We have a VPN over DSL.  Using NFS is quite slow (the client side doesn't
  buffer the data too well?).

I have taken the liberty of adding white space to your text.

  Is CODA any good?

Yes.  I use it fairly regularly, but I don't put my homedir in it.

  Is it stable and reliable?

Almost.  The server is pretty stable, but the client occasionally gets
hosed.  If you are mostly conencted (read caching only), or mostly
'write-disconnected' (read caching and write-behind caching), then
this should just involve reinitializaing the client, since all the
state will be on the server.

Only consider coda 6.0.2 or more reccent.

  Ready for production use?

If there is fairly little disconnection, probably more or less, but
not quite.  But note that I run -current coda from cvs, and have found
problems.  I often go disconnected, and am behind a 28.8 dialup, so I
think I'm a particularly difficult case.

Coda security is sort of bogus, but compared to NFS it is fine.  I use
IPsec transport mode between clients and the server; if you have an
inside-the-firewall VPN mentality that is probably OK.  It has a
kerberos-like token mechanism, but due to the legacy of previous
export control rules it uses xor as the 'cipher'.

Coda does have user/group permissions and directory acls.

Do not even think about putting CVS repositories in coda and having
multiple clients access them.  You will get write-write conflicts when
some clients are write-disconnected or fully disconnected.
Serializing access on the CVS server really is the right thing to do,
absent both auto-reconciliation that groks CVS semantics and some good
luck.  I only use coda for bits that I don't keep in CVS.

-- 
        Greg Troxel <gdt@ir.bbn.com>