouldn’t be a problem.