Kept private, from who? The rest of the WiFi network?

In that case yes it'd need a VPN of some sort like those you mentioned that will encapsulate traffic beyond the router. Wireguard to a VPN provider is probably most common vs the others, but for low-bandwidth stuff straight ssh -R to a lite VPS running a reverse proxy like Caddy/Nginx works too.

Proxmox is dank because it uses LXC instead of Docker and has an interface for the firewall so you can lock it down just to the VPN

Given the dormitory situation, full disk encryption is probably wise in case the laptop grows legs- just be sure to configure shutdown if it loses power.