If it is just a single PC behind the router, you don't need the VPN. My setup has 7-8 PCs behind each router/firewall and as such, forwarding 3389 can be problematic.
There are two options available that don't require anything additional:
For multiple users, change the TS/RDP listening port for each machine to something else so each user has their own port to connect to (I set this up for the brass at work for after hours access).
For a single user, have only one entry point machine and connect to the other internal machines from it (I do this quite frequently on client networks - I've actually gone 4 sessions deep without issue).
Actually there are 3 options if you count the TS-Web option on SBS, but I try not to do that.
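The per-machine port change from the first option above, as an added example that is not part of the original post: a PowerShell script run elevated on each PC. It assumes Windows 8 / Server 2012 or later (for the `Get-NetTCPConnection` and `New-NetFirewallRule` cmdlets); the port 3390 and the `$AllowedSource` parameter are illustrative values.

```powershell
# Added example: give this machine its own RDP listening port.
# $NewPort and $AllowedSource are hypothetical values chosen for illustration.
param(
    [ValidateRange(1025, 65535)]
    [int]$NewPort = 3390,
    [string]$AllowedSource = 'Any'   # narrow to a subnet or address where possible
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to continue if something else already listens on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this machine."
}

# Remember the current port so the change can be rolled back.
$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"

# Open the firewall for the new port before switching the listener,
# so the machine stays reachable once the service restarts.
New-NetFirewallRule -DisplayName "RDP custom port $NewPort" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedSource -Action Allow | Out-Null

# PortNumber is a DWORD; the listener reads it when the service starts.
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# Restarting Remote Desktop Services drops any active RDP sessions.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Verify the listener moved; roll back to the old port if it did not.
if (-not (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue)) {
    Set-ItemProperty -Path $key -Name PortNumber -Value $oldPort -Type DWord
    Restart-Service -Name TermService -Force
    throw "RDP is not listening on $NewPort; reverted to $oldPort."
}
Write-Host "RDP now listening on port $NewPort (was $oldPort)."
```

Each machine gets a different `$NewPort`, and the router forwards that port to the matching internal address.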