Oh interesting, so you only drop a public key onto the VPS, and you forward TLS to the VM at home instead of terminating on the VPS. That's a neat idea.
So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.
If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.
For plain HTTP, of course all traffic would be easily intercepted and readable.
For HTTPS, I guess an attacker might compromise the software and IP tables configuration on the VPS and run a MITM attack to decrypt it.
So yes, I am putting a bit of trust on the VPS, for my specific use-case, the most sensitive information they'd be able to access if they went through the trouble of decrypting HTTPS, was getting access to my music-player :)
I am thinking though, that at that point.. well, even if I hosted at home on my own ISP directly, I still need to put that same amount of trust on my ISP, since they could MITM me as well I think.
So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.