At the moment Roon requires that all components (Core, Control, Output) be on the same LAN.
@brian mentioned some of the issues arising from port forwarding in this post.
The devs have indicated that distant access is on the roadmap and the proposed solution is unlikely to require a VPN.