Personally I would do it the other way round. Provide an MQTT broker in the cloud and connect to it from your local system. It is much easier to make an MQTT broker secure than it is to make your network secure.
To clarify that, I am suggesting running Node-RED locally to fetch the data from the OPC UA server and publish it to MQTT in the cloud, which is then picked up by the Node-RED server also in the cloud.
You said a VPN in the router, so that will depend entirely on whether the router you have or get has a VPN capability, and how secure and regularly updated it is.
If you are looking at setting up a VPN in a server in your network then don't do it unless you are confident that you understand the risks and are confident you can address them.
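As an added illustration of what "making the MQTT broker secure" means for the cloud-side broker in the arrangement above (this is not from the post or from the Node-RED project), the following is a Mosquitto configuration, assuming Eclipse Mosquitto is the broker; the file paths, certificate names and client identities are placeholders. It shows the weak default beside the hardened settings: TLS only, no anonymous access, client certificates as identity, and an ACL that lets the local publisher write only and the cloud Node-RED read only.

```conf
# mosquitto.conf  (added example; assumes Eclipse Mosquitto, paths/names are placeholders)
#
# Weak default, shown for contrast and NOT to be used on an internet-facing broker:
#   listener 1883
#   allow_anonymous true
# -> plaintext, and anyone who finds the port can publish or subscribe anywhere.

# Hardened cloud-side broker
per_listener_settings true

listener 8883 0.0.0.0
protocol mqtt

# TLS: broker certificate issued by your own CA (or a public CA)
cafile      /etc/mosquitto/certs/ca.crt
certfile    /etc/mosquitto/certs/broker.crt
keyfile     /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Every client must present a certificate signed by cafile above;
# the certificate CN becomes the MQTT username, so no shared passwords travel over the wire
require_certificate        true
use_identity_as_username   true
allow_anonymous            false

# Per-identity topic restrictions live in a separate file
acl_file /etc/mosquitto/acl

# ---------------------------------------------------------------------------
# /etc/mosquitto/acl   (separate file; identities are the certificate CNs)
# A client that matches no rule gets no access at all.
#
# Local Node-RED next to the OPC UA server: publish only, and only under plant/
user plant-publisher
topic write plant/#

# Cloud Node-RED: subscribe only, to the same tree
user cloud-nodered
topic read plant/#
```

With this in place the local machine needs only an outbound connection to port 8883; nothing on the local network has to accept inbound connections and no VPN extends that network into the cloud. In Node-RED the same split is expressed in the MQTT broker config node by enabling TLS and supplying the client certificate and key for each side. If a publisher's certificate is ever exposed, the ACL limits the damage to writing under `plant/`, and revoking or rotating that one certificate cuts it off without touching the other client.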
There is a lot we don't know here and this is not a security forum.
You need to be thinking about that local network, who it belongs to, who manages it, what valuable information it may be connected to and so on. Simply extending a network (which is what a VPN does) to/from the cloud is generally a really bad idea unless you have given serious thought to the consequences.
Much better, for example, in many cases to create a specific REST API or, if needing constant updates, to use MQTT as the intermediary, as Colin says.