You have two options, either a VPN enabled router, or build a fire-wall box with VPN. look into open VPN, it would let you set up one firewall system on LAN2 as the primary, and the other 2 would connect to it as clients. If you set the subnet and address reservations right it will do the job.

I am hoping to look into this for myself at the start of next year.

You will want a VPN Server, which can either be a standalone machine or built into a router. (not sure what models support it)

If you go the standalone machine, you will have to do some port forwarding to get things through. If someone knows whether this is disallowed, please respond.

The clients will simply need the client software. No special configurations otherwise.

I have been looking towards OpenVPN.

You don't need to do port forwarding TO a standalone server if it's the first thing on the network. If it's after a router you would, but you can just as easily have it be the first step from the internet connection.

IF you have VPN "servers" at every location you don't need to install anything on client PCs, just the router/server that's bridging.

If I remember correctly, there is an XP version but I had some problems setting it up, my system didn't like the virtual network driver :(.

There is a linux based router firmware called DD-WRT, I use it at home. If you have a router that's compatible with it's VPN or "mega" versions it has openVPN built in.

I put it on a $100 Linksys 350N and it works like a charm.

Redhat Linux has Crypto IP Encapsulation (CIPE), a VPN

implementation developed primarily for Linux. CIPE uses encrypted

IP packets that are encapsulated, or "wrapped", in datagram (UDP)

packets.

CIPE packets are given destination header information

and are encrypted using the default CIPE encryption mechanism.

The packets are then transferred over IP as UDP packets via the

CIPE virtual network device (cipcbx) over a carrier network to an

intended remote node.

One network is running CIPE on the firewall, and a remote client

machine acting as a CIPE-enabled node. The CIPE connection acts

as a tunnel through which all Intranet-bound data is routed

between remote nodes.

CIPE can be configured for communication between two or more

CIPE-enabled Linux machines and has network drivers for Windows

operating systems.