So you don’t want to port-forward on your home router or have Cloudflare decrypt all your traffic? Check out Towonel.
Most open source Cloudflare Tunnel alternatives involve setting up a VPS, terminating TLS there on a reverse proxy, then setting up a WireGuard tunnel to your server at home.
Towonel is different: it does not decrypt your traffic on the VPS and you can easily share one, so not every self-hoster has to buy and maintain a VPS.
Check it out!
Mastodon link: https://gts.erwanleboucher.dev/@eleboucher/statuses/01KS4YNA2SYMSP0FSKJVNJA155



Not exactly a tutorial, but I use SNI routing + TLS passthrough with Caddy-L4 (and previously Traefik), and wrote/collect some stuff about it over the years:
https://theorangeone.net/posts/wireguard-haproxy-gateway/. From TheOrangeOne, involves TCP routing with HAProxy and plain WireGuard. Most likely what you want.
https://muoi.me/~stratself/articles/tailscale-notes/#the-public-website. Me using Traefik + Tailscale to route TCP to the backend
https://jdedev.org/projects/tophomelabwork/docs/solutions/traefik/traefik/. Another Traefik example
https://muoi.me/~stratself/articles/the-cost-of-tls-passthrough/#scenario-1-passthrough-encryption. Same but for Caddy-L4 and involves SNI routing. If you want plain TCP routing just do
    {
        layer4 {
            # Listen on TCP 443 and forward the raw stream; TLS is not terminated here
            tcp/:443 {
                route {
                    proxy tcp/127.0.0.1:538
                }
            }
        }
    }