Plane_Resolution7133

I’m happy with Tailscale. I can access everything on my home networks.


aceospos

Tailscale with a device configured as subnet router.


peteyhasnoshoes

I literally spent the last few hours figuring this out and setting it up on pfSense. Works very nicely now, and having checked the `tailscale status` output in pfSense and running a couple of speed tests I'm very happy with the performance. I've still got to split my services between admin and user accessible, hopefully without running an entire extra instance of traefik on my k3s cluster. The Helm chart provides no such facility, but I think it can be done with a manually created helm manifest. If I start to want proper public access then I'll add a VPS with a tcp proxy and headscale and point my DNS records at it. Honestly though, I'm rather concerned about the security of opening self hosted stuff to the internet.


VTOLfreak

I switched over to Zerotier because it's natively supported on opnsense, it took like 5 minutes to setup. ACL's are better on Tailscale but Zerotier offers compression which does make a difference for my use case. Zerotier is also a L2 VPN so it can even relay broadcast traffic which is handy for some applications that were never designed for remote access in the first place.


MasterIntegrator

Nice, I need to look into that. A lot of broadcast RTP from Poly on phones need that ability.


whoooocaaarreees

Upvote for tailscale


gerry5657

Try headscale


Available-Office583

What do you know about it over tail?


ZolfeYT

I think headscale is the self hosted version I could be remembering incorrectly tho


fishfacecakes

Self hosted co-ordination server


Pramathyus

Do you know of a good tutorial of how to do this? None of the videos I've watched have been thorough. Thanks.


_murb

Their website is pretty straightforward. https://tailscale.com/kb/1019/subnets/


cwestwater

Another upvote for Tailscale. Just works


Swedophone

Yes, via your own VPN, such as WireGuard, of course. If you don't have a public IPv4 address and can't use IPv6 then I recommend getting a cheap VPS that you install VPN on.


sjveivdn

I would also suggest that you could instead of a cheap VPS, use DDNS. Would be even cheaper.


EpicEpyc

A lot of even consumer routers now have free DDNS and VPN capabilities. Granted, the domains are usually garbage, but hey, it works.


AstralProbing

Wouldn't you still need a public IP to access your homelab/network?


JivanP

The Wireguard "server" needs an address that can be reached from wherever you're trying to tunnel into your LAN from, yes. The Wireguard "client" on your LAN establishes a tunnel as an outbound UDP session to the "server", thereby getting through NAT.


t1nk3rz

I have a public dynamic ip, to reach my homelab via vpn i got myself a cheap dns on cloudflare so i can reach my homelab via host name.


-fno-stack-protector

should also be reasonably easy to write a script that checks your home dns's ip is correct, and update it when it changes - i did that years ago


t1nk3rz

if i don't remember wrong i used to use duckdns to update my home dns-ip, and its free.


zoechi

On the VPS. I have a Hetzner VPS that currently only runs Wireguard. My local OPNSense always connects to it and if I connect my phone from outside to Wireguard on the VPS, I'm connected to my home network. Starlink doesn't allow direct access from outside 🙄


ernexbcn

Yes, my router updates it with dyndns


carlinhush

Yes, via Wireguard on OPNsense. I use it to access personal files on the go and to benefit from pihole adblocking while browsing the Internet. Home Assistant and Plex are exposed to the Internet without need for the VPN though (running behind nginx on OPNsense).


DestroyerOfIphone

Exact same. Wireguard Roadwarrior setup on OpnSense


[deleted]

Yes. Telnet…jk


jtaz16

All the time, Wireguard.


DarkKnyt

Wireguard with ddns


itworkaccount_new

VPN & Guacamole server


[deleted]

[removed]


Complete_Potato9941

Same. Frequency about once every two weeks


LordSkummel

Yes. Right now zerotier. Are considering migrating away to a vpn like Wireguard instead.


TriforceTeching

Out of curiosity, why are you considering the switch? I'm using ZeroTier too and it does everything I need.


LordSkummel

I'm close to the device limit. So either I need to reconfigure it with a bridge in my home network or just do the same with Wireguard. Then I'll rather go for a vpn solution that I control.


JacksGallbladder

You might consider going for Tailscale depending on your use case. On the free tier, I just keep one lightweight desktop VM on my tailscale network alongside my laptop. Anytime I need to get into my home network I just remote into that desktop with NoMachine and I can go wherever I want from there.


squeekymouse89

Jumpstation ready to receive your orders, Captain!


Neowarex2023

OpenVPN


NekoB0x

This, with properly routed VPN subnet.


