Security Basics mailing list archives

Re: Risk from VPN client connections from enterprise network


From: gazwj () fastmail fm
Date: 9 May 2006 09:10:37 -0000

Yes, you would appear "locally" connected via the VPN to the supplier's server. The server could not, however, initiate new connections to you once the VPN is torn down.

The best solution would be a single static VPN tunnel that your workstations could use, just in the interest of central management. That aside, you basically need personal firewalls on all the workstations that will VPN. Leave only essential ports open to that VPN interface.
Also check that whichever firewall you use does its filtering AFTER the VPN link is unbundled.

(You may find during testing that you have some connectivity issues with all that NAT'ing going on too.)

