keat63 wrote:
If I add a firewall rule allowing VPN to LAN, then RDP works.

That implies that some prior firewall rule (maybe the "default" rule) was blocking it...
... or perhaps your Router has some other type of VPN-access block set by default (I've seen it, for example, as part of the isolation settings for WiFi clients).

Which router is it :?:

keat63 wrote:
I expected that once a VPN was established, then the remote client was as good as if it were in the building ?

Not quite. Some things (broadcast-based applications) tend not to work at all over Draytek VPNs. It's something that's implicit in 'routing', but other brands include 'helpers' or proxies to alleviate this.

(I'm thinking of things like DLNA, or I.O.T. mobile apps - anything which is trying to communicate over your network, but doesn't allow you to enter a target IP address, and relies on discovering it).

keat63 wrote:
The default rule is configured to block, so could this then block RDP even though the end user is connected.

Makes sense to me

I've not tried using the "Default Block Rule" in anger - when I tried it, a billion things stopped working and I realised I'd need to add firewall rules for them all - so I backed out of it. In general of course, things from the outside-world are blocked by virtue of NAT anyway.

If you don't implicitly trust your VPN users, you could add your own 'Default block for VPN users' rule to the Firewall. You can probably identify VPN users by IP address range (or static addresses).