VPN as a temporary layer of security?

I have a startup working on Django app, that will be processing sensitive personal and financial information. We’re just finalizing a prototype of the product (no paying clients, no investors), so we’re under-staffed on a limited budget.

Our product is a B2B tool, the first users of the prototype will be just a few employees in 2 companies. As a temporary security measure, I am considering setting up a VPN for them and making the production servers inaccessible for public.

It was a pain in the ass to set up for me – OpenVPN server, routing, internal DNS, now HTTPS (not really needed but browses give warnings to the end user). It looks like it will be even more pain to maintain it.

Is a VPN something you would actually do to increase security of an application? Or maybe I’m overthinking and it’s generally safe to host Django apps in public (there is no open sign-up, only a login form is really public).

Can you recommend a step-by-step guide / checklist that I should go through before releasing a Django app to public?