jwgorman: I definitely agree - the VPN is the way to go, but - if I understand correctly - it still requires that the 3G modems be given public IP addresses right, so that DYNDNS can identify them staticly with a URL? the VPN is created with that dynamic IP, and then the devices behind the remote router can exist on a private subnet, with all communication going through the tunnel that the VPN defines?
VPN client behind NAT makes a connection out to your VPN router. The VPN router assigns it an IP address e.g. 192.168.150.12 and gives it some static routes, e.g. 192.168.140.0/24 that are reachable down the VPN connection.
The VPN connection is like a virtual network cable between the VPN client and VPN server -- a bit like a dialup connection that goes over the internet rather than over an analogue phone line. So now that your client has been assigned an IP, you can connect to that IP -- providing your networking at the other end is set up to send traffic down the VPN appropriately.
You can either use DNAT rules or static routing to enable the industrial PC to be accessible, if it's not the device running the VPN client.
You have to get the routing rules right because now both wherever your VPN server is hosted, and the Vanuatu end have *two* network connections -- one out to the public internet, and the virtual connection the VPN provides.