IIRC, the only VPN protocol the USG supports natively is IPSec. So you don't necessarily need to get them a USG, but something that supports IPSec natively should make it pretty easy. Unfortunately, TrueNAS doesn't natively handle VPNs in a useful way (it does include an OpenVPN client and server, but configuration of both of them is unnecessarily painful), so the "easy" way to handle this is net-to-net. Net-to-net also means that you could route the iLO/IPMI interface, giving you a remote console for the server if needed.