I'd say that it depends on how you have the vpn set up; most particularly what FW software/hardware is being used? If you're running CheckPoint, then simply putting a rule on each firewall with source 'any' and destination 'his-apartment-net' and the action 'drop' then that should do it. (you may have to open up some stuff like icmp if he needs to ping etc.) A similar thing can be done with NetScreen and those are the two platforms with which I'm most familiar...