I need your help to sort this out!

The situation:
- A BM 3.7 sp3 server on Netware 6.0 sp3, which is also Master Server of the
- The server has two NIC's: one serves the private interface (
mask FF.FF.FF.0), the other serves the public interface (aaa.bbb.ccc.ddd)
- Dynamic Only NAT enabled on the public interface
- A VPN Tunnel interface has been configured (192.168..70.2 mask
FF.FF.FF.0), as requested by VPNCFG
- No Slave Servers at the moment; in the future, they will belong to the
same LAN (192.168.0.x mask FF.FF.FF.0)
- VPN Client workstation can connect over the Internet through an ISP and
authenticate to the server; login starts and never finishes; can ping all
the servers in the LAN and no other machine

The problem:
- What else should be done in order to login to the Master Server?

I have read many messages and TID's on this subject, but I confess I got
somewhat confused.
I have grasped the idea that some NATting involving the Tunnel address is
required, but I think I need some expert's advice.

Thank you in advance!