Using a sing-box container would be easier, as it contains a built-in tunnel inbound.
I have built up a sing-box single-container setup for one of my customers successfully.
sing-box configuration snippet:
    "inbounds": [
      {
        "type": "tun",
        "tag": "tun-in",
        "interface_name": "tun0",
        "inet4_address": [
          "172.16.255.1/24"
        ],
        "inet4_route_exclude_address": [
          "192.168.0.0/16",
          "172.16.0.0/12"
        ],
        "mtu": 1500,
        "auto_route": true,
        "strict_route": true,
        "stack": "system",
        "sniff": false
      }
    ],
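A small review script for this kind of tun inbound, added here as an example and not part of the comment above or of sing-box itself: it loads the snippet (wrapped in a minimal config object so it parses as JSON) and reports which RFC 1918 ranges the `inet4_route_exclude_address` list does not keep out of the tunnel, plus whether `auto_route`/`strict_route` are set. The config object, function names and finding strings are this example's own assumptions.

```python
import ipaddress
import json

# Constructed sample: the tun inbound from the comment, wrapped in a
# minimal top-level object so json.loads accepts it.
SAMPLE_CONFIG = """
{
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": ["172.16.255.1/24"],
      "inet4_route_exclude_address": ["192.168.0.0/16", "172.16.0.0/12"],
      "mtu": 1500,
      "auto_route": true,
      "strict_route": true,
      "stack": "system",
      "sniff": false
    }
  ]
}
"""

# RFC 1918 ranges that usually should stay out of the tunnel when the
# container sits next to other internal services.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def uncovered_private_ranges(excludes):
    """Return the RFC 1918 networks not fully covered by the exclude list."""
    nets = [ipaddress.ip_network(e) for e in excludes]
    return [str(p) for p in PRIVATE_V4 if not any(p.subnet_of(n) for n in nets)]


def review_tun_inbounds(config_text):
    """Return {tag: [findings]} for every tun inbound in the config."""
    cfg = json.loads(config_text)
    findings = {}
    for ib in cfg.get("inbounds", []):
        if ib.get("type") != "tun":
            continue
        issues = []
        if not ib.get("auto_route"):
            issues.append("auto_route disabled")
        elif not ib.get("strict_route"):
            issues.append("strict_route disabled")
        missing = uncovered_private_ranges(ib.get("inet4_route_exclude_address", []))
        if missing:
            issues.append("private ranges routed into tunnel: " + ", ".join(missing))
        findings[ib.get("tag", "?")] = issues
    return findings
```

Run against the snippet above it reports that 10.0.0.0/8 is not in the exclude list, so traffic to that range would be routed through the tunnel; add it to `inet4_route_exclude_address` if that is not intended.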