I believe that the majority of security and ease-of-use issues are dealt with by the technologies I have described here. Certainly there are many issues that this technology could expose (mostly internal political or policy issues within your own institution).
If you discover any flaws in the technology, please contact me about it.
Also, if you can explain the proper pf rules to get *BSD to properly forward (masquerade the 10. network) packets to Internet-routed network segments on the internal side of the VPN, I would definitely like to hear from you. I could not get it to work, whereas the Linux masquerading rule I found just works.
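For readers facing the same pf question, the following is an added example and not configuration from the original page or the author's setup: a minimal pf.conf fragment that masquerades a 10.0.0.0/8 VPN client network onto the address of the internal interface, so that hosts on the routed internal segments see only the gateway's address and need no return route for the 10. prefix. The interface names (`tun0`, `em0`) and the prefix are assumptions; pf must also be enabled and IP forwarding turned on (`sysctl net.inet.ip.forwarding=1` on OpenBSD, `gateway_enable="YES"` in rc.conf on FreeBSD), or the translated packets are never routed.

```conf
# Added example, not from the original page. Names below are assumptions.
vpn_if  = "tun0"        # assumed: interface carrying the 10. VPN network
int_if  = "em0"         # assumed: interface toward the routed internal segments
vpn_net = "10.0.0.0/8"  # assumed: VPN client address space to masquerade

# --- FreeBSD and pre-4.7 OpenBSD pf syntax (translation rules are a separate section) ---
# Rewrite the source of VPN traffic leaving the internal interface to that
# interface's address; ($int_if) tracks the address if it changes.
nat on $int_if from $vpn_net to any -> ($int_if)

# --- OpenBSD 4.7 and later: NAT is an action on a match rule instead ---
# Use this line INSTEAD of the "nat on" line above on modern OpenBSD.
# match out on $int_if from $vpn_net to any nat-to ($int_if)

# Filter rules: only the VPN network may enter from the tunnel, and
# stateful passes let the translated replies come back through the gateway.
block all
pass in  on $vpn_if from $vpn_net to any keep state
pass out on $int_if from ($int_if) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` (or `pfctl -s rules` on OpenBSD 4.7+) shows whether the translation rule was installed, and `pfctl -s states` shows the translated entries once a VPN client sends traffic. Keeping `block all` as the default means the masquerade only applies to the VPN prefix and nothing else on the gateway is silently forwarded.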