After more tests, it appears that the zone is partially applied:
$ nmcli -f NAME,DEVICES,ZONE con status
NOM PÉRIPHÉRIQUES ZONE
WIFI wlp3s0 home
VPN wlp3s0 work
but
$ firewall-cmd --get-active-zones
home
interfaces: wlp3s0
When port 9000 is open in zone work only, telnet on port 9000 from the
other side of the VPN answers "no route to host".
When port 9000 is open in zone home only, telnet on port 9000 from the
other side of the VPN answers "no route to host".
When port 9000 is open in zone public (which is the default zone) only,
telnet on port 9000 from the other side of the VPN is OK.
As if the VPN was in fact in the default zone…
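The comparison made by hand in the message above, as an added example that is not part of the original post: it parses the output of the two commands and reports every connection whose NetworkManager zone is not the zone firewalld lists as active for its device. The function name zone_mismatches is hypothetical, the sample input is the output quoted in the post, and connection names are assumed to contain no spaces.

```shell
#!/usr/bin/env bash
# Constructed sample input: the two command outputs quoted in the post.
NM_SAMPLE='NOM PÉRIPHÉRIQUES ZONE
WIFI wlp3s0 home
VPN wlp3s0 work'
FW_SAMPLE='home
  interfaces: wlp3s0'

# zone_mismatches NM_TEXT FW_TEXT   (hypothetical helper name)
# Prints "NAME DEVICE ZONE" for each connection whose NetworkManager zone
# differs from the zone firewalld lists as active for that device.
# Assumes connection names contain no spaces, as in the post.
zone_mismatches() {
    printf '%s\n' "$1" | FW_TEXT="$2" awk '
    BEGIN {
        # Build device -> active zone from the firewall-cmd text.
        n = split(ENVIRON["FW_TEXT"], lines, "\n")
        for (i = 1; i <= n; i++) {
            line = lines[i]
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^sources:/) continue
            if (line ~ /^interfaces:/) {
                sub(/^interfaces:[ \t]*/, "", line)
                m = split(line, ifs, /[ \t]+/)
                for (j = 1; j <= m; j++) active[ifs[j]] = zone
            } else {
                zone = line
            }
        }
    }
    NR == 1 { next }   # header row; its text is localized, so skip by position
    NF >= 3 && active[$2] != $3 { print $1, $2, $3 }'
}

zone_mismatches "$NM_SAMPLE" "$FW_SAMPLE"   # prints: VPN wlp3s0 work
```

On a live system the two arguments would be the captured output of the nmcli and firewall-cmd commands shown in the post.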