I'm a bit nervous about jumping in here but I don't see that what Chris wants to achieve is particularly unreasonable: remote access to the webserver on a Linux box that is "somewhere with an Internet connection", making as few assumptions as possible about that Internet connection, and doing it securely. I frequently need something similar myself[1], although with different criteria.
As an example, I have one system on a site which is connected via a site network which connects to the Internet via satellite. Ie (Internet) -> (Satellite Router) -> (Site Router) -> (My Draytek router) -> My kit. Setting up port forwarding through there is not "fun", if indeed it is even possible, and it would be a solution that only worked there and not "in general". Generally 3G connections in my experience are not routable - usually I get a 10.x.x.x "external" IP address from the 3G provider which I have zero chance of port forwarding to.
OpenVPN seems to be the best FOSS solution for the general case (getting "remote box with Internet connection" to connect to a known VPN server). Limiting that so that Chris can go through it to the web server on the remote box, whilst preventing anyone with physical access to that remote box from getting through to anything else on the VPN, may or may not be easy but it's beyond me. That said so is getting OpenVPN working in anything beyond simple test cases (I'm sure that's me not OpenVPN).
[1] The best solution I've found is free beer only: https://secure.logmein.com/labs/#HamachiforLinux - but I don't think it would do what Chris needs security-wise otherwise I'd have mentioned it before.