nginx.conf

        server {
                listen 4443 ssl; # to be change dlater

                location / {
                        proxy_pass https://10.00.0.1:8443/; # put your WG tunnel address
                }

                ssl_certificate /etc/letsencrypt/live/home.mydomain.com/fullchain.pem; 
                ssl_certificate_key /etc/letsencrypt/live/home.mydomain.com/privkey.pem; 
                
                # add any more certs for other domains                
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        }

Needs to be shared between the internal server and the external server. You cannot use certbot on both, because ports 80&443 of external are redirected to the internal and certbot on external would not work.

So, on internal zip che certs after any update, edit crontab like:

47 5 * * * /etc/letsencrypt/certbot-renew.sh && (cd /etc && tar cJf /home/user/certs-copy.tar.xy letsencrypt) &>> /root/certbot.log
31 16 * * * /etc/letsencrypt/certbot-renew.sh && (cd /etc && tar cJf /home/user/certs-copy.tar.xy letsencrypt) &>> /root/certbot.log

On external, copy that file over and replace certs, again in crontab:

10 6 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xy /root/certs-copy.tar.xy && cd /etc &&  tar xvf /root/certs-copy.tar.xy && chown root:root -R letsencrypt && /etc/init.d/nginx restart
50 16 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xy /root/certs-copy.tar.xy && cd /etc &&  tar xvf /root/certs-copy.tar.xy && chown root:root -R letsencrypt && /etc/init.d/nginx restart

Of course, add the external root SSH public key to user file /home/use/.ssh/authorized_keys for passwordless access.