I admit that setting up the local VPN server was easy only thanks to the fully customizable firmware that operates on my router (an Asus RT-AX88U, if you want to know). I can outline the procedure I followed, but I cannot write down a step-by-step solution since it won't be applicable to all the cases.

I can give you a link of a really detailed procedure that includes installing a custom firmware if your router supports it. Briefly, it boils down to three steps:

1. Setting up the VPN server: installing the OpenVPN packages and creating the certificates and keys for both the server and the client(s)
2. Putting together an OpenVPN configuration profile for your client. Once your server is configured, it provides you with a generic profile to which you have to add the certificate and key that you created in step 1. You will also have to create at least a pair of user credentials (username/password) for your client: this can be done once again during the server configuration.
3. Installing the VPN client on your remote machine and connecting to the server with a simple openvpn --config your_profile.ovpn.

Be careful that, if you are connected via SSH to your remote machine, it's very likely that the connection drops because of the way the VPN server works. In brief, this happens because when connecting to the VPN server, you are suddenly changing the default gateway: the traffic that came in from your local machine through SSH is now going back "from a different route", and that breaks the SSH tunnel. Here is explained better, but the quick solution is to add an additional route to your remote machine before starting up the OpenVPN client with

sudo ip route add -host <public IP of VPN server> gw <default gateway of remote>

Another issue related to this is that if your ISP assigns you a dynamic IP (which is very likely: either you pay for a static IP or you are on some kind of Virtual LAN which can happen if you are connected to an optical fiber network). If that's your case, don't despair: the guide of the first link explains how to deal with it with Dynamic DNS. I know that it seems very convoluted, and the truth is that it's indeed a complicated setup and a lot of networking concepts are overlapping. Yet, the guide above is very thorough in explaining all the steps. That guide also assumes that you are doing all your configuration on Windows, so you should be more comfortable and maybe you can avoid using the WSL.

Once all is set on the VPN side, then your remote machine will have a new IP address in the subnet created by the VPN server. That's the address you should use in the "Kernel configuration" profile in Wolfram Mathematica/Desktop. On my machine, the configuration is the same I wrote here a couple of posts above.

As I said, I have to find out the proper way to start the VPN client automatically. That means that there should be a way to store the credentials securely, but at the moment I don't know how. Also bear in mind that I have just run a few simple tests and I want to work with it more extensively to be able to report any issue or other problems that may arise.

If you have questions, I will try to answer at best of my knowledge.

I had almost given up, but reading this conversation I got the idea to install and configure a local VPN server and connect the remote machine (an AWS instance in my case) to the VPN. And... it works, because front-end and remote kernel are now part of the same network. I tested also a Manipulate and a trivial NetTrain that are known to require the "dynamic features" between the kernel and the front-end.

The setup is not so complicated: the most laborious part (let's say) is to configure the VPN server and prepare the client profile for the remote machine. For the moment, I also have to start the VPN client on the AWS machine manually, but I'm sure it can be done automatically with a systemd service; I just have to look up how.

In my case I could do it directly on my router (an ASUS with the Merlin Wrt firmware) that can run an OpenVPN server. The kernel configuration is identical, except for the different remote IP address which is now part of the local subnet created by VPN.

I believe if you google it you'll find some community chats on remote kernels, such as https://community.wolfram.com/groups/-/m/t/94917

You didn't mention if SSH is installed and configured on both machines and if you can use bash(1) to execute the remote kernel math(1) through ssh(1). If you cannot do it by hand, then Mathematica also can not do it either.

Mathematica (now) has two ways to connect to a remote kernel. The 'older' way is TCP/IP port mathlink (which is not login-based and security is "up to you and your OS"). A newly supported way is by "shell log-in access (this may merely launch math(1) with parameters on the remote machine if it is not already running, btw).

"In the Kernel Program field, give the command that would be used to run the Wolfram System through a terminal window on the remote machine". You didn't post what your setup fields were, so I think for anyone to help you, you should post more information - such as the command you used.