Happy New Year!

We're a small business of approximately 10 users.

Around half of our users connect from home to our network via OpenVPN which is installed on an Untangle server. Our Untangle is installed on a server machine as the firewall / network antivirus, etc. (paid subscription to Untangle)

I'm curious - what if an employee's personal device that connects to our network via VPN gets attacked (such as by a virus / malware / ransomware / hack)... is it possible for that to "bleed" through to our network / server / workstations?
What is the typical practice for small businesses like this (where the employees work remotely with personal devices) regarding endpoint security?

Do they suggest or perhaps require their employees to install an endpoint solution?

If the endpoint security is installed on all workstations and the server at the office + a firewall like Untangle on the network level, is the equipment "safe," even if a remote VPN user is breached?
If not, what have you found to be a good solution for a small business (both firewall and endpoint security) that is affordable and preferably does not require a lot of configuration?

I realize there is likely no 100% tamper-proof setup and there are many theoretical situations / potential threats ... but I'm trying to get a "feel" for what the average small business has in place. (a practical solution / setup)

Note: At this point, most of our employees primarily use MS RDP on a Windows Server on our network... so most of their work is on Windows Server itself with their own Desktop via RDP, rather than normally working directly from their Workstation OS.

Thanks for your help / input!