You have several options. One is to use ssh's built-in port forwarding mechanism. For example, adding -L 1235:remotehost:1234
creates a local TCP listening socket on port 1235. When your local application connects to that port, the connection will be forwarded (securely via ssh) to port 1234 on remotehost.
To create a VPN, I suggest using openswan or libreswan to simplify the configuration. Here's what a configuration looks like:
https://libreswan.org/wiki/Host_to_host_VPN
With a VPN, there need not be a central "server," as you suggest. Instead, it's just a set of encrypted tunnels between peer systems.
You can also set up a VPN manually with the "ip tunnel" and "ip xfrm" commands to set up point-to-point links between your systems that are protected by IPsec.