We want to expose a web-app over the Internet. The obvious solution is to make it available over HTTP with TLS and RBAC.
Would locking access down even further through the use of a VPN enhance security, and if so, how? As I understand it, a VPN would certainly add hassle to use, as the client would need a VPN client, and concurrent network activity might be constrained when connected to the VPN.
The solution greatly depends on your authentication method and the user base. VPN-only access is simpler to architect; however, you may be exposing more of your internal network than you want to for these app users, and you WILL hear endless complaints from the users who now have to jump through at least 2 more hoops to connect and authenticate to the VPN.
You have to first figure out where you will be locating the server:
Then if it's for internal users only vs. external membership. There are many options for integrating with existing user databases, using Kerberos, NTLM, PKI, internal app auth (database), or web-server (.htpass/LDAP).
If it's for internal employees then Managed PKI through Verisign or Entrust might be worth looking into. This allows you to manage and deploy security certificates for Public/Private key authentication. You can put the server in a reverse proxy (mod_security) to monitor and filter out Internet attacks, then authenticate via the certificate (example). It's pretty expensive though.
If it's for public consumption, then standard HTTPS + LDAP is often the most economical choice. You can sync the LDAP roles database nightly etc. to avoid having to manage multiple sets of user accounts.
We actually chose to stick with the VPN for the first few phases of our web-app. We had enough control over user laptops to be able to support the overhead and maintain the security. Ultimately we'll go with managed PKI along with AD/LDAP sync for RBAC. Good luck.
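The reverse proxy with client-certificate authentication described in the answer above, sketched as an Apache httpd virtual host. This is an added example, not part of the original answer; the hostname, file paths and backend address are placeholders, and it assumes mod_ssl, mod_proxy_http, mod_headers and mod_security2 are loaded with a rule set configured elsewhere.

```apache
# Added example: TLS-terminating reverse proxy that only admits clients
# holding a certificate issued by the organisation's CA.
# All names, paths and addresses below are placeholders.
<VirtualHost *:443>
    ServerName app.example.com

    # Server-side TLS
    SSLEngine on
    SSLCertificateFile      /etc/httpd/tls/app.example.com.crt
    SSLCertificateKeyFile   /etc/httpd/tls/app.example.com.key

    # Client-certificate authentication: the request is refused unless the
    # client presents a certificate that chains to this CA bundle.
    SSLCACertificateFile    /etc/httpd/tls/client-ca.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # Reject certificates the CA has revoked (a lost laptop, a leaver).
    SSLCARevocationFile     /etc/httpd/tls/client-ca.crl
    SSLCARevocationCheck    chain

    # mod_security inspects requests before they reach the application.
    # The rules themselves are assumed to be included in the main config.
    SecRuleEngine On

    # Hand the verified identity to the backend for its RBAC decision.
    # Unset first so a client cannot supply these headers itself.
    RequestHeader unset X-Client-DN
    RequestHeader unset X-Client-Verify
    RequestHeader set   X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set   X-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # The application listens only on an internal address.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend should accept connections only from the proxy, since it trusts the `X-Client-DN` header for identity.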
I don't think a VPN will add anything positive to your app's security.