It’s been a two-day quest, but I’ve finally gotten our web server to talk to a remote SQL server over VPN.  I wish I could document the steps as a how-to (I’d like it for myself if I have to do this again), but I’ve tried so many things I’m not sure which steps are true dependencies and which are extraneous.  First, the server in question is a LAMP server, running Plesk, hosted at Media Temple.  For the most part, it’s a vanilla configuration.  Here are some of the things I learned in the process of getting this up:

  • The VPN is of the Cisco type, but using their Linux software was a dead end.  I couldn’t get it to compile; it needed kernel headers and patches and on and on.  Eventually, I was directed to using VPNC.  There are scripts that convert .pcf files to the format VPNC uses.  Also, you can store the VPN password within the config file, which is perfect for my situation.  If I feel like enduring further pain, it may be useful to get this working locally and stop using the Cisco Mac client altogether.
  • It turns out you need to be running as root to use VPNC.  Thus, for the users that would be running this, I had to add entries to the sudoers file.  I made it passwordless because I knew I’d be calling it from PHP.
  • I had to add /usr/local/sbin to open_basedir in PHP so that I could call VPNC.
  • From exec(), I needed to use the full path to VPNC.
  • Lastly, and this was particularly painful because I knew I was sooo close at this point, I had to comment out “Defaults requiretty” within sudoers.  When this is on, sudo refuses to run unless it has a terminal attached, which rules out calling it from anything other than an interactive command line.
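The steps above, pulled together into one working piece as an added example (this is not the post’s own code).  It assumes the web server runs as the user `psaserv`, that the converted VPNC config lives at `/etc/vpnc/remote-sql.conf`, and that the sudoers lines shown in the comment have been installed with `visudo`.

```php
<?php
// Added example, not the post's own code. Assumed values: the web user is
// "psaserv" and the VPNC config (with the stored password) is
// /etc/vpnc/remote-sql.conf.
//
// /etc/sudoers, edited with visudo:
//   # Grant only the two vpnc binaries, not NOPASSWD: ALL, so the web user
//   # can run nothing else as root.
//   psaserv ALL=(root) NOPASSWD: /usr/local/sbin/vpnc, /usr/local/sbin/vpnc-disconnect
//   # "Defaults requiretty" must be commented out; with it set, sudo refuses
//   # to run without a terminal, which is exactly the situation under exec().
//
// php.ini (or the Plesk vhost PHP settings): open_basedir must include
// /usr/local/sbin, otherwise PHP will not touch the vpnc binary at all.

const VPNC            = '/usr/local/sbin/vpnc';            // full path: exec() has no useful PATH
const VPNC_DISCONNECT = '/usr/local/sbin/vpnc-disconnect';
const VPNC_CONF       = '/etc/vpnc/remote-sql.conf';       // assumed location

/**
 * Bring the tunnel up. Returns true on success; vpnc's output is logged
 * rather than echoed so it never reaches the browser.
 */
function vpn_connect(string $conf = VPNC_CONF): bool
{
    // -n makes sudo fail immediately instead of waiting for a password
    // if the NOPASSWD entry is missing or wrong.
    $cmd = sprintf('/usr/bin/sudo -n %s %s 2>&1', VPNC, escapeshellarg($conf));
    exec($cmd, $output, $status);
    if ($status !== 0) {
        error_log('vpnc failed (exit ' . $status . '): ' . implode(' | ', $output));
        return false;
    }
    return true;
}

function vpn_disconnect(): bool
{
    exec('/usr/bin/sudo -n ' . VPNC_DISCONNECT . ' 2>&1', $output, $status);
    return $status === 0;
}

if (vpn_connect()) {
    try {
        // Open the connection to the remote SQL server and run queries here.
    } finally {
        vpn_disconnect();   // always tear the tunnel down, even if a query throws
    }
}
```

Because the sudoers entry names the exact binaries, a bug in the PHP page can at worst start or stop the tunnel, not run arbitrary commands as root.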

This was a very frustrating journey so hopefully this helps someone else.  Or me in the future.