1

I have a Raspberry Pi connected to a number of sensors in my house. It has a random IP address, and for a number of reasons I can't change that. At the moment, to connect to it I make it send an email with its IP address once every hour, and use the last email to know where to connect (I know, not very high tech...)

I want to be able to connect to this Pi from the outside world, without configuring the router. The idea is that the Pi initiates the line of communication, and that line is used to talk to it. I would like to be able to connect to it via SSH and to its web server.

I can think of two ways:

  • The Pi creates an SSH tunnel/VPN with a server on the internet. I then connect to that server to connect to the Pi. Are there people who offer such a service?

  • I configure a specific device to become the Pi's "controller" device; I set up a NoIP name to my computer or my phone, and then make the Pi try really hard to establish a VPN connection with that phone/computer. I am not sure this is actually really feasible... is it?

Or, is there a neater, easier way to make this happen?

1
  • If the random IP address of the RPi is because of the router, many routers can allocate IP addresses by the MAC address. Does that help?
    – harrymc
    Commented Jun 9, 2023 at 17:24

1 Answer

3

The Pi creates an SSH tunnel/VPN with a server on the internet. I then connect to that server to connect to the Pi. Are there people who offer such a service?

There are hundreds of companies that offer cheap virtual-server hosting; you can get a VPS for a few $/month and use it as a central point for SSH or as a personal VPN server.

(For just SSH and typical VPN software, even the cheapest "OpenVZ container" VPS-if-you-squint will do, though I'd rather avoid OpenVZ in general – KVM/Xen plans are more expensive but also more flexible, as you get a whole VM all to yourself.)

After you've set up a VPN on such a server (such as OpenVPN or WireGuard, or even an SSH tunnel) and have both the Pi and the phone connected to it, they're functionally on the same (virtual) network and can access each other through the tunnels – there's nothing special to do to make that work.

One common option is "mesh VPN", which focuses entirely on device access – instead of a central server that relays all data, a mesh VPN has a central controller that just helps devices somehow contact each other directly (acting as a meeting point, similar to how games or VoIP apps used to establish direct connections with the help of a server). In this case you'd probably be looking for one that provides free access to a "cloud" controller (such as Tailscale or ZeroTier or probably others).

While commercial VPN providers generally focus on exit to Internet, I believe some of them also offer a feature that allows connecting to your own devices as long as they're all connected to the same account (at least one VPN provider directly calls it "meshnet" mode).

I configure a specific device to become the Pi's "controller" device; I set up a NoIP name to my computer or my phone, and then make the Pi try really hard to establish a VPN connection with that phone/computer. I am not sure this is actually really feasible... is it?

For typical client-server VPNs this is not really feasible, as your phone/computer is just as likely to be behind NAT as the Pi.

Having a domain name (the "NoIP name" is really nothing more than an auto-updated DNS entry) only tells you where the device is but doesn't make it any more reachable – after all, if it did, you could just as well point that name directly to the Pi in question.

So for this option to reliably work, you really want the "controller" to be a proper publicly-accessible server on some datacenter.


There are a few more options, too.

There exist a few services that specifically provide tunneled access to your internal HTTP services. (The concept is still the same as you described – the Pi creates a tunnel to the central server, and the tunnel piggy-backs requests back to the Pi, but instead of relaying IP it only relays HTTP.) One example is Ngrok, and I think the aforementioned Tailscale also added such a feature?

My own home server runs Syncthing, and I have a cronjob that monitors for new files named ~/Sync/$HOSTNAME-*.sh and just runs them as soon as they appear, saving the output in ~/Sync/$HOSTNAME-*.log, resulting in a somewhat UUCP-style "batch job submission" system that still works even if my internal VPN no longer does. (I also have the same on my other computers, because it turned out to be useful.)

1
  • This is the perfect answer. Now I need to implement it...
    – Merc
    Commented Jun 10, 2023 at 1:01
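
The batch-job setup described in the answer's last paragraph, sketched as a cron-driven POSIX shell script; this is an added example, not the answerer's actual script. Using the log file as the "already ran" marker, skipping symlinks, the function name `run_pending_jobs` and the crontab path are assumptions.

```shell
#!/bin/sh
# Added example (not the answerer's script): run each synced job script once
# and leave its output next to it so it syncs back to the submitting device.
#
# Hypothetical crontab entry:
#   * * * * * /home/pi/bin/sync-jobs.sh "$HOME/Sync" "$(hostname)"

# run_pending_jobs DIR HOST
#   Runs every DIR/HOST-*.sh that has no DIR/HOST-*.log yet.
#   Prints the number of jobs started during this pass.
run_pending_jobs() {
    dir=$1
    host=$2
    ran=0
    for job in "$dir/$host"-*.sh; do
        # Skip the literal pattern when nothing matched, and anything
        # that is not a plain file.
        [ -f "$job" ] || continue
        # Assumption: never follow symlinks out of the synced folder.
        if [ -L "$job" ]; then continue; fi

        log="${job%.sh}.log"
        # The log doubles as the "already ran" marker. Creating it under
        # noclobber (set -C) fails if it already exists, so a job is never
        # re-run and two overlapping cron passes cannot both start it.
        if ( set -C; : > "$log" ) 2>/dev/null; then
            status=0
            sh "$job" >> "$log" 2>&1 || status=$?
            printf 'exit status: %s\n' "$status" >> "$log"
            ran=$((ran + 1))
        fi
    done
    echo "$ran"
}

# When invoked with arguments (as from cron), process that folder.
if [ "$#" -gt 0 ]; then
    run_pending_jobs "$1" "${2:-$(hostname)}"
fi
```

Every device that can write to the synced folder can run commands as the user this cron job runs under, so the folder's sharing list is the access-control list for the host.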
