Umbrel has a Tailscale app. Install it and "create an account" by linking a GitHub/Google account. You can make a burner account just for authentication with Tailscale.

After this, you have created a VPN with only your umbrel on the network.

You can install Tailscale on a cheap VPS running linux.

You should now have a VPN with two devices (umbrel and server). You can create a subdomain pay.example.com and point it to the server's public IP. Then on the server, create a reverse proxy (using caddy, nginx, apache, etc) that forwards the subdomain traffic to the Umbrel's Tailscale IP. You'll need to proxy through all the ports LND needs. Might also need to modify lnd.conf with the server's IP so LND can announce itself using the public server address. Could also proxy ports for different apps on your umbrel. If you wanted to serve mempool app publicly for example.

With this setup, your node will broadcast only the IP of the server (not your actual node's IP). Tailscale's coordination servers technically know the IP of your node, but all traffic flowing through Tailscale servers is encrypted so they have no way to know that your devices are doing anything related to Bitcoin. You can bypass Tailscale servers by self-hosting a Headscale coordination server, or by setting up wiregaurd tunnels manually.