There’s an internal ip address for the VPN server, say 4.3.2.1, you point the http dns record to that address.
The VPN server has 2 addresses by definition, an internal address and an external, public one that you connect the VPN to. Make sure the webserver only exposes itself on the private address, either by configuration (nginx/apache listen address) or by firewall (iptables -A input -j DROP)