AWS: Subnets vs Security groups for setting up a VPC
First Question - Security
Security groups are a firewall that runs on the instance hypervisor. Network ACLs are a firewall that runs on the network. You can use either, or both. In theory a NACL reduces host load, but it's likely negligable.
Security groups are stateful, so return traffic is automatically allowed. NACLs require firewall rules for each direction to be specified, including ephemeral ports. Security groups are therefore easier to use.
In your case I suggest you add a security group rule that allows access from your /32 IP for every protocol you require. The IP goes into the rightmost column.
Second Question - VPN
OpenVPN doesn't change the IP address of anything, it can be thought of as a gateway. Your computer connects to the EC2 instance, when then has any access that the EC2 instance has. If we know what you were trying to achieve with a VPN we may be able to give better advice.
Given your updated requirements, I would probably use an EC2 server in a public subnet as a VPN terminator and NAT instance, and a private instance EC2 in a private subnet. Your NACLs and security groups would be set up to allow outgoing internet access via the NAT but deny incoming connections other than from the VPN instance.
I'm not sure if a single instance can be VPN terminator and NAT. I suspect it can.