I have a small homelab that is not open to the internet. I am considering the following setup. Please let me know if there are any glaring issues or if I am overcomplicating things.
- I want to set up a reverse proxy in the cloud that will also act as a certificate authority. (I want to limit who can access the server to a small group of people.)
- I will set up a VPN from a Raspberry Pi in my home to the reverse proxy in the cloud.
- The traffic will pass from the Raspberry Pi VPN to my homelab.

I am not sure if I need the Raspberry Pi. I like the cloud as the reverse proxy as I do not have a static IP. I would just get a cheap VPS from Hetzner or something like that.


Yup, Cloudflare should work.
I personally set up a VPS w/ a WireGuard tunnel, with a reverse proxy at the VPS that sends traffic to connected WireGuard clients. My exact setup is something like this:
This could easily be adjusted to only have HAProxy work over the WireGuard interface so there are no public addresses to worry about.
But I used Tailscale for a while to solve this problem, and Cloudflare tunnels would work as well. Lots of options to work around stupid ISP policies…
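
Added example, not part of the original reply and not the poster's configuration: an HAProxy configuration on the VPS that listens only on the WireGuard address, with the public listener it replaces shown commented out. The tunnel addresses (10.8.0.1 for the VPS, 10.8.0.2 for the homelab peer), port 443 and the names `homelab_in`, `homelab` and `homelab1` are assumptions.

```haproxy
# Assumed WireGuard layout (not from the thread):
#   VPS end of the tunnel = 10.8.0.1, homelab peer = 10.8.0.2

global
    log /dev/log local0

defaults
    mode    tcp            # pass TLS through untouched to the homelab
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Public variant, shown for comparison: listens on every address of the
# VPS, including its public IP.
# frontend homelab_in
#     bind *:443
#     default_backend homelab

# WireGuard-only variant: the listener exists only on the tunnel address,
# so it is reachable only by peers connected to the tunnel.
frontend homelab_in
    bind 10.8.0.1:443
    default_backend homelab

backend homelab
    # Forward through the tunnel to the homelab peer (assumed address).
    server homelab1 10.8.0.2:443 check
```

HAProxy cannot bind to the tunnel address until the WireGuard interface is up, so it has to start after the tunnel. Running `ss -tln` on the VPS afterwards should show port 443 listening on 10.8.0.1 only, not on `0.0.0.0` or `*`.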