Re: port-forwarding, I used traefik as a reverse proxy and that worked well (having a single domain cert instead of per service DNS is another layer but it’s just obfuscation), but it’s always a risk. I finally started using Tailscale after hearing about it for years and it is actually very good and deserves the hype. I had meant to setup wireguard myself but this is a lot easier. And if you don’t want to use tailscale server, you can run headscale (on a cheap VPS?) instead.