An option is to set up WireGuard vpn as well couple it with your internal DNS for all those services, and nginx proxy manager to grab certs which you’ll need for hosting Bitwarden/vaultwarden.
443/80 get opened and pointed to nginx which has acl only allowing internal access, then whatever port you choose for WireGuard. On your phone setup the WireGuard app for on demand access once you’re not on your home wifi and job done.