Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.
The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.
Such a setup would look like this:
______
_( )_ a +---------------+ b c +----------------+ d +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
(______) +---------------+ lan1 +----------------+ lan2 +--+
| e
+------------+
| web server |
+------------+
a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.
On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the providers router, but in the same subnet) You will also enable port forwarding of port 80 and 443 to your webserver.
c is the WAN interface of the internal router. Make sure that the WAn interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of the lan1 (the lan-side of the provider's router).
On the Internal router on labn2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.
An example on what this might mean for the subnets and IP addresses:
Provider router
WAN: 83.163.211.192 (as the provider gave me)
LAN: 192.168.178.1, mask 255.255.255.0
portforward: 80 and 443 to 192.168.178.10
Web server
IP address: 192.168.178.10
netmask: 255.255.255.0
def. gw: 192.168.178.1
Internal router:
WAN IP: 192.168.178.254
WAN mask: 255.255.255.0
WAN GW: 192.168.178.1
LAN iIP: 192.168.1.1
LAN mask 255.255.255.0
dhcp-enabled
You should note however, that creating a DMZ for your webserver still requires you to keep up with (security0) patches on the webserver, and keep a strict security attitude for every thing you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.