My personal opinion is that this is a god awful idea. About two months ago our director of development insisted we do just this, much against the advice of the Dev team. It's a genuine nightmare and an incredible pain for us, not only does it kill ajax all together it presents so many administration issues for us.
We have 40 regular staff and 4 devs trying to use the vpn at times and it just stutters, along with that all users now require two sets of passwords one for wp and one for vpn and that's not just a shared password it's individual ones, I mean how else would you do a security audit. It's hard enough to remember one secure password, let alone two.
Add to the issue that a lot of people do not know how to use a vpn and often that just causes more issues.
Ultimately it's a terrible idea and it's often put forward by management or higher who do not know or understand WordPress. They see it in a terrible light, that because it's open source it must also be a security issue, filled with easily tapped exploits and so on.... its getting old.
WordPress is secure and sticking wp-admin behind a vpn is not only fear mongering it presents a nightmare for every member of the team
Why is it that management types have no trust when it comes to WordPress, they seem to forget major sites use WordPress and don't use vpns, look at mashable for example.
So to recap:
Ajax won't work behind a vpn.
Vpn is a terrible idea for reasons mentioned above
WordPress is secure and will remain so if you keep it and plugins up to date.
Listen to your Dev, you pay them for their expertise. I can promise you, that nothing undermines a working relationship like not putting your trust into an individual and having to check up on their knowledge.
If you do go with vpn, be sure to buy enough user licenses.
ajax-admin.php
handles.. ajax requests. Please clear your title up and the question in general, wordpress.stackexchange.com/faq