Remote mysql server in docker container - access using macvlan and wireguard?

Situation: Several VPS servers around the US connected to my laptop via a wireguard mesh network. For the wireguard mesh network I'm using a tool called innernet (https://github.com/tonarino/innernet).

So basically it's like my laptop and VPS servers are on the same internal network.

VPS ip    = 10.32.89.1
laptop ip = 10.32.90.1

Looks like the VPS and laptop have this virtual interface defined (not sure if this matters):

innernet

The VPS server has a mysql container running (I don't expose port 3306 to the host). How can I connect to that dockerized mysql server from my laptop without mounting the mysql port to the host?

Reasoning:
Why I want it this way?
Because I don't want to make it (mysql server) visible to the entire internet and thus attackers, but at the same time I want easy access to mysql data from my laptop.

Possible solution:
Is that what docker macvlan is for? Do I need to create a network on the VPS that has the innernet interface as a parent or something, and then attach my mysql container to that network?

I've tried this:

docker network create \
-d macvlan \
--attachable \
--subnet=172.40.110.0/24 \
--gateway=172.40.110.1 \
-o parent=innernet \
infranet2

And then I've tried joining mysql container to it:

docker network connect infranet2 mysql-server

But I only get an error:
root@vps:~$ sudo docker network connect infranet2mysql-server
Error response from daemon: failed to create the macvlan port: invalid argument


What you can do is expose your port (3306) only on the internal IP that is accessible via wireguard, such as the tunnel IP (as opposed to exposing it on all IPs (0.0.0.0/0), as happens by default). Given your tunnel IP is 192.168.0.1, this is how you would do it:

docker run --name mysql-server \
-p 192.168.0.1:3306:3306 \
-e MYSQL_ROOT_PASSWORD=my-secret-pw \
-d mysql

Then you can access your remote mysql server, but access from the internet wouldn't be possible.
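
To confirm that the binding described in the answer above actually took effect, the following added example (not part of the original posts) parses `docker port` output and flags every mapping that is not bound to the tunnel address. It assumes the VPS tunnel address 10.32.89.1 from the question; the function name `check_bindings` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a container's published ports against the tunnel IP.
# Live use (container name taken from the page):
#   docker port mysql-server | check_bindings 10.32.89.1

# check_bindings TUNNEL_IP
# Reads `docker port <container>` output on stdin, one mapping per line, e.g.
#   3306/tcp -> 10.32.89.1:3306
# Returns 0 if every mapping is bound to TUNNEL_IP, 1 if any mapping is bound
# elsewhere (0.0.0.0, [::], another interface), 2 if nothing is published.
check_bindings() {
    local tunnel_ip="$1" rc=0 seen=0 line host_part host_ip
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        seen=1
        host_part="${line##* -> }"   # 10.32.89.1:3306, 0.0.0.0:3306, [::]:3306
        host_ip="${host_part%:*}"    # drop the trailing :port
        if [ "$host_ip" = "$tunnel_ip" ]; then
            echo "OK         $line"
        else
            echo "NOT_TUNNEL $line"
            rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "NONE       no published ports"
        return 2
    fi
    return "$rc"
}

# Constructed sample: what `docker port` prints after a plain `-p 3306:3306`.
SAMPLE_DEFAULT='3306/tcp -> 0.0.0.0:3306
3306/tcp -> [::]:3306'

# Constructed sample: what it prints after `-p 10.32.89.1:3306:3306`.
SAMPLE_TUNNEL_ONLY='3306/tcp -> 10.32.89.1:3306'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_TUNNEL_ONLY"; do
    printf '%s\n' "$sample" | check_bindings 10.32.89.1 || true
    echo "---"
done
```

A non-zero exit status makes the function usable as a deployment check after the container is started.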