"2.5 Performance" is a long section with various ways your app might violate this clause. In no part of it does it specifically mention VPNs. So you're going to have to a bit more specific here.
I can assume that your app falls under this part of 2.5.1:
> Apps should use APIs and frameworks for their intended purposes and indicate that integration in their app description. For example, the HomeKit framework should provide home automation services; and HealthKit should be used for health and fitness purposes and integrate with the Health app.
So you're running a VPN using the NEVPNManager API, and I'm guessing your app does something such as monitor traffic or speed or something like that by routing all traffic through a VPN so you can "listen in" to get your reports.
Apart from appealing the ruling, I think maybe if you could be more specific as to what your app is collecting and why, someone here might help with figuring out an alternative way of doing that so that you can get your app back in the store.
I can assume that your app falls under this part of 2.5.1:
> Apps should use APIs and frameworks for their intended purposes and indicate that integration in their app description. For example, the HomeKit framework should provide home automation services; and HealthKit should be used for health and fitness purposes and integrate with the Health app.
So you're running a VPN using the NEVPNManager API, and I'm guessing your app does something such as monitor traffic or speed or something like that by routing all traffic through a VPN so you can "listen in" to get your reports.
Apart from appealing the ruling, I think maybe if you could be more specific as to what your app is collecting and why, someone here might help with figuring out an alternative way of doing that so that you can get your app back in the store.