

Technically you can NAT punch with WireGuard
It made them nervous for the same reason emulator devs don’t touch leaks with a ten-foot pole: giving the megacorp any reason to argue your clean house reimplementation is anything but clean is just asking for trouble.
WireGuard tunnels encrypt traffic, and you can add a pre-shared key for additional security, no?
A WireGuard peer would probably be better
With certbot there’s probably a plugin to do it automatically, but if you just want to get something working right now you can run the following to manually run a DNS challenge against your chosen domain names and get a cert for any specified. This will expire in ~3 months and you’ll need to do it again, so I’d recommend throwing it in a cron job and finding the applicable certbot-dns-dnsprovider plugin that will make it run without your input. Once you have it working you can extract the certs from /etc/letsencrypt/live on most systems. Just be aware that the files there are going to be symlinks so you’ll want to copy them before tarballing them to move to other machines.

certbot --preferred-challenges dns --manual certonly -d '*.mydomain.tld' -d mydomain.tld -d '*.local.mydomain.tld'
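
Added example, not part of the original comment: one way to handle the symlink caveat above is to let tar dereference the links itself and to write the archive owner-only, since it contains privkey.pem. The function names and the demo tree are hypothetical; the demo tree is constructed to mimic certbot's live/ to archive/ symlink layout so the script runs without a real certificate.

```shell
#!/bin/sh
# Bundle one certbot lineage for transfer to another machine.
# $1 = lineage name (directory under live/), $2 = output tarball,
# $3 = live root (assumed default: the path named in the comment above).
bundle_lineage() {
    lineage=$1; out=$2; live_root=${3:-/etc/letsencrypt/live}
    [ -d "$live_root/$lineage" ] || { echo "no lineage: $lineage" >&2; return 1; }
    # The archive will hold the private key, so create it mode 0600.
    ( umask 077
      # -h follows symlinks, so the tarball stores the PEM contents
      # rather than links that dangle on the destination host.
      tar -chf "$out" -C "$live_root" "$lineage" )
}

# Count symlink entries in a tarball (0 means it is safe to unpack elsewhere).
count_symlinks_in() {
    tar -tvf "$1" | grep -c '^l' || true
}

# Constructed sample tree: live/<name>/x.pem -> ../../archive/<name>/x1.pem
make_demo_tree() {
    root=$1
    mkdir -p "$root/archive/mydomain.tld" "$root/live/mydomain.tld"
    for f in cert chain fullchain privkey; do
        echo "constructed placeholder for $f" > "$root/archive/mydomain.tld/${f}1.pem"
        ln -s "../../archive/mydomain.tld/${f}1.pem" "$root/live/mydomain.tld/$f.pem"
    done
}
```

Move the resulting tarball over an encrypted channel and delete it afterwards, because it is a copy of the private key.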