You should have the VPN connecting to a third interface on the firewall not directly connected with the internal network, to avoid having an alternate path to the internal network.
Hope to help
Giuseppe