However, I’d prefer not to open ports at home
But why? Opening one incoming port is not an issue if you only allow connections from the VPS in the firewall on that port. Keeping a 24/7 tunnel up is certainly possible, but it adds another layer of complexity/reliability.
2a01:4ff:1f0:c2f8::/64 is the whole subnet, your server will have one (or more) addresses in that subnet. This could be 2a01:4ff:1f0:c2f8::1, but could also be a randomly generated suffix.