Seems like a tough problem to manage. I think the takeaway is “use proper cryptographic verification even inside a VPN”.