This is splitting nits, but since your AirPort Extreme is running in bridge mode, it's not acting as a router. IMO, it'd be more correct to say "So I have an AirPort Extreme as my WiFi access point" (not router), since your Comcast box is actually doing all of the routing for your network.
VPN doesn't have to run on the router. Since you have a Synology NAS... Synology makes it very easy to install and configure OpenVPN (as well as reverse proxy, if interested). Synology also regularly updates those apps (along with issuing system patches), so IMO it's one of the safer platforms to use for these features. This will require port-forwarding (one port for OpenVPN, and another port if you're interested in a reverse proxy) from the Comcast router over to the Synology box, so as long as you're able to do that, this shouldn't be too difficult.