How to set up an extensible VPN with VirtualBox VMs as nodes

ST smntov at gmail.com
Mon Mar 12 17:46:24 CET 2018


Hello,

We have not-so-tech-savvy colleagues in different locations around the
world who now use Windows 10 and need access to Linux (Debian 9). Linux
will be provided in the form of VirtualBox VMs. We, the technical support
team, need to have access to the guest VMs (via SSH and occasionally as
remote desktop) and to the host (through the guest while the VM runs in
bridged mode; via the Windows 10 built-in SSH Server).

What is the best approach to create such an infrastructure in a
flexible, secure and efficient way, so that:

(A) adding/removing an employee requires minimal effort,  
(B) adding/removing a tech-support team member requires minimal effort.

While we don't have experience with VPNs we assume that it's better to
invest in setting up a VPN (with VMs as its nodes) once rather than
enable port forwarding on all possible router models in order to get
access to the VMs.

1. What open-source VPN software would you recommend for such a case? We
are considering [Tinc](https://www.tinc-vpn.org) as it seems to be
rather flexible and provides an easy way to add new nodes, thus helping
us to achieve the above-mentioned goal A.

2. If yes, in which mode should we run Tinc -
[bridge](https://www.tinc-vpn.org/examples/bridging/) or [proxy
ARP](https://www.tinc-vpn.org/examples/proxy-arp/)?

3. How should we manage authentication of the tech support team in order
to achieve goal B? Asymmetric keys? One pair for all or a pair for
each member? Maybe passwords?

4. In order to get easy (to remember) access to the host from the
guest via the built-in SSH Server on all machines we probably need to give
all hosts the same IP in the Network bridge mode. Are there other
important configuration tricks for the host and/or the VM appliance that you
can think of?

Thank you!


