If you're the only one accessing those services, then why use a VPN instead of port mapping those services to localhost of the server, and then forwarding that localhost port to your client machine's localhost port via SSH?
I am in the same situation as the grandparent. I don't even expose the SSH port to the outside. The only port open is the UDP port of WireGuard, which allows only the packets signed by the correct key. Everything works perfectly, no issues with NAT, I even give my mobile devices an IPv6 that my ISP allocates.
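As an added illustration of the setup this comment describes (not the commenter's actual config), here is a minimal wg-quick pair: the server exposes a single UDP port, SSH is reachable only over the tunnel, and the mobile peer gets both a private IPv4 and a routable IPv6 from an ISP-delegated prefix. Key material, the interface name, the port number, the `2001:db8::/64` prefix and the nftables table/chain names are all placeholders assumed for the example; only a peer whose public key is listed is accepted, everything else hitting the port is silently dropped by WireGuard itself.

```ini
# /etc/wireguard/wg0.conf on the server (example config, not from the thread)
[Interface]
# Placeholder key: generate with `wg genkey | tee server.key | wg pubkey`
PrivateKey = <server-private-key>
Address    = 10.8.0.1/24, 2001:db8:0:1::1/64   # 2001:db8::/64 stands in for the ISP-delegated prefix
ListenPort = 51820                             # the ONLY port the host accepts from the Internet
# Assumes an `inet filter input` chain already exists with a default drop policy.
# Everything else (SSH included) is only reachable via the tunnel address range.
PostUp   = nft add rule inet filter input udp dport 51820 accept
PostUp   = nft add rule inet filter input iifname "wg0" tcp dport 22 accept
PostDown = nft flush chain inet filter input

[Peer]
# Mobile device; packets that do not authenticate against this key are dropped
PublicKey  = <phone-public-key>
AllowedIPs = 10.8.0.2/32, 2001:db8:0:1::2/128

# --- client side: phone/laptop profile (example) ---
# [Interface]
# PrivateKey = <phone-private-key>
# Address    = 10.8.0.2/32, 2001:db8:0:1::2/128
# DNS        = 10.8.0.1
#
# [Peer]
# PublicKey           = <server-public-key>
# Endpoint            = vpn.example.org:51820
# AllowedIPs          = 10.8.0.0/24, 2001:db8:0:1::/64   # split tunnel: only the home network
# PersistentKeepalive = 25                              # keeps the NAT mapping alive on mobile networks
```

A quick check that the host really exposes nothing else: from outside the tunnel, `ss -lunp` on the server should list only the WireGuard socket on 51820, and `nft list chain inet filter input` should show the two accept rules above followed by the chain's drop policy. To reach SSH you connect to `10.8.0.1` (or the `2001:db8:0:1::1` address) over the tunnel, never to the public IP.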
Tunneling through SSH is significantly worse because you encapsulate a TCP connection inside a TCP connection and it's userspace.
I have also set up WireGuard, but I changed my model and only use it to troubleshoot.
The reason is privacy. I use a VPN to obfuscate my IP, which means I would have to VPN my entire network. Unfortunately this has proven surprisingly difficult to do properly, meaning with appropriate performance (MTU), IPv6, no blocking (exit IP reputation), etc.
Hence I switched to Argo/cloudflare tunnels for pretty much everything.