If you get a reverse proxy set up, all you need is ports 80 and 443; configure it and it’ll expose the services that you want to be exposed through the subdomain. Personally, I’ve got a Traefik service sitting on my media server and anything I want to expose goes through it. It has the details for the connection to Cloudflare, and so long as I direct it properly both on the container side and in Traefik, it’ll run as expected. The idea is, if you go to, say, jellyfin.example.com, Cloudflare will direct that at your reverse proxy (nginx in this case), which then redirects to the right machine/container because you entered from “jellyfin”.
The VPN, gluetun, is another container that will have the login details to your provider.
I’m still working my way through the self-hosted rabbit hole myself; however, I used a combination of Google and this site: https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/ (the entire site, not just the specific article linked), as well as https://trash-guides.info/
https://www.smarthomebeginner.com/traefik-docker-compose-guide-2024/
Updated version of the guide
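
The setup described in the thread, sketched as a Docker Compose file. This is an added example, not part of the comments or the linked guides: only Traefik publishes ports 80 and 443, and the Jellyfin container is reached solely through a hostname rule. The image tags, the hostname `jellyfin.example.com` and the network name `proxy` are assumptions.

```yaml
# Added example (not from the thread). Image tags, hostname and the
# network name "proxy" are assumptions.
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Containers are ignored unless they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Send plain HTTP on port 80 to HTTPS on port 443.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      # The only two ports published on the host.
      - "80:80"
      - "443:443"
    volumes:
      # Traefik reads container labels through the Docker API.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

  jellyfin:
    image: jellyfin/jellyfin
    # No "ports:" section: reachable only through Traefik on the proxy network.
    networks:
      - proxy
    labels:
      - traefik.enable=true
      # Requests whose Host header matches are routed to this container.
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.routers.jellyfin.tls=true
      # Jellyfin's default HTTP port inside the container.
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096

networks:
  proxy:
    name: proxy
```

No certificate resolver is configured here, so Traefik serves its default self-signed certificate until one is added.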