Hardened NextCloud Deployment [Possible with my Scenario?]

I’m trying to figure out if I can accomplish a hardened Nextcloud deployment using VPN to circumnavigate ISP’s CGN and a lack of a private IP. I’ve spent hours researching and haven’t gotten anywhere.

Objective
● Deploy Nextcloud 13, hardened, and accessible at domain: DOMAIN.com
● I don’t care how I get there (likely Ubuntu VM), but of course pf is heavily involved.
● I have two issues: (a) I can’t connect the internal Nextcloud IP to DOMAIN.com and (b) I can’t use certbot to obtain SSL
Scenario / Constraints
● ISP
○ Single provider available to all units in condo building, cost = HOA dues pass through
○ Static IPs offered @ $20/month (which I can’t bring myself to do for a number of reasons)
○ Ethernet to structured media enclosure, no modem to place in bridge mode, etc
○ CGN being used
● VPN
○ Provider = TorGuard / Port Forwards offered if port > 2048
○ OVPN Client #1 = TG_Static = Shared Public IP w/ port forward
○ OVPN Client #2 = TG_Dynamic = All other traffic
○ Why?
■ TG_Static was set up as a test case / future use to facilitate the objective
■ Port 32400 Forwarded via Torguard / pfSense Port Forward created / Test Case = Pass

Is what I’m trying to accomplish achievable? Items I’ve looked into, but I haven’t been able to piece everything together:

● Use VPN to bypass CGN (similar to Plex test case).
● VPN “443” Port Share (requires an option added to the VPN client and allows web server traffic to flow through to localhost:443). Haven’t been able to get this to work yet.
● I know Apache can be set to “listen” on a port other than 443. But I don’t think this allows the certbot script to succeed.
● ACME package. I have successfully edited DNS text record to achieve validation.
● Reverse proxy / HAproxy pf package. Unfamiliar.

As you already want/need to use an external service to get to your Nextcloud installation, you might be interested in Beame-insta-ssl, which is also available as a Nextcloud app:

https://apps.nextcloud.com/apps/beame_insta_ssl

In the $20 range you can already get the first dedicated servers, and certainly virtual servers, in a data center with a decent connection. VPN can be a solution if you want to run it at your place, but for decent speed you probably have to spend a few dollars per month anyway, so you could use a vserver as well. If your provider gives you IPv6, you could still use storage at home via external storage.

If it is just for the certificate, I think you can go through a DNS entry to verify that you are the owner.

Ports: If you want to use Nextcloud on your mobile and other clients from different locations, I would only use the default SSL ports, because many free Wi-Fi connections (perhaps some mobile providers as well) do not allow connections other than on the standard HTTP(S) ports.
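The DNS-based validation that both the original post (ACME package, editing a DNS TXT record) and the reply above refer to is ACME's DNS-01 challenge: the only thing published is a hash derived from the challenge token and the account key, so no key material ever appears in DNS. The following is an added example, not code from the thread or from any ACME client; it computes that TXT value per RFC 8555 §8.4 and RFC 7638 and checks a published record against it, using a constructed token and constructed EC key coordinates.

```python
import base64
import hashlib
import json
from typing import Iterable

# Members that RFC 7638 includes in the thumbprint, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted keys, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 §8.1: token '.' thumbprint of the account public key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 §8.4: TXT value is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest())


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain.rstrip('.')}"


def txt_record_matches(published: Iterable[str], expected: str) -> bool:
    """Pre-flight check: does any published TXT string equal the expected value?"""
    return any(record.strip('"') == expected for record in published)


# Constructed sample inputs: not a real challenge token or account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}

if __name__ == "__main__":
    print(dns01_record_name("DOMAIN.com"), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Stale `_acme-challenge` records from earlier attempts are a common cause of failed validations, so the matching check is worth running before asking the CA to verify.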