I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range.
With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?...), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.
And you can access any device from your VPN in your LAN.
I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range. With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?...), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.
And you can access any device from your VPN in your LAN.