My next question would have been the one
@onur_can asked, which would have only led to further confusion when you answered as you did.
Did you install access or did someone from your IT group do it? My question is mainly based on the way it was installed. I am trying to remember what options for Access installation could cause a network "tap" when you launch with one of the "template" DBs that come up when you open Access directly. If you knew how it was installed, you might know if any options were designated as "run from network" as opposed to "run from disk."
Some IT shops get picky about running certain tools, so this might not be possible in your environment. If you have the ability to do this, there is a place to look that might be useful - and might not. Be sure that you can see the clock that is in the task bar (or if you have a "gadget", the time-of-day clock). Launch your slow DB. Note the time. Now exit.
For Win10, you need to click the lower-left window icon, then click the "gear" icon. In the "Find a setting" box, type "control panel". Find "System and Security" then get to "Administrative Tools." Open the Event Viewer. With funky Win10 there is no guarantee what comes up by default but look on the left "navigation" panel. Expand "Windows Logs" and you will see some number of log categories. I see 5 but it is possible based on other things you would have installed that you would see a different number.
One at a time, open the various logs and scroll through them for the time at which you launched your slow DB. They are time-sorted so it should be easy to find the right time frame. You need to find if there are any entries within 15 seconds of when you launched your slow DB. You are interested as much in seeing errors as you are in seeing a flurry of activity behind the scenes. It might be slow going to read through some events, but you might get some feel for what is going on. AND, since you say this doesn't happen if you have the VPN disconnected, you might want to view the logs a second time by repeating the launch without the VPN and see if you can tell the difference.
To my way of thinking, this is probably some sort of behind-the-scenes authentication but I'm guessing and freely admit I'm drawing blanks as to the specifics of what is being done. The admin logs MIGHT help decide that.