I'll throw in a few thoughts based on my recent experience with getting a test service up and running using our Server instance sitting entirely behind a firewall (no public-facing capability). I haven't had a chance to explore the editing side, so I cannot speak to that.
I connect via the built-in VPN capability of the iPhone, so a third-party VPN client should be purely optional. In the ArcGIS app, set up your ArcGIS Server connection by clicking the 'Add ArcGIS Server' button. You need to make sure you are actually connected to your network via VPN!
In the address field, I needed to use the IP address instead of our internal name for the host (i.e. 55.55.55.55/arcgis/mobile).
Using the PDF discussing publishing your map services, I created a text file containing the JSON code for the basemap and operational layers in my test service. My stumbling block was using the internal name for our server rather than the IP address because I simply copied the map service URLs from my Flex app configuration files. Once I corrected that bonehead mistake, I was able to actually view the service in the app. Follow the PDF instructions for taking the JSON code and publishing it.
I realize after playing with my map service in the app that I will need to create specialized mobile-centric map services. For example, some of my existing map services have a few layers within them--some visible by default, others not visible. In my Flex app, the user has the ability to check and uncheck the visibility of layers within map services, but the ArcGIS app appears to not have that ability. The takeaway is that whatever map services you present for this app need to be structured such that you can provide data visibility at the map service level (the app allows you to turn on/off various individual map services, but not the layers within those services).
Hope this helps. I look forward to hearing more about users' experiences with the editing aspect of the app.