Subnets for organization and VLANs for security.
When you say that you only want some users to be able to hit your webserver, do you intend to limit by IP address, or are you going to put some devices in one VLAN and others in another and limit access by your VLAN intrarouting rules?
What is your goal with Squid? What do you need a VPN for? For endpoints to access the web server remotely? What you’re actually trying to accomplish will determine if it will help or not.