@Goggy
Yes, I use Tinc for this scenario as well. I have several work computers behind NAT, and at another location a router running Tinc that is NAT'd behind a second router over which I have no control. These devices connect to other mutual nodes, which then do the UDP hole punching so all the devices can create direct links.
Now, the UDP hole punching is done at the time you attempt to make a connection between two NAT'd nodes, so it may take a few seconds to be set up. Whatever you're doing may time out the first time, but should be accessible soon. It's usually pretty quick, though.
If you're concerned about the laptop accessing your home network, there is a custom firewall area that allows you to define additional rules, or your own complete set of firewall rules (manual). Manual means you have to handle all the rules, including opening the ports on the router. For your scenario, additional rules should work.
Additional rules are appended to the firewall script, so we know if we insert an iptables rule, it will be at the beginning of the chain, and will be evaluated first.
I set up individual computers with a single IP address, i.e. 192.168.50.1/32.
Something like this I think will work, using the VPN IP address of the laptop.
Additional
Code:
# Replace 1.2.3.4 with the laptop's VPN (Tinc) address.
# -I inserts at the top of the chain, so these are evaluated before any
# accept rules the firewall script already put there.
iptables -I INPUT -s 1.2.3.4 -j DROP      # laptop -> the router itself
iptables -I FORWARD -s 1.2.3.4 -j DROP    # laptop -> hosts behind the router
You can give that a shot and see how it fares.
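An added example, not code from the post above or from Tinc, that builds on the same idea: it puts the restriction in its own chain so that re-running the firewall script does not prepend a duplicate rule each time (bare `-I` rules pile up), and it lets the laptop reach one LAN host while dropping the rest of the LAN. The interface name tun0, the laptop VPN address 10.0.0.50, the LAN 192.168.50.0/24 and the allowed host 192.168.50.10 are assumptions for illustration; substitute your own values. Set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): restrict one VPN peer's access to
# the home LAN with an idempotent rule set. All addresses and the interface
# name are illustrative assumptions.

CHAIN="VPN_GUEST"

run() {
    # Apply an iptables command, or just print it when DRY_RUN is set.
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

have_rule() {
    # iptables -C exits non-zero when the rule is absent. In dry-run mode we
    # report "absent" so the insert command is shown.
    [ -z "$DRY_RUN" ] && iptables -C "$@" 2>/dev/null
}

ensure_chain() {
    # Create the chain if it does not exist, then empty it so the rules added
    # afterwards are the complete set (no duplicates on re-run).
    run -N "$CHAIN" 2>/dev/null || true
    run -F "$CHAIN"
}

ensure_jump() {
    # $1 = built-in chain. Put the jump at position 1 so it is evaluated before
    # whatever accept rules the firewall script already installed, but only
    # add it once.
    have_rule "$1" -i "$VPN_IF" -j "$CHAIN" || \
        run -I "$1" 1 -i "$VPN_IF" -j "$CHAIN"
}

add_vpn_guest_rules() {
    # $1 laptop VPN IP, $2 home LAN CIDR, $3 VPN interface, $4 allowed LAN host
    guest="$1"; lan="$2"; VPN_IF="$3"; allowed="$4"
    ensure_chain
    # The laptop may reach the one allowed host; everything else on the LAN
    # (including the router's own LAN address, via INPUT) is dropped.
    run -A "$CHAIN" -s "$guest" -d "$allowed" -j ACCEPT
    run -A "$CHAIN" -s "$guest" -d "$lan"     -j DROP
    # Other VPN peers fall through to the normal rules.
    run -A "$CHAIN" -j RETURN
    ensure_jump FORWARD
    ensure_jump INPUT
}

# Example invocation with the assumed values (prints when DRY_RUN=1):
# DRY_RUN=1 add_vpn_guest_rules 10.0.0.50 192.168.50.0/24 tun0 192.168.50.10
```

Matching on `-i tun0` means Tinc's own UDP traffic, which arrives on the physical WAN/LAN interface rather than the VPN interface, is untouched, so the tunnel itself keeps working while the laptop's reach inside it is limited. Remember that the jump into the chain goes before the rules the router's firewall script already installed, which is the same ordering the post relies on with `-I`.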