Regarding Lets Encrypt you don’t your server doesn’t need to be accessible from the internet if you use the DNS-01 challenge. Caddy with the caddy-dns plugin for your provider can do that automatically for you.

Either use the sftp command, it also supports the -J option, or use SSH tunneling. For example here I bind the homelab port 4533 to my local port 8080.

$ ssh -L 8080:vpn-homelab-ip:4533 user@vps-ip
(user@vps) $

I can now open a new shell and run:

$ curl http://localhost:8080/
<a href="/app/">Found</a>.

You could also do it this way:

$ ssh -L 8080:localhost:4533 user@vpn-homelab-ip -J user@vps-ip
(user@homelab) $

According to the Pangolin docs it supports raw TCP and UDP connections.

For SSH you can also try to use the VPS as a jump host like this:

$ ssh user@vpn-homelab-ip -J user@vps-ip