Why not WireGuard? WireGuard + SNAT (port forwarding on the VPS) + DNAT (route the packets back) does the same thing, and it's faster than using SSH to do HTTP reverse proxy.
You can also have public IPv6 address on all your LAN computers, and just open the firewall when needed. :D Even simpler.
Or even assign random unique public IPv6 address to your computer per individual customer, and listen on that address. That way, other customers will not accidentally hit the endpoints you don't want them to when demoing an app.
The same can be done for any other exposure of services on your LAN.
First, setup a pair of tunnels. There are multiple tutorials doing this. You could check Arch Linux Wiki of how to. On my setup, I assigned a pair of /31 addresses to each side just for the internal communication.
Then, if you want to use IPv4 NAT, set up SNAT and DNAT. I'm taking Linux's iptables for an example:
on the VPS:
iptables -t nat -A PREROUTING -d <VPS Public IP>/32 -p tcp --dport port -j DNAT --to-destination <IP of another side of the WireGuard tunnel>
iptables -t nat -A POSTROUTING -o <VPS Internet facing NIC> -j MASQUERADE
The first statement sets SNAT on IPv4 TCP (UDP is also possible) on a specified port. All packets going into this machine (dst = VPS public IP) will go into the other side of your WireGuard tunnel. -d <VPS Public IP>/32 makes sure that the packets forwarding to the VPN side won't get NATed.
If you need multiple ports or protocols, just duplicate this line.
The second statement sets DNAT on the VPS. It makes the packets from your VPN side goes to the outside (sorry I'm not an expert in networking principals so that's my understanding).
On your local side, you just set up the tunnel and set your machine's default gateway to your VPS's tunnel IP address. Make sure you add a static route to your VPS's public address (WireGuard Endpoint) if you are connecting WireGuard using an IPv4 endpoint or it will get routed to your tunnel and you will disconnect.
I also sometimes setup IPv6 tunnels without NAT. On the VPS I just setup a WireGuard interface with /64 and assign each peer a /128. No NAT is needed for this case.