You don't want to forward all traffic. You can do SNAT port forwards across the VPN, but that requires the clients in your LAN to use the VPS as their gateway (I do this for a few services that I can't run through a proxy; its clunky but works well).
Typically, you'll want to proxy requests to your services rather than forwarding traffic.
- Setup Wireguard or OpenVPN on the VPS as a server VPN. Allow whatever listener port in the firewall (I use
ufw
on Debian, but you can use iptables if you want) - Install HAProxy or Nginx (or Nginx Proxy Manager) on the VPS to act as your frotnend. Those will listen on ports 80/443 and proxy requests to your backend servers. They'll also be responsible for SSL termination, and your public-facing certs will be set there.
- Point your DNS records for your services to the VPS's public IPv4
- On your LAN, configure your router to connect to the VPS as a VPN client and route into your LAN from the VPN subnet -or- install the VPN client (WG/OVPN) on each host
- In your VPS's reverse proxy (HAProxy, etc), set the backend server address and port to the VPN address of your host
I've done this since ~2013 (before CF tunnels were even a product) and has worked great.
My original use case was to setup direct connectivity between a Raspberry PI with a 3G dongle with a server a home on satellite internet. Both ends of that were behind CG-NAT, so this was the solution I came up with.