You have to question the security of the VPN though. You also have to question the security of the router and its patch level. Then there are the complications with VPNs: IP address ranges, network address translation, public/private, internal, global, external. I know that your router will take care of this for you, mostly. Then every device you want to access this from has to have the VPN software installed with the correct keys etc.
A common-or-garden router will have known exploits, including in its VPN components. As there will be (potentially) millions of these devices out there, automated botnet scanners will be looking for them.
I do have an understanding of most of what is running on a Pi, and at start-up from default it's fairly light on processes and nothing on there concerns me greatly.
Using a firewall beyond your router is a paper screen; you still have to ultimately forward the port.
Apache (httpd) is fairly benign as long as you don't do anything stupid in its config and keep it updated.
If you run a telnet daemon and forward the port to it, all bets are off.
If you are really paranoid, then DMZ the Pi. Add it on a separate address range and put a firewall between it and your LAN. But really there is no need.
It also depends on what you are running on it. If you are running some form of controversial, activist, semi-illegal, aggravating or hacker/security blog then you might be a prime target for a specific attack. If you are running a hobby server that won't offend anyone and won't even get listed in Google searches then people have better things to hack.
Never, ever challenge hackers. They thrive on that: "You're secure? Really? Watch this."
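The two practical points in the post above, know exactly what the Pi is listening on before you forward anything (the telnet case), and if you DMZ it, stop it from initiating connections into the LAN, can be scripted. The following is an added example, not code from the original post or from any project it mentions. It parses `ss -tlnp` output (the sample is constructed, not captured from a real box), flags daemons that must never sit behind a port forward, and emits an nftables forward policy for the box that sits between the DMZ and the LAN. The DMZ subnet 10.10.10.0/24, the LAN subnet 192.168.1.0/24, the Pi's address 10.10.10.5 and the `NEVER_EXPOSE` port list are all assumptions for illustration.

```python
"""Audit a Pi's listening services and emit a DMZ firewall policy.

Added example, not from the original forum post. The `ss -tlnp` output
below is constructed; the DMZ/LAN subnets, host address and the set of
'never expose' ports are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output of `ss -tlnp` on a hypothetical Pi.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=512,fd=4))
LISTEN  0       511     [::]:80              [::]:*             users:(("apache2",pid=512,fd=5))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=401,fd=3))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=777,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=800,fd=20))
"""

# Cleartext or admin-only protocols that should never sit behind a port
# forward (assumed list; extend it for your own box).
NEVER_EXPOSE = {21: "ftp", 23: "telnet", 3306: "mysql", 5900: "vnc"}

# One LISTEN row: local address, port and (optionally) the process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def all_interfaces(self) -> bool:
        # Bound to every address: reachable through a router port forward.
        return self.addr in ("0.0.0.0", "[::]", "*")


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tlnp` output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3) or "?"))
    return listeners


def audit(listeners: list[Listener]) -> list[str]:
    """Flag daemons on all interfaces that must not be forwarded (the telnet case)."""
    findings = []
    for l in listeners:
        if l.all_interfaces and l.port in NEVER_EXPOSE:
            findings.append(
                f"port {l.port} ({NEVER_EXPOSE[l.port]}, {l.process}) listens on all "
                f"interfaces: stop the daemon, never forward it"
            )
    return findings


def forwardable_ports(listeners: list[Listener]) -> set[int]:
    """Ports that are reachable and acceptable to forward (loopback-only ones excluded)."""
    return {l.port for l in listeners if l.all_interfaces and l.port not in NEVER_EXPOSE}


def nft_dmz_ruleset(allowed_tcp: set[int], pi_addr: str = "10.10.10.5",
                    dmz_cidr: str = "10.10.10.0/24",
                    lan_cidr: str = "192.168.1.0/24") -> str:
    """nftables forward policy for the box between the DMZ and the LAN (assumed addresses).

    Forwarded connections may reach the Pi on allowed_tcp only; the Pi may
    reach the outside (updates) but never initiate into the LAN, so a
    compromised Pi cannot pivot inward. Rule order matters: the DMZ->LAN drop
    precedes the outbound accept.
    """
    ports = ", ".join(str(p) for p in sorted(allowed_tcp))
    return f"""\
table inet dmz {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr {dmz_cidr} ip daddr {lan_cidr} drop
    ip daddr {pi_addr} tcp dport {{ {ports} }} ct state new accept
    ip saddr {dmz_cidr} ip daddr != {lan_cidr} ct state new accept
  }}
}}
"""


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS)
    for finding in audit(found):
        print("WARNING:", finding)
    print(nft_dmz_ruleset(forwardable_ports(found)))
```

Run it against real output with `ss -tlnp | python3 audit.py` style plumbing by replacing `SAMPLE_SS` with `sys.stdin.read()`; the rules go on the firewall host, not on the Pi, because a host firewall on a compromised Pi is under the attacker's control.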