I’m not sure if I understand the question correctly. In a distributed setup, the master site uses livestatus to connect to the slave site. The default destination port on the slave is 6557/tcp, but can be configured via omd config on the slave. So if the master can connect to the slave directly, then you don’t need a VPN.
Since Version 1.6, this livestatus connection can optionally be encrypted. With new sites, encryption is enabled by default while for existing sites you have to enable it manually.
Yes, besides the livestatus connection, the master also connects to your slave on http(s) port. If this port can’t be reached directly, then you could use some method like VPN, stunnel, ssh tunnel, even reverse ssh tunnel, … to allow that connection.
And of course, you can use firewall, packet filter, ACLs, tcp wrapper, … any method you like … to allow https access to the slave only from the master, not from “the WWW” 
As always, it depends on the network setup and the security requirements. For example, see this discussion for hints on establishing the connection in reverse (from slave to master).