Before we get into the woods too deep: you said you are a non-profit. First things first, what industry are you guys in? Compliance could determine your needs.
The best from the end user point of view is no VPN at all. Pretend you’re Microsoft, Google, or whatever your favorite company may be and build your infrastructure with a cloud first mindset.
This means your services are accessible over the Internet with a secure TLS 1.2 connection. Throw in an SSO solution with MFA to better control and secure access. “It just works” is what customers (the end users you support) expect/want.
This means you also build your internal networks differently. The network your endpoints such as desktops, laptops, and tablets connect to becomes an Internet-only network. Maybe you allow the egress IP (or if you’re not living in the past, your IPv6 range) access to additional services that are blocked from most internet traffic. Printers are on a different network, accessed via cloud print, IPP, or similar means. Managing servers? Best way to go is to set up a jump box that admins can RDP into, or make admins use a limited VPN.
That said, the VPN solution is OpenVPN. Otherwise you generally go with whatever is built into your firewall appliance.
They have a Cisco A5505 Firewall which they are not using anymore.
Do you guys suggest reinstating that firewall and paying for the VPN licence? That hardware is out of support and warranty. Is that going to be a more costly option compared to buying new hardware?
A separate authentication method is preferred. I would rather not have the bad guys access the internal network because a user had been phished for his email password.
+1 for this. I avoided DirectAccess due to performance issues through a NAT. Always-On VPN has worked flawlessly with machine certificates. Only took a day or two to get set up.
The 5505 is end of support; go with something easier to manage. Maybe look into a SonicWall? The TZ300 or TZ400 is pretty decent - depends on your office size.