VPN

How to set up VPN access to a server with Win Server 2012 on the local network?

Hello dear reader!

Background:
There is an enterprise network for ~ 20 computers and two servers. At the entrance is a TP-LINK TL-R480T + router, then a D-Link DES-1210-28P / C1A switch, on which, in fact, the network is organized. This network is configured with VPN access, the VPN server is a regular Linux PC. The boss and the accountant use the configured VPN access, the functionality is the same for them. The VPN server was configured "someone once", no one knows how it works, and I would not want to touch it yet.

The network has a server on windows server 2012, on which a 1C programmer works remotely. It so happened that this server turned out to be unnecessary, so nothing else happens on it. Based on this, to ensure minimal security, on the switch, this server was separated from the rest of the network using a VLAN, and then by forwarding port 3389 to the server on the router, we configured RDP to this server for the programmer.

Problem:
We would like to make remote programmer access to our server more secure than just password-protected Windows users. For these purposes, we want to organize another VPN tunnel. As is clear from the essence of my question, we are not professionals at all, so we need the most easy-to-configure solution. Also, the solution should involve minimal settings on the client side: everything should be configured with the built-in Windows tools.

Minimum objective:
To make programmer's remote access to our server more secure than password-only protection of the user in Windows.

Maximum task:
Stop using a Linux PC as a VPN server and replace it or our TP-LINK TL-R480T+ router with another device on which to organize two VPN tunnels with different rights: one for the authorities with full access to the entire network, and the second for 1C programmer with access to only one computer (in this case, the server on which he works). At the same time, we could refuse to separate this server from our network using VLANs and get easy access to it within the network.

Our options:
1. Raise a VPN server on the server itself with Win Server 2012, to which the programmer connects, only to access himself. From articles on the Internet on this issue, we understood that it is possible to raise a VPN server on Win Server 2012, but it is not clear whether it can be raised to access itself. We assume that this can be implemented by specifying only the IP address of the server itself in the pool of issued addresses to clients.
Questions:
- Can I raise a VPN server on Win Server 2012 to access myself?
- Is it possible to set up different pools of issued addresses to clients for different users with this implementation option? That is, is it possible to provide access only to the server itself for the user "Programmer" and access to the entire network for the users "Head" and "Accountant"
- What ports on the router need to be forwarded to implement this method? The connection to the server is supposed to be via RDP.

2. Put a router on the network between the switch and the server for the programmer. We could forward the ports on the router to the router, and raise the VPN on the router itself. In this way, we would provide VPN access to the destination server, apparently with double port forwarding. At the same time, we would not touch the settings of the server itself, and if necessary, we could simply remove the router from this scheme.
Questions:
- In this case, we only understood how to set up a VPN on a router, but it is not clear how to implement our scheme, which ports to forward.
- As far as we understand, in this way you can only set up a VPN tunnel to the server for a 1C programmer, that is, only solve the minimum task?

3. Replace the Linux PC we use as a VPN server with some specialized device on which we could organize two VPN tunnels with different rights: access to only one computer for the programmer and access to the entire network for the boss and accountant .
Questions:
- Probably, we are looking for it incorrectly, but we did not find specialized devices for these purposes. Perhaps you know such a device?
- Of course, it is completely incomprehensible how to set up this device.

4. Replace our TP-LINK TL-R480T+ router with another router that can receive two WANs (we have two Internet providers) and can raise two VPN servers or a VPN server with different access rights. Since we need an easy-to-configure device, we looked after TP-LINK TL-ER6020 , but it’s completely unclear if he can set up a VPN server with different access rights.
Questions:
- Please advise an easy-to-configure router that can receive two WANs and can raise two VPN servers or a VPN server with different access rights.
- Tell me how to set it up. Perhaps there is an interface emulator for it, like the TP-LINK TL-ER6020 described above ?

Perhaps there is another, simpler or correct solution to our problem?
We would be grateful for any hint or tip :)

In any case, thanks for reading this long essay!