Have a look at the Let's Encrypt DNS challenge. I created a wildcard certificate for a subdomain I own and use it for all my internal domains. A great way to get HTTPS on non-public networks.
HTTP over VPN is still weaker than HTTPS over VPN. For example HTTPS also handles authentication which HTTP doesn't. If you're outside of your VPN, a MitM could redirect you to http://my-internal-domain.example and resolve its DNS to an attacker's website. Your browser would not understand the difference between this and your actual website in your VPN. It would send all the site's cookies to the evil website, and if Service Workers[1] worked over HTTP, this would actually be a way to completely compromise an internal HTTP website. So it's important not to whitelist such HTTP sites as if they're secure.
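The cookie leak described in the comment above, as an added example that is not part of the thread: it uses only the standard-library cookie jar, with constructed Set-Cookie headers standing in for what the internal site would send, and the thread's placeholder hostname. Because the attacker only needs to answer for the same name over plain http://, every cookie the site set without the Secure attribute is handed over; the Secure one is not, and an unrelated name such as evil.example (assumed here) gets nothing, which is why DNS control is the pivot.

```python
# Added example (not from the thread): why a non-Secure cookie set by an
# internal HTTPS site is sent to whoever answers for the same name over
# plain http://. Standard library only; runs offline.
import http.cookiejar
import urllib.request
from email.message import Message
from typing import Iterable, Set

# The thread's placeholder hostname, as the origin the user logged in to.
INTERNAL_ORIGIN = "https://my-internal-domain.example/"

# Constructed Set-Cookie headers standing in for the real site's response.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/",        # no Secure attribute: also sent over http
    "admin=s3cr3t; Path=/; Secure",  # Secure: only ever sent over https
]


class _CannedResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values: Iterable[str]):
        self._headers = Message()
        for value in set_cookie_values:
            # Message.__setitem__ appends, so repeated Set-Cookie headers survive.
            self._headers["Set-Cookie"] = value

    def info(self) -> Message:
        return self._headers


def jar_after_visiting_internal_site(
    set_cookie_values: Iterable[str] = SET_COOKIE_HEADERS,
) -> http.cookiejar.CookieJar:
    """Simulate the browser having logged in to the real site over HTTPS."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(INTERNAL_ORIGIN)
    jar.extract_cookies(_CannedResponse(set_cookie_values), request)
    return jar


def cookie_names_sent_to(jar: http.cookiejar.CookieJar, url: str) -> Set[str]:
    """Names of the cookies the jar would attach to a request for `url`.

    The jar applies the same rules a browser does here: a cookie is only
    attached when the host matches and, for Secure cookies, when the
    scheme is https.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if header is None:
        return set()
    return {part.split("=", 1)[0].strip() for part in header.split(";")}


if __name__ == "__main__":
    jar = jar_after_visiting_internal_site()
    # Attacker outside the VPN controls DNS for the name and serves plain HTTP.
    for url in ("http://my-internal-domain.example/",
                "https://my-internal-domain.example/",
                "http://evil.example/"):
        print(f"{url:40} gets {sorted(cookie_names_sent_to(jar, url))}")
```

The practical check this suggests: every cookie an internal HTTPS site sets should carry Secure (and ideally the `__Host-` prefix), and the host should send HSTS so the browser refuses the http:// redirect in the first place.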
This is generally the best way, as it allows you to use things like client certificates or some other form of authentication to enforce AAA, and reduces the need to use a VPN (which itself increases security, as it reduces the number of holes in your network).
Of course it's still insecure from your proxy to the device, but that's a more manageable risk.
Also note that with the DNS-01 challenge you can add multiple wildcard domains under one certificate. There is a limit on the total number of domains in a certificate, but I still find it interesting and helpful.
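A check for the two comments above about wildcard certificates via DNS-01, as an added example that is not from the thread or from Let's Encrypt: a wildcard in a SAN covers exactly one label, so `*.internal.example.com` covers `git.internal.example.com` but not `a.b.internal.example.com` or the bare `internal.example.com`, which is usually why a second wildcard or an extra name ends up on the same certificate. The code reports which of your internal hostnames a proposed set of SANs covers, then builds the certbot argv for a manual DNS-01 request, refusing more names than Let's Encrypt's documented limit of 100 per certificate. The hostnames and the "at least two labels after the wildcard" rule are assumptions made here; a real setup would swap `--manual` for the DNS plugin of your provider.

```python
# Added example (not from the thread): does a set of SAN entries, wildcards
# included, cover the internal hostnames you want behind one certificate?
from typing import Dict, List, Optional

# Let's Encrypt's documented per-certificate limit on names.
LETSENCRYPT_MAX_NAMES = 100


def san_matches(pattern: str, hostname: str) -> bool:
    """True if SAN entry `pattern` covers `hostname` under the wildcard rules
    browsers apply (RFC 6125 section 6.4.3): comparison is case-insensitive,
    a wildcard must be the whole left-most label, there is only one, and it
    matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial ('f*.x') or multiple wildcards: not accepted
    if len(p_labels) < 3:
        return False  # '*.example' style: conservative rule assumed here
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def coverage_report(sans: List[str], hostnames: List[str]) -> Dict[str, Optional[str]]:
    """Map each wanted hostname to the first SAN that covers it, or None."""
    return {
        host: next((san for san in sans if san_matches(san, host)), None)
        for host in hostnames
    }


def uncovered(sans: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames that no SAN covers, in the order given."""
    return [h for h, san in coverage_report(sans, hostnames).items() if san is None]


def certbot_dns01_argv(sans: List[str]) -> List[str]:
    """argv for a manual DNS-01 request putting all `sans` on one certificate.

    Raises ValueError when the request is empty or exceeds Let's Encrypt's
    name limit, in which case the names have to be split across certificates.
    """
    if not sans:
        raise ValueError("no names requested")
    if len(sans) > LETSENCRYPT_MAX_NAMES:
        raise ValueError(
            f"{len(sans)} names exceeds the limit of {LETSENCRYPT_MAX_NAMES}; "
            "split them across several certificates"
        )
    argv = ["certbot", "certonly", "--manual", "--preferred-challenges", "dns"]
    for san in sans:
        argv += ["-d", san]
    return argv


if __name__ == "__main__":
    # Constructed internal hostnames and SANs (assumptions, not from the thread).
    wanted = [
        "git.internal.example.com",
        "wiki.internal.example.com",
        "a.b.internal.example.com",
        "internal.example.com",
        "nas.lab.example.com",
    ]
    sans = ["*.internal.example.com", "*.lab.example.com"]
    for host, san in coverage_report(sans, wanted).items():
        print(f"{host:30} -> {san or 'NOT COVERED'}")
    # Add the bare apex and a deeper wildcard to close the gaps, then request.
    sans += ["internal.example.com", "*.b.internal.example.com"]
    print(" ".join(certbot_dns01_argv(sans)))
```

Run it before requesting a certificate: anything printed as NOT COVERED needs its own SAN (another wildcard one level deeper, or the exact name), and a certificate that would carry more than 100 names has to be split.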
[1] https://developer.mozilla.org/en-US/docs/Web/API/Service_Wor...