I would like to protect the host that initiates the VPN connection from the VPN network, but can't think of a way to do it.
It would look something like this:
VPN connection with firewall
This is most certainly possible to do if one has access to the VPN-server and put the firewall on that side. I have connections to quite a few different VPN-servers but I don't control any of them. I would like to deny any traffic coming from the remote network to the host that's not "Related, Established".