Port 80:443 would need to be open all the time. Otherwise, your revers proxy is not working. As well you are not able to refresh certificates once needed. It’s key to forward them from router to DietPi
Yes, you set incorrect proxy_pass https://mydomain.ddnsprovider.com:8001; inside the Nginx configuration file. It would need to be the local IP address of your system, instead of the DDNS name. If both, Nginx and Vaultwarden, running on same system., it could be localhost IP http://127.0.0.1:8001 as well. You need to adjust this 3 times inside config file.
Always use the DDNS address and not the local IP, because your need to pass the proxy to get the valid certificate. Using IP address will not work on HTTPS ans this is what is needed for Vaultwarden to work. Using HTTP will result in issues, as Vaultwarden might reject the access 