I’m using Gluetun via Docker Compose as well right now and can happily say all the ports exposed via the ports: setting are local network only. I could port forward them via the router probably (haven’t tried) but I only use them for access via LAN. To expose ports over the VPN connection you use the FIREWALL_VPN_INPUT_PORTS environment variable. A stripped version of my current compose (example port numbers, not real) with LAN access to 6000 and WAN access to 1234 and 5678:

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    restart: unless-stopped
    container_name: gluetun
    cap_add:
      - NET_ADMIN # in the default compose file i dunno what this does tbh
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_VERSION=<redacted>
      - OPENVPN_USER=<redacted>
      - OPENVPN_PASSWORD=<redacted>
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.ovpn
      - FIREWALL_VPN_INPUT_PORTS=1234,5678 # allows ports through VPN connection
      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24 # I found that I needed this for certain LAN access
    ports:
      - 6000:6000 # port i access via LAN
    volumes:
      - /mnt/example/config.ovpn:/gluetun/custom.ovpn