The only way to do it with consumer routers (ie gateways) is to let the NAT function protect you. You would plug the WAN port of this router to the Virgin media router lan port. Your stuff will then be as safe as anything behind a router on the internet...the rest of your housemates will be considered internet to your machines. If your were to use a commercial switch you could apply filter rules between the ports. Few if any consumer routers will let you apply rules for traffic BETWEEN the LAN ports.
Now comes the big problem VPN. Some VPN has trouble with some routers. You at the very minimum must be able to port forward to your stuff on the virgin box. Mostly you are going to have the issue that only 1 person can have the vpn ports forwarded. Next you must port forward a second time on your router to get to the real machine. Still after all this some forms of VPN will not pass though a router correctly. Your best bet is if you can get at ssl/tls type connection these use tcp and look like https sessions.
Now if you were to use a external VPN server and open HTTPS sessions with it then you could connect to that service and it would connect the tunnels. Things like teamviewer and gotomypc work that way. There are other vpn services that also work that way. You need no port forwarding to make this type of vpn work.