Yes, it is configured to be a member of the domain but I log on locally rather than to the domain.

Yes, VPNUser is a domain user. I have configured it's properties (in ADUC) "Dial-in" tab to allow access, hence I can create the tunnel.

BTW, I chose to log on locally because that's what I'd envisage doing in real life. If I'm at home, I log on locally, connect to the remote server via the VPN tunnel and access remote resources. I'm surprised that I'm asked to authenticate when I try to access the shared folder. When I've entered the details on the second occasion, I can read/write the shared folder.