/r/Zerotier or /r/Tailscale
with the caveat that this entails installing a application on the client device that accesses the server & whitelist it - so workable if you’re accessing your server using your own phone/laptop, not so much on a random company PC or your friends.
If you want ‘random’ externals accessing your server, you’ll have to VPN out to a third party server that forwards ports, or host the entire thing in the cloud.
But why? Opening one incoming port is not an issue if you only allow connections from the VPS in the firewall on that port. Keeping a 24/7 tunnel up is certainly possible, but it adds another layer of complexity/reliability.