The other way around. The VPS would be the server and the one behind CGNAT would be the client. That is the solution to get around the NAT because the client will establish the connection to the server.
IPsec works as well as the link between the two hosts.
You will then connect your mobile devices to the VPS as usual and push the extra routes to allow them to go through the N2N tunnel.