Ok, after some digging around and some tests, I think I found the solution. Can you try adding this rule to Network → Firewall → Custom Rules:
- iptables -t nat -I POSTROUTING -m tcp -p tcp -d 192.168.1.42 --dport 5900 -j MASQUERADE
At least in my tests, the end device didn't respond to connections to 5900 from the VPN until I added masquerading. Either this or add a route on VNC to the VPN subnet. Not sure what the system is, but if it's Linux, you can add the necessary route like this:
- ip route add 10.8.0.0/24 via 192.168.1.1
(Replace 192.168.1.1 with the router's LAN IP address if it was changed from default.)
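Added example, not part of the original post: a check of which way the VNC host would send its replies, run over `ip route show` text, to show why either fix works. It assumes one possible cause, namely that the VNC host's default gateway is some other device (the hypothetical 192.168.1.254); the route tables and the VPN client address 10.8.0.6 are constructed. With masquerading, the VNC host sees the router's LAN address as the peer, so its logs no longer show which VPN client connected; the static route keeps the real client address visible.

```python
import ipaddress

# Constructed `ip route show` output for the VNC host (192.168.1.42).
# Assumption: its default gateway is NOT the VPN router 192.168.1.1.
ROUTES_BEFORE = """\
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.42
"""
# Same table after `ip route add 10.8.0.0/24 via 192.168.1.1`.
ROUTES_AFTER = ROUTES_BEFORE + "10.8.0.0/24 via 192.168.1.1 dev eth0\n"


def parse_routes(text):
    """Return [(network, gateway_or_None)] from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types this sketch does not handle
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, gw))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: gateway IP, "on-link", or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0])
    return gw or "on-link"


def reply_reaches_vpn(route_text, peer_ip, router="192.168.1.1"):
    """True if the VNC host hands its reply for peer_ip to the VPN router."""
    return next_hop(parse_routes(route_text), peer_ip) == router


if __name__ == "__main__":
    print("no fix     :", reply_reaches_vpn(ROUTES_BEFORE, "10.8.0.6"))
    print("static route:", reply_reaches_vpn(ROUTES_AFTER, "10.8.0.6"))
    # With MASQUERADE the peer the VNC host sees is the router itself.
    print("masquerade :", next_hop(parse_routes(ROUTES_BEFORE), "192.168.1.1"))
```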