Uff. Well, you muddied =)
Option one - a proxy is raised on the NAS, for the entire NAS the main gateway is the far end of the VPN tunnel. According to this scheme, you connect to a proxy on the NAS, which sends all traffic to the tunnel, and then it depends on the tunnel settings.
Option two - a proxy is raised somewhere, you connect to the NAS on which port forwarding is made, to the same proxy.

And if you do this:
1. On a NAS with Ubuntu Server 14.04 installed, an openvpn client is configured to a remote server. Now all traffic from it is wrapped in a vpn tunnel.
2. On the working machine, run ssh in Socks-proxy mode:
habrahabr.ru/post/122445
We get the opportunity in the same browser to specify the local port to which ssh sock-proxy is forwarded as a proxy.

You asked and answered yourself =)
0. You just have a router at home, without any vpn-s.
1. Somewhere remotely there is a vpn server.
2. US is a VPN client for a remote server (through your regular router). All outgoing traffic from US to the Internet goes only to the VPN tunnel (the home network 192.168.0.0/24 is not touched).
3. A squid has been raised on US, the rules are allowed to serve your internal LAN.
4. On devices that require VPN access, you simply enter the NASA IP (proxy).
Of course, there are disadvantages:
In the VPN tunnel, you can send only applications that can work through a proxy, or all traffic from a specific device (for example, all phones can be sent through VPN by default). But we need to tweak a bit.
But if you take the information from your question, this will not be a minus.