If you allow all and sundry to connect to your network using a downloaded VPN client on personal machines, then you are effectively opening the floodgates. Only firm-provided machines (laptops, etc.) should have the capability to VPN into a corporate structure. Other personal machines should make use of a secured Remote Desktop Gateway with the relevant 2FA and DLP in place to prevent data extraction without authorisation. Similarly, controls should be in place to ensure that even Office 365 email cannot be accessed outside of an approved IP range.