In the future, you're going to want to provide a LOT more details if you expect someone to help you find a solution:
- What host OS?
- What router?
- What VPN client? Is it a function of the router, or the host OS?
- How were you planning to announce to your guests that the network routes had changed?
But even without all that data, I can give you some pointers ...
The usual way that a VPN works is that you instantiate a virtual network interface which has its own network address, and the network routing tables are changed to give the VPN interface preference for routing some or all packets. Thus requests to Google might go through your normal network, or they might be routed through the VPN and your company's network. Any packets that are routed to the VPN interface are encrypted and encapsulated and sent to the VPN server, which decrypts them and sends them on their merry way. Typically the VPN interface is assigned an IP address from the destination (work) network, but it can also be assigned addresses from a private network that is managed by the VPN server.
The usual way that bridged networking works is that the bridge switches the physical interface into promiscuous mode and assigns the virtual interfaces unique MAC addresses. When packets are sent from a virtual network interface in guest 1, the packet is sent out through the physical interface with guest 1's MAC address; when packets are received for that MAC address, the virtual bridge sends them on to the appropriate guest. This will require careful configuration of the host's routing tables as well. Note that if the guest OS is configuring it's network interface via DHCP, it is going to get its IP address from the first DHCP server that sees its request, be it virtual bridge, host, or router.
Let's suppose you set up a VPN client on the host. If you don't configure the virtual bridge to connect to the VPN interface, all of your VM traffic is still going to go to the physical interface, which is what you've described.
The first thing to try is to see if you can configure VMware's virtual networking to bridge to the VPN interface instead of the physical ethernet interface. This may not work -- I haven't tested it -- because virtual network interfaces aren't the same as physical network interfaces, and may not support the capabilities that VMware needs to establish a bridge.
If it does work AND you've got a static point-to-point VPN that is 'nailed up' all the time, then you're done. If you want to be able to turn the VPN on and off and have the guest VMs all 'do the right thing', then you're going to need to do some heavy scripting, such that when the VPN is connected, the VMware virtual networking is reconfigured, and vice versa.
If you can't configure VMware virtual networking to bridge to the VPN interface, then you're probably going to need to get very clever with your routing tables, possibly to include installing a routing service on your host (and possibly another in a VM, with all of the other VMs sharing a private network). Good luck -- that part of the map is labeled 'Here Be Dragons'.