I have a simple routed network with a gateway router that src-NATs LAN clients (CPEs) to public IPs. So each client has its own IP.
Now I have a client that wants to use a VPN so a remote worker can log into the business network (the LAN behind my CPE).
The client CPE also serves as a NAT router. The client's LAN is separated from my CPE-AP network by the router, and my internet gateway is again separated from the internet as described above.
I have a firewall rule basically blocking all traffic (requests) from the internet to my and the client's LAN networks.
Do I need to set anything special for the client to allow his remote access users to use the VPN to log into the network behind my client's CPE?
I presume I have to allow traffic from the internet to this client (dst-address) by his public IP.
Incoming traffic from internet to this public IP should be forwarded (routed) to the client's CPE and into his LAN?
Is there anything more I need to set to allow the VPN?