VLANs are only useful within a shared L2 infrastructure. VPN is (usually) L3, so you route into the VLANs from the VPN tunnel endpoint (and vice versa, for simplicity I’m referring to the in direction only). The destination address is the L3 subnet, located in a VLAN.
For security, you filter by combination of source address and destination subnet (or address) between the tunnel and the inter-VLAN router. Of course, that implies that you trust the far tunnel endpoint, ie. you can be sure that the source IP has not been spoofed. If that isn’t the case you either need to use other means of user identification or multiple tunnels for the various trust zones.
Routing needs to be consistent, so that all routers on each tunnel side know where to route all subnets. Set up static routes or use a routing protocol like OSPF. In your diagram, the L3 switch and the right-hand router need to know the route to “Remote Device”. In turn, Remote Device needs to have routes for 192.168.1.0/24, 192.168.10.0/24 and 192.168.20.0/24 pointing into the tunnel. Additionally, the tunnel needs to be able to transport these destination addresses.