My experience is many VPNs just don't like TFTP... usually something about MTU size, which many like to reduce to 576 or 900 bytes for some reason instead of the standard ~1500. This is one of the reasons we have gone to using Meraki almost exclusively, since it has no issues with TFTP for site-to-site VPNs (I am sure there are others, but this was just what we selected years ago).
Usually the best bet is, like Tech Electronics said, to take the phone to the main location so that it can update its firmware locally, then take the phone back to the remote site; when it boots up it will just check and see its firmware is current and skip the TFTP process. A good solution until you upgrade the controller next time, at least.
The other option, if you have proper port forwarding at the 5000 location, is to put the phone in TW mode and point it to the public IP; that can work better for TFTP.