I would expect the VPN to support access to the RAC servers' public/static IPs, virtual IPs, and SCAN IPs.
In addition, a VPN client needs to be able to resolve the hostnames for these IPs, to the relevant IPs.
It turns out the problem is at the network level. Each remote RAC server was granted permission thru an encrypt map ACL. Oracle Support suggested to merge all those ACLs into one using subnet and it did solved the problem.
A strange thing: I replicated both situations on my network with separate ACLs and merged ACL and both worked. The only difference is my replicated network has no RAC servers so I was thinking it might relate to the RAC configurations.