Personally i use wireguard protocol but using PiVPN installed directly on the Raspberry (not a container) that i use for Docker services. Yes, it required an open port on router and (for me) a DDNS that update my dynamic ip.
You can try Cloudflare tunneling, i read an article some days ago that explain how is more reliable than DuckDNS (a DDNS service) in maintaining the connection to the VPN BUT you will need to buy a domain for it.
My 2 cent, try Tailscale:
- is free (at least for the first 100 devices that you connect)
- you DON'T need to open any port on the router
- the configuration is simple enough
- if you have concern on the privacy of tunneling your data on someone else server, you can try to self-host it (the self-hosted version is called HeadScale and all the app of Tailscale are compatible with it, you had to change only the pointer to your server)
Contabo is doing great discount for Black Friday just now, with no setup fee (for both VPS and VDS) and 1 tb ssd (for dedicated server)