You should have the VPN connecting to a third interface on the firewall, not directly connected to the internal network, to avoid having an alternate path to the internal network.
Hope this helps
Giuseppe