What kind of firewall do you have? (Not on the VM, though something similar might work there also)
I use OPNsense and have an allow rule for the specific IP and port my VPN uses from that VM’s IP. Then a block-everything rule from the VM IP after the allow.
I can connect to the VPN no problem; updates and everything work through the VPN. When it goes down, it tries to connect normally and fails.
DNS can be a problem when trying to connect to the VPN, so make sure to use the IP.
A Pi will not be powerful enough to run Plex. For one person with direct play maybe, but I’d suggest a Lenovo Tiny or something like that. An old desktop would be fine too.
If you want to transcode 4K or have a lot of users, a desktop + video card is recommended.
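The allow-then-block rule order described in the firewall reply above, modelled as an added example (not code from the thread, and not OPNsense's own rule format). It assumes first-match rule evaluation and a later LAN-wide allow rule; every address and port is a constructed sample value.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values (documentation address ranges, hypothetical port).
VM, VPN_SERVER, VPN_PORT = "192.0.2.50", "198.51.100.7", 51820
LAN, LAN_DNS, WEB = "192.0.2.0/24", "192.0.2.1", "203.0.113.10"

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network in CIDR form
    dst: str = "0.0.0.0/0"       # destination network in CIDR form
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def evaluate(rules, src, dst, proto, dport):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"

ALLOW_VPN = Rule("pass", VM + "/32", VPN_SERVER + "/32", "udp", VPN_PORT)
BLOCK_VM = Rule("block", VM + "/32")
ALLOW_LAN = Rule("pass", LAN)    # assumed general rule for the rest of the LAN

KILL_SWITCH = [ALLOW_VPN, BLOCK_VM, ALLOW_LAN]

def leak_report(rules):
    """Evaluate the packets that matter for a VPN-only VM against a rule list."""
    probes = {
        "vm_to_vpn": (VM, VPN_SERVER, "udp", VPN_PORT),
        "vm_dns": (VM, LAN_DNS, "udp", 53),      # why the VPN needs an IP, not a name
        "vm_direct_web": (VM, WEB, "tcp", 443),  # traffic when the tunnel is down
        "other_host_web": ("192.0.2.60", WEB, "tcp", 443),
    }
    return {name: evaluate(rules, *pkt) for name, pkt in probes.items()}

if __name__ == "__main__":
    for name, rules in [("kill switch", KILL_SWITCH),
                        ("block first", [BLOCK_VM, ALLOW_VPN, ALLOW_LAN]),
                        ("no block", [ALLOW_VPN, ALLOW_LAN])]:
        print(name, leak_report(rules))
```

With the block placed first the VM cannot reach the VPN at all, and with no block rule the VM falls through to the LAN rule and reaches the internet directly when the tunnel is down.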