this is, unfortunately, a tricky topic.
The DC Master and the DC Backup need to be able to communicate in both directions on various ports. Even more important is that the communication often uses hostnames. Therefore the first thing you absolutely must make sure works is DNS resolution for the (supposed) internal domain used by UCS.
The next issue is that a DC Backup only makes sense for the case that the master is completely unavailable. This also means that in such a case all of your clients must be able to communicate with the DC Backup as if they were on the same local network.
The combination of both basically means that the VPN endpoint for your local LAN must probably reside on a central router and not on the DC Master.
Now it gets even difficult. On the DC Backup’s side you’re likely planning on running the VPN service on the DC Backup itself. However, there’s a real problem with most VPN technologies: connections to the VPN endpoint’s IP address are often not sent over the VPN tunnel at all.
For example, if your DC Backup’s named “backup.mynet.ucs” and has a public IP of 220.127.116.11. Your LAN’s using 10.0.0.0/8. You install a VPN on the DC Backup and let it connect to the LAN’s router. Now a client wants to connect to the host name “backup.mynet.ucs”. This is resolved to 18.104.22.168, and the client connects to that IP. The packet is sent to the router which will then send the packet over the unencrypted internet connection instead of the VPN tunnel. Of course the DC Backup will now see the connection originating from your router’s public IP address and not from your client’s internal IP anymore. For the same reason the connection to the DC Master will likely not work at all.
This is the case at least with OpenVPN, a tool which I usually recommend to use over all others — mostly for its simplicity, robustness and excellent debugging/logging functionality.
You may have more luck with IPSEC which is able to encrypt connections to the VPN endpoint itself. The huge drawback is that configuring IPSEC is rather difficult and error-prone, even more so if your other side is a hardware router by some vendor as most hardware routers have their own quirks, and the IPSEC standard is so unbelievably flexible that each vendor only supports their own subset of the functionality. Most of the time you will succeed in getting to IPSEC endpoints to agree on connection parameters, but it can take quite some time.
So basically what I’m advocating here is to run the DC Backup behind a dedicated router/VPN endpoint machine as well. Both can be virtual machines, of course, no need for putting a real hardware router. If you do that you’re mostly free in the choice of VPN technology — as long as it’s not some unsecure protocol such as PPtP which no one should use anymore.