If your exchange server allows Outlook Web Access to be accessed from the internet (from home or whatever), then a VPN isn't needed.
Providing OWA works, are you using SSL to connect with? Connecting WM5 directly to an exchange server via SSL requires a trusted root certificate with a matching domain name. Wildcard certificates will not work. If it is a self signed cert then you need to install the cert to the pda's root store also.
To test if your connection is fine and OWA is working fine and the SSL cert is fine, open up PIE and go to your OWA site. If you get prompted at any point about a SSL certificate, authenticating with active sync directly to the exchange server won't work. You also need to ensure that on the exchange server under exchange system manager, under the mobile services, you have "Enable Direct Push over HTTP(s)" enabled. There is also a registry change that needs to be made. It is more of a fix to make RPC over HTTPS work, but it significantly helps mobile devices too. And also the user trying to connect with their mobile devices needs to be specifically allowed in their exchange attributes. And also...think the last thing was basic authentication instead of integrated in IIS for the exchange and OMA virtual sites.
(just set up 3 exchange servers this year each with mobile access, fun fun fun
)
This is with Exchange 2003 and X51V.
Any questions just let me know. Been through all the trial by errors with Exchange and mobile devices lol