Ok, there is one server - Imagine a room with 4 computers in, well basically, that's it (3 clients). We also have to connect it to the WAN for internet access, and we need to set up a remote access.
In that case any hardware firewall would do the job. Any software firewall would do it too, running on the 'server' machine with two interface cards; one for the connection to the WAN and one for the internal network's switch. You can (using NAT) assign each of client machines and the internal interface of the server a private address (192.168.X.X) and the WAN interface whatever address is given to you by the upstream connectivity provider. This way you'll have some level of protection from the outside world even without a firewall since nobody will be able to initiate connections to any of the client machines.
If you use NAT then you'll tell your firewall which of your internal machines to forward VPN requests to, which presumably will be the server machine.
There are dozens of ways to do this really; the choice of what is best depends on your precise needs, your inclination towards different types of hardware, whether you've already been assigned certain equipment and/or a budget and so on.