What you're trying to do sounds like more work than you should need to do.
How about the following:
- leave internet access for internal clients flowing through the router.
- put web servers in the DMZ on the router
- Set up a member server within your domain that is running RRAS and use it for VPN connectivity. You would likely need to put this in the DMZ as well, or else you would have to set up a port forward, which is, again, more work.
This seems to me to not only make more sense, but it's less work for you to set up and to maintain and/or troubleshoot.
Always, always, always apply the KISS principle (keep it simple) to anything you do within a network or domain so as to make upkeep, changes, additions, and troubleshooting as easy as possible. Don't forget to document.
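For anyone following this suggestion, here is what the RRAS member-server step looks like from an elevated PowerShell prompt on the server itself. This is an added example, not something the poster supplied; it assumes a Windows Server box that is already joined to the domain and has the RemoteAccess module, and the address pool, port counts and rule names are placeholders you should change to fit your network.

```powershell
# Added example (not from the original post): turn a domain-joined member
# server into an RRAS VPN endpoint. Assumptions: Windows Server with the
# RemoteAccess module; the address pool and rule names below are placeholders.

# 1. Install the Remote Access role with the VPN role service and tools.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Configure RRAS as a plain VPN server (no DirectAccess).
Install-RemoteAccess -VpnType Vpn

# 3. Hand VPN clients addresses from a dedicated pool so the DMZ firewall
#    rules can refer to one range. (Assumed range; pick one you control.)
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange '10.10.250.10', '10.10.250.100'

# 4. Authenticate users against the domain (Windows auth, no separate RADIUS),
#    and require EAP for user auth and certificates for the IKEv2 tunnel.
Set-VpnAuthType -Type Windows
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP `
    -TunnelAuthProtocolsAdvertised Certificates

# 5. Size the IKEv2 and SSTP listeners; both run over ports that are easy to
#    let through a DMZ firewall (UDP 500/4500 and TCP 443 respectively).
Set-VpnServerConfiguration -TunnelType Ikev2 -Ikev2Ports 128
Set-VpnServerConfiguration -TunnelType Sstp  -SstpPorts  128

# 6. Make the host firewall match what the DMZ edge will pass.
New-NetFirewallRule -DisplayName 'RRAS IKEv2 (IKE and NAT-T)' -Direction Inbound `
    -Protocol UDP -LocalPort 500, 4500 -Action Allow
New-NetFirewallRule -DisplayName 'RRAS SSTP' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# 7. Restart the service so the new configuration is live.
Restart-Service RemoteAccess
```

If you do end up with the box behind the router instead of in the DMZ, the same ports are the ones you would have to forward: UDP 500 and 4500 for IKEv2 (IKE plus NAT traversal) and TCP 443 for SSTP. Either way, the server still needs to reach a domain controller for authentication, so whatever sits between the DMZ and the internal network has to allow that traffic explicitly; that rule set is the part worth documenting.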