How do I connect an external user to an internal device with VPN?

"I understand I'll need to setup port forwarding on the internet router ": that should not be necessary of the router can act as a VPN server.

Think of a VPN as a VERY long cable between the remote device (at the other company) to the LAN side of your router.  One major difference, though, is that you'll be on different subnets, though it's all routable.

I looked up the specs on the Huawei and I'm not convinced that this will work.  It doesn't appear to support being a VPN host and it also doesn't appear to have any provision for VPN pass-through.  In the case of pass-through, you'd set up a PC on the LAN as a VPN host and you'd tell the router to send VPN traffic to it (a bit different than just port forwarding as you need to do IP Protocols 50 and 51).  I don't think your router will do that.

Would it be good enough if they had remote access to a computer on your LAN?  That may be the easiest solution.  Add a computer, set up remote access (I like realvnc.com , $40/year with a 30-day free trial) to it, and let them do whatever they want with it and the PLC.

Thanks CompProbSolv. Unfortunately giving them access to a PC won't work. The equipment we have will be shipped to our customer in a few months and connected to our customers LAN. They want Ethernet access to our equipment now so that they can setup and test the connections from their LAN to the PLC prior to delivery. We need a way to replicate that connection via VPN which is why I thought a standalone device could be the best solution.
The router does port forwarding ok. When I say it's spare, it's a 100 mbps connection used for alarm monitoring so it's got almost no traffic on it and it's completely separate from our corporate network. I have already opened ports to our alarm system so I know that works.

for a short duration a vpn may be ooverkill  just port forward from wan ip (whatever) to lan ip of the device. This  may gum up your alarm system unless you put the alarm system port forwarding at a higher priority

Thanks David, I'll try that. If that works it would be a very simple solution.

David provides an excellent alternative to what you requested, though there are some security risks.  Your device will be exposed to anyone on the internet that happens to probe your external IP on the appropriate port.  There are plenty of people out there automating scans to find just such an opportunity.  If it is short term and you have good security with the PLC itself, that shouldn't be a problem.  I'd think carefully about how secure it is.  If their need for access is very limited, you could turn the port forwarding off when they don't need it.

Port forwarding is only a valid option if a fully fledged FIREWALL is on that same device.
Consumer router, NO GO.
Business router, go ahead, port forward, PLUS ADD FIREWALL RULE ONLY THAT ONE EXTERNAL IP nr is allowed.

Hi All, Thanks for commenting. Our Automation staff took matters into there own hands and bought something called a Tosibox TOSIBOX® Locks, Keys and Central Locks for secure connectivity  instead. Our internal communications need some work since they got this up and running while leaving me to find a solution!! Problem solved I guess.

Glad to hear that worked.  In case it is not clear to you, what they did is to replace your router with one that can act as a VPN server.  Nothing unusual there.  In the long run, the new router should prove to be a good overall solution even when not using it as a VPN server.