It's actually listening on the WAN interface too, as that's convenient, but I could limit this to VPN. Good idea. So 443 is available and can be forwarded.
I also understand I will have to recertify after 300 days and there are also no means of automatically deploying that certificate to the Fritzbox (according to wiki link). But in regard to the 300 days, that's also ok, thank you!