basically where what networks/subnets is not so important. because if you do it right it doesn't matter.
I would do this for example:
office1
10.1.2.0/vlan2 - management - switches, switches
10.1.3.0/vlan3 - servers
10.1.4.0/vlan4 - office stations/printers
10.1.5.0/vlan5 - internal wifi
10.1.6.0/vlan6 - vpn clients to the office from home
10.1.7.0/vlan7 - vnp grids to other offices
10.1.8.0/vlan8 - open wifi
10.1.9+.0/vlan9+ the rest - all sorts of clusters, test labs and other rubbish.
by analogy, the rest of the offices,
only for office2 -
10.2.x.x and 10.3.x.x,
well, in 10.1.7.0 I kicked out routing between offices so that there were
.1 - the router of the first office, .2 of the second, .3 of the third,
but clients don't care at all - they have a default route to the gateway, and he already drives the traffic between offices to the right place

Set up a category B network. Gateway must be set up on a computer with an Internet connection and a virtual network. on this computer, install the gateway to the virtual network. all unknown addresses will be directed to the gateway, i.e. vpn.
but it's actually better to organize a bridge. when the throughput is higher.

Umm. Let's start simple. If 1c is lying around in the file base and has a decent size ... then 2 occurs!! Problems.
1. You need a good vpn server. So that he was able to push through encrypting such a volume and quickly. Here you need to look towards the aces from the tsiska,
2. For this you need a stable line with a wide channel. Not adsl.

@nagatofm
Why do you need your own terminal and sql server in each office? If for 1s, then it’s not easier to start everything on one and hook users through the terminal to it. As a result, vpn will not clog so much.