hmmm I see, well there have been some cool questions about APIs, you can search them.
hashnode.com/post/what-are-some-best-practices-fo…
hashnode.com/post/what-are-some-common-mistakesan…
hashnode.com/post/what-is-your-process-for-design…
about the VPN, I would go there after you've mastered the other thing, unless you know an admin who can help you, because this can be pretty frustrating if you're not familiar with networking.
the MIM thing is the classic OAUTH model where you basically take the
sha256(user-api-token + content + secret salt)
or if you wanna be "more" secure you split the content in 2 parts and add the salt in the middle so it's more complex, but this is not really needed.
so you send the token and the hash in the HTTP header. On the API side you check if the token is valid and if the sha256(user-api-token + content + secret salt) hash is still the same (so you know no one altered the content)..... I would just take an OAuth implementation, there are loads of them out there.
I hope those are good starting points :)
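The token-plus-hash flow described in the reply above, written out as an added example (not code from the original post): the client sends its API token and sha256(token + content + salt) in headers, and the API recomputes the hash over the body it actually received and compares. The token store, header names and salt value are constructed placeholders; the constant-time comparison is an added practitioner detail.

```python
import hashlib
import hmac

# Constructed sample data. In the scheme described above the salt is a
# shared secret between the client and the API server; it never travels
# on the wire, only the token and the resulting hash do.
SECRET_SALT = b"constructed-secret-salt-placeholder"
VALID_TOKENS = {"tok-alice-123", "tok-bob-456"}


def compute_signature(token: str, content: bytes, salt: bytes) -> str:
    """sha256(user-api-token + content + secret salt), hex-encoded."""
    return hashlib.sha256(token.encode() + content + salt).hexdigest()


def build_request(token: str, content: bytes) -> dict:
    """Client side: the token and the hash travel in HTTP headers."""
    return {
        "headers": {
            "X-Api-Token": token,
            "X-Signature": compute_signature(token, content, SECRET_SALT),
        },
        "body": content,
    }


def verify_request(request: dict) -> bool:
    """API side: reject unknown tokens, then recompute the hash over the
    body that actually arrived and compare it with the header value."""
    token = request["headers"].get("X-Api-Token", "")
    sent_sig = request["headers"].get("X-Signature", "")
    if token not in VALID_TOKENS:
        return False
    expected = compute_signature(token, request["body"], SECRET_SALT)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, sent_sig)


def tampered_copy(request: dict, new_body: bytes) -> dict:
    """A request whose body was altered in transit but whose headers were
    left untouched; verification must fail for it."""
    return {"headers": dict(request["headers"]), "body": new_body}
```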