Secure access to containers

Looking to run a number of containers which have relatively insecure components (admin interfaces etc).

I’ve historically used a VPN to the server to connect to ports firewalled off from the world, but opened to localhost connections.

I have got a simple OpenVPN container installed - is my understanding of Docker containers correct - that even without the ports 'expose’d they’ll be accessible to people who have signed into the VPN?

DO I then have to fix their IP addresses, or is there a DNS-a-like system I can use?