Comment on a VPN that is easily self-hostable and resistant to blocking?

devtoolkit_api@discuss.tchncs.de 7 hours ago

For your exact use case (hiding as HTTPS, Docker, works behind restrictive firewalls), I would strongly recommend looking at:

  1. WireGuard + wstunnel — WireGuard itself is great but easily blocked. Wrapping it in wstunnel makes it look like regular WebSocket/HTTPS traffic. Docker-compose setup is straightforward.

  2. Cloak + OpenVPN/Shadowsocks — Cloak is specifically designed to make VPN traffic look like normal HTTPS to a CDN. Very effective against DPI.

  3. Headscale (self-hosted Tailscale control server) — not inherently resistant to blocking, but combined with a DERP relay behind Caddy, it works well on most networks. The Tailscale Android app is excellent on battery life.

For the Caddy coexistence requirement specifically, wstunnel is probably your best bet since it literally runs as a WebSocket endpoint that Caddy can reverse proxy alongside your regular sites.

I have been running a similar setup (WireGuard over wstunnel behind Caddy) on a small VPS and it has worked through hotel and airport WiFi without issues.

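The "WireGuard over wstunnel behind Caddy" layout recommended in the comment above, sketched as an added example (not the commenter's own configuration): Caddy terminates TLS and forwards only one path to a loopback-bound wstunnel, which in turn may only reach the WireGuard port. The hostname `vpn.example.com`, the path prefix placeholder, port 8080 and the `/srv/www` site root are assumptions.

```caddyfile
# Constructed example. Replace vpn.example.com and the path prefix.
#
# Server side, on the same host as Caddy. wstunnel speaks plain ws:// on
# loopback because Caddy terminates TLS. --restrict-to keeps the tunnel
# from being used as a general relay: it can only reach WireGuard.
#
#   wstunnel server \
#     --restrict-to localhost:51820 \
#     --restrict-http-upgrade-path-prefix REPLACE-WITH-LONG-RANDOM-STRING \
#     ws://127.0.0.1:8080
#
# Client side. Opens a local UDP listener on 51820 and carries it inside
# a WebSocket to the server, where it is delivered to localhost:51820.
#
#   wstunnel client \
#     --http-upgrade-path-prefix REPLACE-WITH-LONG-RANDOM-STRING \
#     -L 'udp://51820:localhost:51820?timeout_sec=0' \
#     wss://vpn.example.com
#
# WireGuard client changes:
#   Endpoint = 127.0.0.1:51820
#   Keep the server's public IP out of the tunnel's routes (AllowedIPs),
#   otherwise the wstunnel connection would be routed into the tunnel
#   it carries. A reduced MTU may be needed for the extra encapsulation.

vpn.example.com {
	# Only requests under the secret prefix reach wstunnel.
	@wstunnel path /REPLACE-WITH-LONG-RANDOM-STRING/*
	handle @wstunnel {
		# reverse_proxy passes WebSocket upgrades through unchanged.
		reverse_proxy 127.0.0.1:8080
	}

	# Everything else is served as the regular site, so the host looks
	# like an ordinary HTTPS web server to anyone without the prefix.
	handle {
		root * /srv/www
		file_server
	}
}
```

Treat the path prefix like a credential: generate it randomly, and keep port 8080 closed to the outside so the tunnel is reachable only through Caddy.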