Sorry, can’t comment on it as I’m not an expert on VLAN stuff.
My deployment of it would have been by using pure basic IP routing.
Much easier for me.
Regarding remote administration:
IMO it should be secure enough to use simple port-forwarding(s) on your WAN router to the ssh service of the devices.
VPN is ok too, but requires more setup-work.