[-] zfa@alien.top 1 points 10 months ago

AGH with upstream lookups over DoH, and adblock list from oisd.nl.

Split-brain topology to give internal IP in preference to public IPs for my selfhosted services, and selective routing of a defined set of domains to a geo-unblocking service so I can access things like BBC iplayer etc. from my home network.

[-] zfa@alien.top 2 points 10 months ago

Seeing as you say port 25565 you're using Minecraft Java, so I'd prob just do this:

https://blogs.oracle.com/developers/post/how-to-set-up-and-run-a-really-powerful-free-minecraft-server-in-the-cloud

Couple of points:

  1. Make your account PAYG to lessen likelihood of server being shut down (will still be free)

  2. Take nightly backups just in case.

You could stump up for a management console like AMP if you want to make things a bit easier.

GL.

[-] zfa@alien.top 2 points 10 months ago

Outside of fixing your SSH issues, you should also change from using 11.0.0.1 for WG as that's a public IP. See RFC1918.
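
An added example, not part of the original comment: a small audit that flags IPv4 tunnel addresses in a WireGuard config that fall outside the RFC 1918 private blocks, as 11.0.0.1 does. The sample config and the function names are constructed for illustration.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample config; keys are placeholders, 11.0.0.1 is from the comment.
SAMPLE_CONF = """\
[Interface]
Address = 11.0.0.1/24, fd00:abcd::1/64
PrivateKey = <placeholder>

[Peer]
AllowedIPs = 11.0.0.2/32

[Peer]
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24, 0.0.0.0/0
"""

def is_rfc1918(net):
    """True if an IPv4 network sits wholly inside one RFC 1918 block."""
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)

def audit_wg_conf(text):
    """Return (section, key, value) for IPv4 entries outside RFC 1918."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key.lower() not in ("address", "allowedips"):
            continue
        for item in filter(None, (v.strip() for v in value.split(","))):
            net = ipaddress.ip_interface(item).network
            # Skip IPv6 and the 0.0.0.0/0 full-tunnel route; neither is the
            # RFC 1918 addressing mistake being checked here.
            if net.version != 4 or net.prefixlen == 0:
                continue
            if not is_rfc1918(net):
                findings.append((section, key, item))
    return findings

if __name__ == "__main__":
    for section, key, item in audit_wg_conf(SAMPLE_CONF):
        print(f"[{section}] {key} = {item}: not RFC 1918 space")
```

A public range under `AllowedIPs` can be a deliberate route; a public range under `Address` means the tunnel shadows real internet hosts.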

[-] zfa@alien.top 1 points 11 months ago

What makes you think this is the case?

A DNS leak test showing Cloudflare could just be that is the upstream resolver in your AGH config, for example.

Provide your phone model and Android version, I've never heard of the DNS being unchangeable. Bonus points if you can post a screenshot of your phone's 'private dns' settings.

[-] zfa@alien.top 1 points 11 months ago

'Gaming routers' is pretty much just a branding thing.

Ultimately best performance will be a decent 'prosumer' router that can traffic shape (e.g. implement CAKE) in order to keep ping times down even when the link is under load and then good switching and wifi for the internal side of things (modern wifi standards, gigabit(+) ports).

opnsense would be fine for the former (as would OpenWRT on a pi4, say), and then you need to plug in some decent access points like tp-link eapxxx range or unifi, ruijie etc. That combo should outperform one of those gaming routers that look like an upside down robot spider thing. Well, it won't be worse and it'll be more flexible at the very least.

Also remember that your dad's gaming device should be hardwired for best performance no matter what you end up going with.

Really this is more a /r/homenetworking thing, they'll have plenty of advice for you too, inc. hardware recs.

[-] zfa@alien.top 1 points 11 months ago

Not sure about Roku, that might be asking too much, but Retroarch is the daddy of emulation frontends and I've seen people run that on Android boxes with ROMs just read from a NAS via SMB. It's available on most platforms you can think of.

There's also dedicated gaming OSes (which will run on many generic S905ish AndroidTV boxes as well as PCs etc) which serve as prettier wrappers to that and other emus, my personal preference being Batocera if you're whole-heartedly wanting those client systems to become 'retro gaming systems'.

KODI + IAGL would also be a workable soln on all platforms which have KODI, that can run the games directly from archive.org so negates need for the SMB share.

There's also lots of retrogaming-adjunct subs where this will be answered better than by us nerds here too.

[-] zfa@alien.top 1 points 11 months ago

I'd have the clients connect to the central server in a hub-and-spoke VPN topology using something like WireGuard say.

Use the central host as either a jumphost or configure your personal devices to also connect to it via VPN and have it handle routing so you can connect directly to the clients once you're connected to the central server.

This is a somewhat standard topology so no need to reinvent the wheel.

[-] zfa@alien.top 1 points 11 months ago

Not sure why no one has pointed you to the actual product Cloudflare have for API security - Cloudflare API Gateway (and API Shield).

You can kinda-sorta-not-really fudge control with a combination of Access Policy (or exclusion rules for that) and Firewall Rules, or even tack on Access control via JWT etc if you want though.

Without any of those just consider it having been made 'public' to the internet at large and secure accordingly.

[-] zfa@alien.top 1 points 11 months ago

Please follow the /u/jerwong advice.

[-] zfa@alien.top 1 points 11 months ago

I know, I know 'BuT It's NOt seLFhOStEd!' but I just let the pros deal with bots and front that kind of stuff with Cloudflare.

If you've privacy concerns you can always have that one thing on a specific subdomain and only enable Cloudflare on that, whilst keeping the rest of your subdomains unproxied.

Alternatively can't you add a captcha (again, giving up a bit of privacy)?

[-] zfa@alien.top 1 points 1 year ago

No worries, HMU if you need anything else but the docs are stellar and once you get your head around the concept and have a play I'm sure you'll find it just set and forget. GL.

[-] zfa@alien.top 1 points 1 year ago

> Am I to make an A record with my domain and point it to my public IP? Then enable Cloudflare proxy service. Then a CNAME record would be the subdomain to whatever service I want and then setup properly in nginx proxy?

That would work just fine. As long as you have the records in Cloudflare DNS and the domain is all set to proxy something in NPM you're good to go. And yes, using a CNAME from the subdomain to your A record is the most elegant way so you only have to update that one IP address as your IP changes.

> If I don’t have a static IP from my ISP is there a way to automatically update my dynamic IP in Cloudflare so I don’t lose access?

It's a simple API call, or there's lots of 'my-first-script' style projects for this on github.

To throw something out from leftfield though... if you're going to be using Cloudflare to proxy all your (sub)domains, then if you have a dynamic IP you will be better off using a Cloudflare Tunnel (cloudflared) to get online. Doing so solves both the issue of creating your own CNAMEs and updating your dynamic IP record - you simply don't ever do either as Cloudflare will take care of all the record creation and routing of traffic for you. GL.

zfa

joined 1 year ago