I found the solution in this thread on serverfault.com https://serverfault.com/a/450862
I'll cite MDMarra's answer here:
No. You can't install third party services like a VPN client on the hypervisor.
This is what you need:
A management IP address for ESXi itself. This can be public, or it can be private, as long as you can reach it to manage. If it's public, make sure it's firewalled off well.
A VM to act as a VPN gateway (OpenVPN, pfsense, RRAS, whatever)
At least one public IP address for a VM to act as the VPN gateway.
A public vSwitch that has the public interface for your VPN gateway VM.
A private vSwitch that the rest of your "private only" VMs connect to.
You'll connect your VPN VM to both vSwitches and configure routing through it. This way, you'll tunnel to a VM that has access to both the public network (so that you can VPN into it) and the private network so that your VMs aren't exposed to the outside world unnecessarily and you won't need public IPs for all of them.