A cheap option is a VPN from a windows server inside Proxmox to a router in the office. There is a problem of protecting proxmox itself - it will look outside.
A beautiful option is a separate virtual machine based on linux\mikrotik, on which the public address of the Hetzner server will hang and which will forward packets inside the virtual network, receive VPN from the office or even directly from remote users, protect your virtual machines and proxmox.

Because If you need to drive in an SMB tunnel, then OpenVPN on Mikrotik is not an option, it's too slow. In terms of performance, IPsec or GRE + IPsec is optimal. Everyone is looking forward to WireGuard on Mikrotik in Stable.
WiKi
It is possible to lift GRE directly on ProxMox + OpenVSwitch. But it is difficult to set up, debug, support.
https://documentation.online.net/en/dedicated-serv... It
would be optimal to bring up a guest machine and use it as a GW. White IP is better to use 2, one for WEB ProxMox, the second for GW.
As a GW
pfSense
VyOS
Linux + iptables
Mikrotik
Linux + iptables is my choice, because I can lift almost everything on it and this is a minimum of resources for a guest VM.

Raise a regular OpenVPN network.
https://github.com/nyr/openvpn-install

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

You can also buy a license for CHR Mikrotik for $45 and install it in a virtual machine. After building tunnels between Mikrotiks and so on.

I would put a guard, on it the response and performance is much better than on openvpn, it is especially sensitive on rdp.