VPN + DNS-Enabler + Wide Area Bonjour = no success

Hi,

What I am trying to do is broadcast the Bonjour services of my home network such as file sharing, iTunes Home Sharing and the like through my VPN connection. Since I am not too savvy with networking-related topics, I bought "DNS Enabler Snow" since it advertises providing wide-area Bonjour with a minimum of setup hassle.

Now I am only getting so far that I can see my machine at home through VPN under "Network" in OS X. But I cannot connect. It always says "Connection Failed". Neither can I see my home iTunes library.

In the "Domains" section of DNS Enabler I entered:
Domain Name: <my DynDNS Domain>
Primary DNS Server: <my DynDNS Domain>
Host Name: <my DynDNS Domain>
IP address: <the local IP address of the machine running DNS Enabler>

In the bonjour section of DNS Enabler I entered:
Service Type: afpovertcp.tcp
Service Name: File Sharing
Host: <my DynDNS Domain>
Port: 584
TXT: path=/

Can anyone give me a hint about what might be wrong with this configuration?

Thank you!
Florian

MacBook Pro 15" 2.16, Mac OS X (10.6.2)

Posted on Feb 10, 2010 6:39 AM

6 replies

Feb 10, 2010 10:51 AM in response to Schwabing

DNS Enabler is a neat way to rough in a basic BIND configuration, but it is no substitute for knowing what you're doing. Its Bonjour support is really limited to a list of possible service types--the rest is completely up to you, and in the case of wide-area Bonjour, more trouble than it's worth since it doesn't work very well.

If you're connecting through a VPN, you shouldn't really need to do any of this at all.

Feb 10, 2010 3:17 PM in response to Schwabing

First iTunes - iTunes will only browse and register services in the local (i.e. ".local") domain. This domain only exists on local networks as it's substantiated by multicast-DNS. As multicast traffic won't traverse a VPN connection, iTunes sharing won't work in a Wide-Area setup. (Technically it is possible to proxy-register a service but it takes some mucking around).

On to the File Share - it showing up in Finder indicates that the DNS configuration is at least correct for browsing and registering that service. Not being able to connect to the service indicates that either a bad address has been entered for the service or that your NAT or firewall configuration is incorrect. Resolving this depends on your network topology. If you are establishing a VPN connection in to the network sharing the service, most likely you would want to enter the internal IP address of the machine sharing the service and not your DynDNS hostname as the service's address. On the other hand, if you're not using a VPN you probably need to check that your firewall/NAT configuration allows traffic on port 584 from your external IP to the IP of the machine hosting the service.

The advice above depends on your network topology - if it doesn't help you to get things working, please post back listing the IP addresses and domains involved. If you're not comfortable doing this, feel free to email me privately (see my website linked from my profile) if you'd like further assistance.

Feb 11, 2010 2:31 AM in response to 27 M AB/DL

Hi 27 M AB/DL.

Thank you for your reply. I agree that I seem to know too little about BIND configurations to be able to use DNS Enabler correctly. I will try to find a different solution to my problem. By the way, Teo Bernard, the developer of DNS Enabler, is the friendliest guy ever. He gave me a full refund on the software - no questions asked.

However, from my limited networking knowledge and my own experience I cannot agree that a VPN connection makes the whole topic of wide-area bonjour obsolete. Once the VPN connection is established, I can access all devices on my home network by typing in their local IP addresses. But neither typing in machine names (such as "macmini") nor any bonjour services work over VPN.

Thank you anyway - I will keep trying.

Feb 11, 2010 2:55 AM in response to AndrewTJ

Hi Andrew.

Thank you for your reply! My network topology includes a DynDNS domain and a VPN. The VPN server runs on my Internet router. When remote, I connect to my home network using the free software "IPSecuritas".

However, I am open to changing that setup, if necessary. What I like about the VPN is the security and that I don't have to think about opening ports in my router.

I checked your website "globalhostname.com". This is the exact solution to the wide-area file sharing issue with bonjour, isn't it? Can I become a beta tester? But you are saying iTunes home-sharing still will not work - that is too bad, since apparently others managed to make this work: http://www.macosxhints.com/article.php?story=20090915223636541

So maybe I have to switch to using HamachiX or OpenVPN. What I do not like about HamachiX is that apparently everyone involved needs to have the software running. And in order to make OpenVPN run on my internet router, I will have to go through installing custom firmware etc.

Would be great if you could share your opinion on the best solution with me.
Thanks & cheers!

Feb 11, 2010 5:26 PM in response to Schwabing

I think the problem with the current setup is the use of the DynDNS hostname for the AFP service's hostname. When you're connected via the VPN you are effectively on the same network and so connections attempted to the external IP recorded by the DynDNS hostname will fail as it's not possible to loop back (for want of a better description) through the router. If you add a new A-record to the zone that points to the machine's internal IP address and then change the service to point to the new record it should work via the VPN.

iTunes sharing won't work via this method as iTunes will only register and browse for services in the ".local" domain. The ".local" domain (a top-level domain like ".com") is only available via multicast-DNS. Multicast traffic as a general rule is not carried over a VPN (or the internet for that matter) as due to its broadcast nature it can quickly clog up and cripple a network.

Hamachi, unlike most VPN solutions, presents itself as a virtual network interface that can carry multicast traffic, which is why iTunes sharing works over a Hamachi connection. A cursory Google search tells me that multicast traffic can be carried over an OpenVPN connection with some additional configuration - your mileage might vary though.

Wide-Area Bonjour works by adding an additional domain to the system that software can then use for registering and browsing services. Unlike regular Bonjour, Wide-Area Bonjour works over the internet as it's based on traditional unicast DNS with a few extensions for updating records in realtime and NAT-PMP or UPnP (one or the other is in pretty much every router) for automatically setting up port-forwarding. If NAT-PMP or UPnP is not available, services can still be browsed but can not be registered (only services that can be accessed via the internet are advertised); it's for this reason that Wide-Area Bonjour won't work properly in concert with a VPN. Whilst most OS X software is written to just register and browse in whatever domains are available there are some like iTunes that only register in the ".local" domain.

You can find out more detailed information about these topics at http://multicastdns.org/ and http://dns-sd.org/. I'm happy to answer any further questions you might have either here or via email. If my Wide-Area Bonjour service sounds like a good fit for you, please drop me a note and I'll let you know when I open-up the service to new users again (slated for mid-March).

