Ah OK, I think I misunderstood what you were attempting to do.... I thought you were hosting your own VPN service on your RPI and allowing connections from the Internet by port forwarding through your router, then connecting to that VPN from another device.... my mistake.
So, let me check if I've understood this correctly now, are you:
a) connecting to an external VPN provider out on the Internet with your RPI and then on a separate device connecting to the same external VPN provider and trying to access services hosted on your RPI using the 'private' VPN IP address (10.187.1.6) of your RPI?
b) connecting to an external VPN provider out on the Internet with your RPI and then on a separate device trying to access services hosted on your RPI using the RPI's 'public' VPN IP address (126.96.36.199)?
I have some follow up questions/comments, depending on which scenario above is correct....
If a's correct:
Does you VPN provider allow connected clients to actually communicate with each other? I'm guessing they probably don't as (AFAIK) most VPN providers are generally there just to mask your external IP address by NAT'ing your client connections to one of their public IP addresses. It may be that your VPN provider isolates clients from each other, thus preventing you from accessing the RPI even though you're connected to the same VPN.
If b's correct:
I would guess your VPN provider won't be accepting incoming traffic to their public IP (188.8.131.52) and almost definately not on the well known VNC/SFTP ports.
As for why some things work and don't work:
Clarifying what access works:
with VPN NOT RUNNING - VNC and SFTP both work using the ISP assigned IP number via successful router port forwarding.
That's good, at least it proves that VNC/SFTP are configured and working, also a good starting point!
with VPN RUNNING - I can't reach the RPI by using either the ISP assigned number or the VPN's IP number.
I've covered why I think you wouldn't be able to do this using the VPN's IP address, however, I think this might be failing when using your public ISP assigned IP address because of the routing table changes that the VPN client makes on the RPI which, if I've read it correctly, tell your RPI to send all network packets (except those destined for 184.108.40.206) to the VPN adapter, therefore when a connection request comes to your RPI having been forwarded by your router (and therefore having a public IP address as the source address), the RPI's response is sent via the VPN adapter instead of eth0.
This could be confirmed by posting the output of the "route" command before and after connecting to the VPN on the RPI to show the state of the routing table.
regardless of whether the VPN is running I can always successfully connect to VNC across the LAN using 192.168.0.202
I suspect this works (and I'm totalling guessing here) because the network packets come from the same subnet as the RPI (so have the 192.168.x.x address as the source address), as opposed to when they are forwarded from your router where they have a public IP address as the source. I'm guessing that the kernel treats these differently when creating the response packets and selecting the interface to use (I won't go in to more detail on this because I've already harped on for long enough now!).