diff --git a/dev-docs/howto/vpn/helm/README.md b/dev-docs/howto/vpn/helm/README.md index 08b25e4020..20d628a39c 100644 --- a/dev-docs/howto/vpn/helm/README.md +++ b/dev-docs/howto/vpn/helm/README.md @@ -26,12 +26,6 @@ Ask CoreDNS about its own service IP: dig +notcp @10.96.0.10 kube-dns.kube-system.svc.cluster.local ``` -Ask the Kubernetes API server about its wellbeing: - -```sh -curl --insecure https://10.96.0.1:6443/healthz -``` - ## Architecture The VPN server is deployed as a `StatefulSet` to the cluster. It hosts the VPN frontend component, which is responsible for relaying traffic between the pod and the on-prem network, and the routing components that provide access to Constellation resources. The frontend supports IPSec and Wireguard. @@ -48,6 +42,7 @@ The service IP range is handed to a transparent proxy running in the VPN fronten * IPs are NATed, so the Constellation pods won't see the real on-prem IPs. * NetworkPolicy can't be applied selectively to the on-prem ranges. * No connectivity from Constellation to on-prem workloads. +* No connectivity from on-prem workloads to host network pods (e.g. k8s api server). The reason for this is currently unknown. ## Alternatives
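Review bot: The first hunk drops the API-server health check from the "connectivity checks" section without telling the reader why, so the README now silently loses a check that earlier revisions recommended. Since the second hunk documents that host-network pods such as the API server are unreachable over the VPN, consider replacing the removed block with a one-line pointer to that limitation (e.g. "The Kubernetes API server is not reachable through the VPN, see Limitations") instead of deleting it outright; otherwise a reader who remembers the old `curl --insecure https://10.96.0.1:6443/healthz` step has no way to tell whether it failing is a bug or expected.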
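Review bot: In the second hunk, the added bullet "No connectivity from on-prem workloads to host network pods (e.g. k8s api server). The reason for this is currently unknown." should reference a tracking issue rather than leave the open question in a user-facing README, so the sentence can be removed when the cause is found. Two smaller points in the same line: the document elsewhere writes "Kubernetes API server" (see the removed hunk), so "k8s api server" should match, and it would help to state the observable symptom (what the on-prem client sees when it tries, e.g. a timeout versus a reset) so that users can distinguish this known limitation from a misconfiguration of the transparent proxy or NAT rules described above.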