This seems to be a sledgehammer to crack a nut. If you are going to the trouble of establishing a VPN, you are effectively part of the company intranet, and so could simply access the database directly via a FileMaker client. This could be a simple solution. :)
That said, IWP can be hosted with TLS (aka SSL, port 443), simply by purchasing a certificate for your FM server. Access to data could be further restricted by limiting incoming connections to a few pre-determined remote IPs (this could be done via the company router).
The company can also limit IWP hosting to a special 'firewalled' database that syncs back to the main database, so that hackers can only get to a limited amount of data, even if the security is compromised. For example, it could be arranged only to load up the records/data it needs as it needs it, and limit the number of records it's allowed to sync in any one session.
As a sideline, you can add some PHP to a custom IWP log-on page, which will log the user's IP address, etc. (by no means fool-proof, as these data can be spoofed, but it will put off all but the most determined hacker).
This makes it as secure as other common web front-ends, such as Outlook Web Access (OWA).
I would go back to the company and see what sort of worries they have, what level of security is realistic, and make comparisons with how they secure their other business-critical services, such as e-mail and document storage.
Hope this helps,
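
Added example, not part of the original post and not FileMaker's own code: a sketch of the PHP log-on audit logging mentioned above, recording the TCP peer address separately from client-supplied headers. The log path, the `account` form field and the function names are assumptions made for illustration.

```php
<?php
// Added example: audit logging for a custom log-on page.
// LOG_FILE and the 'account' field name are assumptions, not FileMaker settings.
const LOG_FILE = '/var/log/iwp/logon-audit.log'; // hypothetical path, outside the web root

// Replace control characters and cap length so header values stay on one line.
function clean_field(string $value, int $maxLen = 200): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value) ?? '';
    return substr($value, 0, $maxLen);
}

function build_audit_line(array $server, string $account, int $now): string
{
    // REMOTE_ADDR is the peer address seen by the web server.
    // X-Forwarded-For and User-Agent are client-supplied: record, never trust.
    $fields = [
        'time'      => gmdate('Y-m-d\TH:i:s\Z', $now),
        'peer_ip'   => filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: 'invalid',
        'forwarded' => clean_field($server['HTTP_X_FORWARDED_FOR'] ?? '-'),
        'agent'     => clean_field($server['HTTP_USER_AGENT'] ?? '-'),
        'account'   => clean_field($account, 64), // never log the password
    ];
    // JSON encoding escapes quotes, so a crafted value cannot forge a field.
    return json_encode($fields, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
}

function log_logon_attempt(array $server, string $account): void
{
    $line = build_audit_line($server, $account, time());
    // LOCK_EX keeps concurrent requests from interleaving their lines.
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}

// On the log-on page: log_logon_attempt($_SERVER, $_POST['account'] ?? '');

// Constructed sample request, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    $sample = [
        'REMOTE_ADDR'          => '203.0.113.25',
        'HTTP_X_FORWARDED_FOR' => "10.0.0.1\r\n{\"peer_ip\":\"forged\"}",
        'HTTP_USER_AGENT'      => 'Mozilla/5.0',
    ];
    echo build_audit_line($sample, 'jsmith', 0);
}
```

If the web server sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so the forwarded value is only meaningful when the proxy is known to overwrite that header.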