Imagine your computer is a big block of flats and your applications are all people who live in the building.

Mail sent to the building address alone isn't going to reach the intended recipient, because the postman doesn't know what flat to post it to. So they need additional information such as 'Flat 2C'

That's the basic concept of ports. It's basically additional addressing information to allow your computer to direct internet traffic to the correct applications.

When an application is actively listening on a port, it means that they are keeping an eye out for messages addressed to them, as designated by the port number. While an application is sending or receiving messages using a given port number, that port number is considered 'open'.

Now, all sorts of applications do all sorts of things. Some are for the public to use and some that are useful within trusted circles, but can be abused by malicious people if anyone in the world can send messages to it. Thus, we have a firewall, which acts as a gatekeeper. A firewall can 'block' a port, denying access to a given group of people, or 'unblock' it, allowing access.

VPNs are a totally different thing. They are literally middlemen for your internet traffic. Instead of directly posting a message to somewhere and receiving a direct reply back, imagine you flew out to Italy to use a post box there and receive replies from there.

To add to your analogy if i may, the firewall is kind of like a security guard or doorman at the building entrance. All mail has to go through him first and if something is addressed to a closed flat (port) he simply doesnt let it get delivered.