incoming VPN with double nat

Hi all.
I have a rb2011 behind the NAT of a tplink VDSL router.

Right now I’ve opened ports for some surveillance cameras, but now I’ve also a home alarm with a mobile app and a small fileserver, but I don’t feel confident having too many devices that are “facing the outside”.

So I was thinking about an incoming VPN, to avoid many ports forwarding and dumb devices facing the outside network.
Am I wrong?

There are generic tutorials, but no one talks about doing a VPN “to go behind a NAT” … Do you have any idea?

If you want access to those devices only for yourself (or selected group of people, i.e. not everyone on internet), then VPN is good idea. Just choose the right type of VPN, configure it, forward required port(s) from TP-Link to RB and that’s it.