There are a number of ways to accomplish this - but if it was me, I'd opt for a solution using IPTables.
You could create a simple rule to allow from an IPSet (where you can define a list of acceptable networks: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/22) and block all others.
This approach takes load off the webserver and puts it onto the kernel and the network stack, where it's way more efficient.
Another approach would be to set up the webserver to ONLY listen on the VPN network device. That device only listening on the VPN network and not the public network would negate any requirement to block addresses, as the only addresses on the VPN network would be VPN clients.
Just some suggestions; there are more ways to do this - but these two would be the most efficient (least processor time required).
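The first suggestion, written out as an added example (not code from the answer above): the script builds an IPSet of the allowed networks the answer names and a dedicated iptables chain that accepts new web connections only from that set and drops the rest. The set name, chain name and web ports 80/443 are assumed values; it only applies the rules when run as root with `--apply`, otherwise it just prints the generated `ipset restore` / `iptables-restore` input.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes ipset and iptables are
# installed; the set/chain names and ports below are assumptions, and the
# network list is the one given in the answer, used here as constructed input.

ALLOWED_NETS="192.168.0.0/16 10.0.0.0/8 172.16.0.0/22"
WEB_PORTS="80,443"      # assumed web listener ports; adjust to the real ones
SET_NAME="web_allow"    # assumed ipset name
CHAIN="WEB_ALLOW"       # assumed iptables chain name

# Emit 'ipset restore' input that (re)creates and refills the set in one go.
build_ipset() {
    echo "create ${SET_NAME} hash:net family inet -exist"
    echo "flush ${SET_NAME}"
    for net in ${ALLOWED_NETS}; do
        echo "add ${SET_NAME} ${net}"
    done
}

# Emit 'iptables-restore' input. Only NEW connections to the web ports are sent
# to the allow chain, so SSH/VPN management traffic is never touched by it.
build_iptables() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A ${CHAIN} -m set --match-set ${SET_NAME} src -j ACCEPT
-A ${CHAIN} -j DROP
-I INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -j ${CHAIN}
COMMIT
EOF
}

# Load the set first (the iptables rule references it), then the rules.
# 'iptables-restore -n' keeps existing chains instead of flushing them.
apply_rules() {
    build_ipset    | ipset restore
    build_iptables | iptables-restore -n
}

if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    apply_rules
else
    build_ipset
    build_iptables
fi
```

Hosts already in the set match on the source address only, so add the VPN client range to ALLOWED_NETS before applying or the web ports become unreachable over the VPN as well.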