I wrote before that a mounted TrueCrypt container is analogous to an unencrypted file or drive. This is mirrored by other encryption schemes, and one safeguard against the implied problem is to keep an encrypted zip-type file that enciphers the data as it accumulates it, while requiring plaintext to be extracted for each and every use.
Some thumb drives used to come with an application like that. It is sort of the inverse of the free “un-rar” program Rarzilla. Possibly the primary weakness of this scheme is that snapshots of the accumulator, taken at different times, can be compared to contrast the changes, as if they were two messages enciphered with the same password. I speculate that it was for this reason that the utility with which I am familiar (I cite human frailty – I cannot remember the name of it) had no way to change the password once it was set.
For example, a VB form in which every file dragged into it is enciphered for storage, without any password entry, would accumulate data in a satisfactory way for the above example.
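The snapshot-comparison weakness described above can be shown with a short added example, which is not code from the utility discussed or from any product. It assumes a toy SHA-256 keystream cipher, a constructed password and constructed ledger text, and hypothetical function names; it contrasts two snapshots sealed under the same password and nonce with two sealed under fresh nonces.

```python
import hashlib
import os

def keystream(password: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (assumption, illustration only): SHA-256(password || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def seal(password: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encipher one accumulator snapshot; the nonce is stored in the clear as a prefix."""
    ks = keystream(password, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def diff_snapshots(a: bytes, b: bytes, nonce_len: int = 16) -> bytes:
    """XOR of two snapshot bodies: computable by anyone holding both, without the password."""
    return bytes(x ^ y for x, y in zip(a[nonce_len:], b[nonce_len:]))

def changed_offsets(delta: bytes) -> list:
    """Byte positions where the two snapshot bodies differ."""
    return [i for i, d in enumerate(delta) if d]

# Constructed sample data: two states of the same accumulated file.
PASSWORD = b"constructed-password"
OLD = b"ledger: alice=100 bob=250"
NEW = b"ledger: alice=100 bob=975"

def demo_reused() -> bytes:
    """Same password and same nonce: the keystream cancels out of the XOR."""
    nonce = bytes(16)
    return diff_snapshots(seal(PASSWORD, nonce, OLD), seal(PASSWORD, nonce, NEW))

def demo_fresh() -> bytes:
    """Same password, fresh random nonce per snapshot: the XOR reveals nothing useful."""
    return diff_snapshots(seal(PASSWORD, os.urandom(16), OLD),
                          seal(PASSWORD, os.urandom(16), NEW))

if __name__ == "__main__":
    print("reused nonce, changed offsets:", changed_offsets(demo_reused()))
    print("fresh nonce, changed offsets: ", changed_offsets(demo_fresh()))
```

With the reused keystream the difference of the two snapshots equals the XOR of the two plaintexts, so an observer learns exactly which bytes changed; with a fresh nonce per snapshot the two bodies differ almost everywhere and the comparison is uninformative.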
This model would behave differently when expanded to a LAN than on a VPN, where traffic would be subject to additional scrutiny. We could speculate that whatever mechanism solves any difficulties in scaling the solution to a LAN might be adapted recursively to solve similar difficulties with a VPN.