Do you know what a false positive is?
You are assuming, because your VPN works [and I don't know how it would on the LAN, which is what you are saying], that RDP should work because VPN does.
Think about this a second. Can you bounce from your router's WAN port back to the local LAN?
Of course not.
The LAN packets would be dropped [if they made it to the WAN interface] since they would not be directed to the gateway.
Remember now that in routing the gateway is the choice of last resort. No one answers locally, so let's shove it out the gateway and hope someone answers. This is a basic of routing.
Have you tried your VPN from somewhere other than your LAN?
What happens if you do your RDP from IP instead of name?