diff --git a/dev-docs/howto/vpn/helm/README.md b/dev-docs/howto/vpn/helm/README.md
index 08b25e4020..1e8e3d11d3 100644
--- a/dev-docs/howto/vpn/helm/README.md
+++ b/dev-docs/howto/vpn/helm/README.md
@@ -48,6 +48,7 @@ The service IP range is handed to a transparent proxy running in the VPN fronten
 * IPs are NATed, so the Constellation pods won't see the real on-prem IPs.
 * NetworkPolicy can't be applied selectively to the on-prem ranges.
 * No connectivity from Constellation to on-prem workloads.
+* No connectivity from on-prem workloads to host network pods (e.g. k8s api server). The reason for this is currently unknown.
 
 ## Alternatives