REMEMBER this: Your VPN is only as secure as your authentication method.
One of the easiest ways to compromise a VPN is to obtain the authentication credentials. Users are the weak link in any network. People are easy to manipulate into giving something up, as we see in the daily news and in everyday life. All it takes is one user with a password to open a direct connection to your network.
A best practice is to use two-factor authentication for VPN access.
As you have seen with Google login and many other websites, providers are pushing users toward two-step login.
Two-step login, or two-factor authentication, is a powerful login method because it makes it difficult for an attacker to break into your network.
This is a method of proving identity using two different authentication factors.
Authentication factors are something you know, something you have, or something you are.
Examples include a smart card (something you have) with a PIN (something you know); a biometric device (something you are) coupled with a password (something you know); or a proximity card (something you have) that activates a fingerprint reader (something you are).
Regularly check the usage after deploying the VPN
When you notice employees who are not using the VPN, remove their access. If you see employees who have multiple concurrent connections, you may have a security issue and should investigate further.
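The usage check described above, as an added Python example that is not part of the original article: it flags accounts with VPN access but no recent session, and users whose sessions overlap in time. The log layout, the account names and the 30-day idle threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: (user, session start, session end, source IP).
SESSIONS = [
    ("alice", "2024-05-01 08:00", "2024-05-01 17:00", "198.51.100.10"),
    ("alice", "2024-05-01 12:30", "2024-05-01 13:15", "203.0.113.77"),
    ("bob",   "2024-05-01 09:00", "2024-05-01 11:00", "198.51.100.20"),
    ("bob",   "2024-05-01 11:00", "2024-05-01 15:00", "198.51.100.20"),
    ("carol", "2024-01-10 09:00", "2024-01-10 10:00", "198.51.100.30"),
]
# Constructed list of accounts that currently hold VPN access.
AUTHORIZED = {"alice", "bob", "carol", "dave"}
FMT = "%Y-%m-%d %H:%M"

def parse(sessions):
    """Turn the text timestamps into datetime objects."""
    return [(u, datetime.strptime(s, FMT), datetime.strptime(e, FMT), ip)
            for u, s, e, ip in sessions]

def unused_accounts(sessions, authorized, now, max_idle_days=30):
    """Authorized accounts with no session inside the idle window."""
    cutoff = now - timedelta(days=max_idle_days)
    last_seen = {}
    for user, _start, end, _ip in parse(sessions):
        last_seen[user] = max(end, last_seen.get(user, end))
    # Accounts that never connected count as unused as well.
    return sorted(u for u in authorized
                  if last_seen.get(u, datetime.min) < cutoff)

def concurrent_sessions(sessions):
    """(user, ip_a, ip_b) for each session that overlaps an earlier one."""
    by_user = {}
    for user, start, end, ip in parse(sessions):
        by_user.setdefault(user, []).append((start, end, ip))
    findings = []
    for user, items in sorted(by_user.items()):
        items.sort()
        latest_end, latest_ip = items[0][1], items[0][2]
        for start, end, ip in items[1:]:
            # Strict comparison: a reconnect at the exact end time is not an overlap.
            if start < latest_end:
                findings.append((user, latest_ip, ip))
            if end > latest_end:
                latest_end, latest_ip = end, ip
    return findings

if __name__ == "__main__":
    print("Unused:", unused_accounts(SESSIONS, AUTHORIZED, datetime(2024, 5, 2)))
    print("Concurrent:", concurrent_sessions(SESSIONS))
```

An overlap from two different source addresses, as in the constructed alice records, is the case to investigate first; overlaps from a single address are often just a second device or a stale session.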
Back up your VPN configuration regularly
This is a good practice for any network equipment, but in the event your VPN hardware fails and needs replacement, you'll want to be able to restore your known working configuration quickly. Rebuilding a VPN configuration from the default settings can be a long and challenging task.
Patch/Update your system regularly
Vendors typically release patches and updates for various reasons throughout the life of the product. Sometimes it is just a quick bug fix, sometimes a fix for a security glitch. So keep an eye out and install patches whenever they are available.
In an ideal environment, you will have a development VPN that you can use to test patches and updates.
In most environments, you will not have the luxury of a development VPN and will have to test when you implement in production.
In either circumstance, work closely with your vendor to make sure you receive prompt notice of patches and updates, and establish an operational process and maintenance window to apply patches and updates in a timely fashion.