This is not strictly true, you can either run it outside or inside of the vpn, the trick is getting the VPN_OUTPUT_PORT correct, i run reader on the default bridge and prowlarr is inside a shared vpn network, here is the magic, from my setup:-
Keep in mind prowlarr communicates with reader, thus the port is defined for VPN_OUTPUT_PORTS