What security measures or authentication measures are the best? VPN from a wireless client or just plain WPA or WEP?
The link layer authentication option found in early WEP devices, Shared Key Authentication, is extremely weak and rarely used. Don't use that option unless you have no better alternative.
Devices that implement WPA offer a better option, Pre Shared Keys (PSKs). Like the older Shared Key Authentication, PSKs are just group passwords -- anyone who knows the password can join the WLAN, and everyone using the WLAN must keep that password safe. However, PSKs are never used directly for encryption, which means they can't be derived just by capturing enough traffic with a tool like WEPcrack. PSKs are also generated from longer "passphrases," which means there are more possible combinations, making the PSK tougher to guess (brute-force attack). Of course, a really short PSK is easy to guess, so choose complex PSKs that are at least 12 characters. Home and small business WLANs should use WPA-PSK instead of Shared Key Authentication whenever possible.
Many devices support an even strong option, 802.1X port access control. 802.1X can be used with WEP or WPA and provides delivery of dynamic encryption keys that greatly reduce the risk of key cracking. 802.1X also provides a mechanism to permit or deny AP access to individual users based on their authenticated identity. The type of identity and actual authentication method depends on the Extensible Authentication Protocol (EAP) used with 802.1X. Some EAP types are stronger than others -- for example, 802.1X with EAP-TLS is considered very strong, while 802.1X with LEAP is vulnerable to dictionary attacks. Deploying 802.1X requires expertise and network infrastructure, and it should be used primarily by businesses with an IT department that can deal with this complexity.
Link layer authentication and VPN client authentication serve two different purposes, and some companies use both to satisfy different needs. Link layer authentication controls access to your AP and WLAN resources, while VPN authentication controls access to your VPN gateway and the private network resources behind that gateway.