when I am connected via VPN, can the client monitor what I am doing on my machine
It depends on what they actually installed, and on how the VPN client is configured.
A normal VPN client doesn't transfer information about what you're doing in general – the server doesn't know that you're editing a file, and it doesn't know which file you're editing.
But it does handle your network traffic (obviously) and a lot of information can be determined from that traffic. For example, the VPN server's administrator can know if you're using TeamViewer (but not the actual data – that's encrypted), or if you're watching YouTube (but not the actual video URL – that's encrypted), or if you're sending an email (but not the actual email contents). In other words they'll see everything that your ISP would see, but usually nothing more.
So first, a VPN client can be configured to either route all traffic through the tunnel, or just specific traffic. (It is very common to use VPNs which connect only to school/company networks while leaving everything else untouched, aka "split tunnel" VPNs.)
If the client is honest (and not lazy), they can configure the VPN to only catch traffic to that client's servers, and nothing else. However, they can also configure the VPN client to capture all your traffic (or just traffic to their competitor's website, etc). Of course, enabling the VPN for all traffic is not malicious in itself at all, but it does allow your client to monitor you.
And in your case, "My IP address is different when I am connected to their VPN" is a strong indication that everything goes through the VPN.
But second, you're not 100% sure whether they installed just a VPN. They could have installed other software, e.g. something that specifically logs all your browser visits or tracks which program is currently active.
Can I prevent the client from monitoring my other tasks?
You allowed the client to install software on your computer – you've already lost.
It is possible to use a VPN for connecting to the client's network while still remaining safe; however, exactly how to do this depends on what VPN client you're required to use.
For a start, you would need to download and configure the VPN client yourself from provided information (instead of letting the client do it), and you would need to make sure the VPN client doesn't have any "remote provisioning" features which would allow it to locally install more components.
If in doubt, only install any client-provided software to a separate machine (maybe a VM) – never to your main computer.
3any way that I can prevent the client from being able to monitor, since I use this machine for projects multiple different clients – Neal – 2019-09-23T13:25:44.307
@Neal that's a separate question, but one way to ensure that tools of (and for) one client don't trample on another is to use separate virtual machines; e.g. in various security use cases it would not be uncommon to do all the sensitive stuff (including VPN setup) from an isolated VM that's used for one client only. – Peteris – 2019-09-24T08:23:31.040
7Different idea. if you do separate projects in the same computer, use a virtual environment for your this specific client and install vpn inside that virtual environment – Vishwa – 2019-09-24T09:23:00.873
Good question, good topic. I would suggest to move to Security SE. Welcome to SU – usr-local-ΕΨΗΕΛΩΝ – 2019-09-24T11:26:17.443
8
The client has installed a VPN
-> readThe client has touched my machine
-> ergo the client has potentially control over your machine. And could be reading my comment here – usr-local-ΕΨΗΕΛΩΝ – 2019-09-24T11:28:58.697@CaldeiraG Way oversimplified. I have an OpenVPN connection to work and my routing tables in Windows are set up in such a way that the OpenVPN connection is only used for very specific IP ranges. It just depends on how the whole thing is set up. – Voo – 2019-09-24T13:39:24.123
@Voo all the answers here explain my comment. It depends how the VPN is configured. – CaldeiraG – 2019-09-24T13:44:13.593
1@CaldeiraG Hence why a simple "yes" is wrong. – Voo – 2019-09-24T13:46:14.507
@Voo i made that comment on the first revision of the question (first question). I replied on the comment as yes, soon after, grawity posted a really good answer on that. While you can configure your VPN to only specify " very specific IP ranges" most of them are by default routing all the traffic. – CaldeiraG – 2019-09-24T13:52:50.597
Comments are not specified to answer anything complex, there is 3 answers already doing the job. – CaldeiraG – 2019-09-24T13:53:50.623
@Vishwa excellent suggestion - one VM per client as required. – Criggie – 2019-09-24T19:33:24.210
6@Voo: The OP says that the VPN was installed by the client. This at least hints at the fact that the client had administrative access to the machine for at least a short while. If that is true, this means the machine should be considered compromised and nuked from orbit. Rule #0 of InfoSec: if someone had, even if for a very brief moment, physical access or administrative to your machine, it is no longer your machine. – Jörg W Mittag – 2019-09-24T20:26:17.273
2@Jörg Sure that's the paranoid answer which works for everything. But then: By that argument everybody whose computer is not air gapped must be considered compromised as well (I'll take the bet that there's been a zero day exploit discovered since after you plugged your PC in). You always have to consider your threat vectors and "intentionally malicious client" wouldn't worry me personally in most circumstances (unintentionally stupid configuration on the other hand? Very likely). – Voo – 2019-09-25T08:06:47.100