Posted: 2/5/2017 11:08:36 AM EDT
Summary:
5 person group needs to access their DB application remotely (chiropractic firm; it is their client/billing app, with MS SQL back end running on a server in the office)

tried Hamachi free but will not maintain connection

do not have full time admin to deal with it.  I am moderately technical but have little experience with VPN setup

device/solution would sit behind business cable modem connection.  Right now is not static IP, but they can pay more for that if needed

looked at hosted/cloud solutions but most are designed for bypassing restrictions as opposed to connectivity as described in their use case

all clients are Windows machines, application is Windows based with a client installation

basically looking for a very simple VPN for up to 5 clients either free or up to maybe $20 a month-ish (i.e. he is willing to pay, but not a lot)

any suggestions?

thanks!
Link Posted: 2/5/2017 11:22:01 AM EDT
[#1]
I would get a static IP address, and get a router with a VPN endpoint built in.  I would suggest one, but the Snapgear routers I've used for years are no longer available.
Link Posted: 2/5/2017 11:22:58 AM EDT
[#2]
I am currently in a similar situation.  Attempting to get a Raspberry Pi 3 setup with OpenVPN.  

About $75 for the hardware.  Using dynamic DNS to get around the static IP.   VPN can connect and get out to the net, still trying to figure out the access to the shares and printer.
Link Posted: 2/5/2017 11:30:02 AM EDT
[#3]
On sale at Sam's Club right now.  Has OpenVPN built in.

Amazon Product
  • Tri-Stream 160 technology doubles bandwidth and the fastest dual-band of any router*
  • MU-MIMO technology provides blazing-fast Wi-Fi speeds to multiple devices all at the same time, same speed
  • Open-source ready with OpenWrt and DD-WRT® for complete flexibility and customization

Link Posted: 2/5/2017 11:47:06 AM EDT
[#4]
If I were to expose, even through VPN, customer data I would be shopping for a security appliance that provides VPN functionality. pfSense, Cisco ASA, etc. Not a consumer router.
Link Posted: 2/5/2017 12:29:30 PM EDT
[#5]
Link Posted: 2/5/2017 1:31:50 PM EDT
[#6]
HIPAA is at play here, you can't just do whatever you want.  You have to build a HIPAA compliant solution.  You also can't just connect to a backend database willy nilly over a VPN, you're going to have to work with the vendor to sort out the best way to make the application accessible.
Link Posted: 2/5/2017 1:36:06 PM EDT
[#7]
https://www.flashrouters.com/
Link Posted: 2/5/2017 9:48:06 PM EDT
[#8]
This is a repeat of something I said in another thread recently, but look at the SOHO firewalls offered by Fortinet, Check Point, and maybe Palo Alto Networks. All will have VPN capability and offer security services beyond basic firewall rule sets.

As mentioned above, your folks need to consider HIPAA and/or PCI compliance concerns. With those two regulatory bodies potentially at play, remote access is not quite as simple.

I would also take a look at two-factor authentication services as well. My personal recommendation is Duo Security.

If you want to talk specifics, feel free to PM me. I live in the land of crap that is regulations-affected.
Link Posted: 2/6/2017 1:04:46 AM EDT
[#9]
Who's the compliance officer?  They should have an annual training that details out what is and isn't ok per their annually required risk assessment.  Also, they can't adopt a remote policy without performing another risk assessment, so that needs to be part of their implementation plan; i.e. the assessment has to be done before they select a solution based off the assessment.  Also, per NIST, the end-points connecting via VPN are now logically connected to the ePHI environment, and have to be included in the asset list and comply with the same technical safeguards as the ePHI environment.

This is all entirely separate from the fact that your Hamachi adapter fails to work because the application has a thick client that requires ODBC sessions with the SQL database, which do NOT function reliably over VPN.

You want to do this right, and have remote access, you have to virtualize the app, and stick it in front of an encrypted portal with 2FA.  A 5 person office can't afford this.
Link Posted: 2/7/2017 6:50:35 AM EDT
[#10]
Link Posted: 2/7/2017 6:57:10 AM EDT
[#11]
Quoted:
If I were to expose, even through VPN, customer data I would be shopping for a security appliance that provides VPN functionality. pfSense, Cisco ASA, etc. Not a consumer router.

correct answer
Link Posted: 2/7/2017 12:57:49 PM EDT
[#12]
pfSense, which you can run on a lot of different hardware, will do this via OpenVPN.

There has to be a plan to keep it patched though. 
Link Posted: 2/7/2017 1:19:28 PM EDT
[#13]
Thanks all for the input, sorry for late response as I was traveling.  A few more notes/answers:

1.  HIPAA/compliance officer.  HIPAA - they are aware, but with 5 people, not sure if they have an official "compliance officer" or maybe they do and I just don't know.
2.  setup - they are currently sitting behind a cable modem that does not have VPN capability built in (Century Link is the provider - small town cable co.) and they have the OPTION ($10/month) for a static IP.
3.  The "server" is located in the office and is always on (server-class HW - Opteron 16-core, 16GB RAM, but running Win7 Pro x64 due to cost of Win Server).  There are 3 other workstations and a laptop that are in the office and connect to the server application (workstations over wired 10M Ethernet and laptop over secure wifi (no client access)).
4.  application - part of this investigation is determining what VPN solutions are good options and if the application can run over a VPN connection (still waiting for an answer).
5.  Hamachi fails to work NOT with the application, but with remaining connected.  We are running the free version for 5 users with the client installed on my machine and two laptops that go home with users.  we cannot keep the Hamachi client on the "server" connected 24x7.  It typically drops connectivity such that no one can ever connect to it.  I've run all the diagnostics, opened additional ports, set the timeout to "never," etc.  When it is connected it works just great for our testing thus far, which is limited to single RDP sessions to the "server" box (again, running Win7, so only one simultaneous connection allowed).  This does not scale.  
     a.  if we could get Hamachi to reliably stay connected 24x7, we could proceed with checking to see if the application will work, etc.
6.  TeamViewer - will check it out. Although at first glance, might be too expensive for this guy.  Thanks for the suggestion.
7.  Commercial HW - I am investigating this route also.  I actually work for one of those companies :)  Cost is the issue along with ongoing subscriptions/licenses (where applicable).
8.  roll-my-own (pfsense, etc) - trying to find something that can be installed, configured, and left alone as I don't have time to be an IT manager and troubleshoot VPN issues :)

Thanks again! 
Link Posted: 2/7/2017 6:32:03 PM EDT
[#14]
Tell them to pay for LogMeIn or TeamViewer for the office workstations and be done with it and walk away.  This is a cluster fuck you don't want to be anywhere near.
Link Posted: 2/7/2017 10:14:39 PM EDT
[#15]
Unfortunately the operational costs of staying in business - especially within the healthcare industry - have skyrocketed. You either pay to play, hope to be acquired by someone else / sell out, or close the door.