Finally I had the opportunity/need/inspiration/circumstances to look for a free VPN server that would run on a server with a static IP on a LAN.
Turns out Mac OS X has one built in! It's an open-source UNIX deal called vpnd, and it's the same one on OS X Server and configured through the GUI. It's no surprise that Apple left a VPN GUI out of OS X client — Server costs either $499 or $999 — but a very nice developer named Alex Jones came up with the free iVPN, and after a little port forwarding on the router, and 30 seconds of config of iVPN, we had ourselves a legit L2TP VPN tunnel.
It was important to me that the VPN be accessible by the client built-in to OS X — found in Internet Connect in Tiger or earlier, and in Network System Preferences in Leopard. I have become bored with downloading and config'ing standalone software: too many checkboxes, not enough stability.
So.... whoop! Very easy, very free.
Now, one thing about most VPN connections that has always bugged me is that, even if the client connects to a network resource, say a server, via its local Bonjour hostname, e.g. server.local, when a connection is attempted over the VPN it fails, and the user has to revert to using the IP address. Which is sort of fine, but a turn off to the less technically minded. So I just found this article on macosxhints.com about editing the /etc/hosts file:
I haven't tried it yet, but it makes sense to me.