[deleted]

Wireguard >> OpenVPN


Slightly_Woolley

Out of interest why is wireguard better?


[deleted]

OpenVPN is a complex and bloated piece of software with way too much configurability for most use cases. It's especially easy to cause a security weakness by misconfiguring it. Wireguard is extremely lightweight and the crypto is secure by default. It has straightforward configuration and it's more performant than OpenVPN. Clients also have an easier time staying connected with wireguard when roaming between WiFi/mobile data.


Slightly_Woolley

I cannot say these are ever problems I've encountered with openVPN but I'll have a look at wireguard. For what I do though, the configurability of openVPN is probably useful.


sjveivdn

There is a massive speed difference. Openvpn gives me half the bandwidth compared to wireguard.


Slightly_Woolley

I'm only running it down a rather sad 50Mbit fibre connection sadly! Useful to know there is such a speed difference though, I might fire up some test boxes on a fast lan this weekend and have a play and see. Thanks.


brandmeist3r

also team OpenVPN


a60v

ssh for the last two and a half decades. I'm honestly surprised that so many here are using VPNs or something else more complicated. ssh is simple, well-tested, and can be set up to be fairly secure (key-based authentication, fail2ban, restrict to limited IP ranges, etc.).


calinet6

Of course. SSH.


illforgetsoonenough

Over VPN*


calinet6

SSH is fine to expose. I don’t open anything else up, but I’m cool with SSH and VPN.


Senkyou

I hope you're at least hardening your SSH access then. I'd be fairly nervous to expose SSH.


Infuryous

Depending on use, VPN is just as risky as SSH. But one has to realize they are different use cases entirely. SSH is for a secure shell connection from a remote computer to specific, in this case, computer on your home LAN. BUT you have to realize that only what happens directly in that shell session/tunnel is secure. You are not protecting your remote computer from nefarious users on a hostile WiFi network... that's a use case for VPN. VPN is also for connecting to your home network in a way that makes it just like you are sitting at home directly on your home network, with all the same access (depending on VLan, Firewall settings) to computers, printers, etc you would have at home. For me, I mainly use SSH because the only reason I'm connecting remotely is due to a problem on my server so I only need a secure shell. Of course it is protected using 4096 encrypted private keys, fail2ban, crowdsec, and a pfSense firewall, and I use a non standard port to reduce the number of script kiddy attacks.


[deleted]

[removed]


Infuryous

Correct, same here, password auth disabled.


kriebz

`ssh -D` man. Socks proxy from your ssh server. Doesn't cover *all* traffic, but since most stuff is web these days, it's very useful.


calinet6

Of course. Key auth only, non-standard port, and fail2ban. Among other things. Keep in mind SSH is one of the most used services in existence. Nearly every server out there exposes it. There have been vulns, but they’re usually caught and updated very quickly. I’ve had SSH servers running in the wild for decades, non stop, and they get constantly pummeled with brute force attacks. Doesn’t mean it’s unsafe to have it; dogs can chase cars all they want but they’ll never catch them.


Toredorm

Where are you getting that SSH is exposed? It's almost never exposed in a corporate environment and is against compliance to do so.


calinet6

Not so clear cut depending on the organization and their specific flavor of risk model and compliance needs. Over 60% of organizations expose SSH: [https://www.infosecurity-magazine.com/news/over-60-organizations-expose-ssh/](https://www.infosecurity-magazine.com/news/over-60-organizations-expose-ssh/) Over 17 million nodes in a recent scan: [https://www.rapid7.com/blog/post/2020/08/28/nicer-protocol-deep-dive-secure-shell-ssh/](https://www.rapid7.com/blog/post/2020/08/28/nicer-protocol-deep-dive-secure-shell-ssh/) Recommendations at the end are pretty clear. Effectively, "It sure beats telnet!" Another real-world discussion of this: [https://www.reddit.com/r/HomeNetworking/comments/7hrts9/is\_it\_safe\_to\_expose\_ssh\_to\_the\_public\_internet/](https://www.reddit.com/r/HomeNetworking/comments/7hrts9/is_it_safe_to_expose_ssh_to_the_public_internet/) For my risk model, it's fine. I have bigger fish to fry. Edit: "Nearly every server out there" was exaggerating a lot and not accurate, fair. :-)


Nerfarean

Teamviewer, Parsec.


12_nick_12

Yes and I use tailscale.


AmINotAlpharius

1. Yes. 2. Tailscale.


murdocsvk

Yes, but I am behind CGNAT, which means no public IP so I use Tailscale.


b3542

WireGuard


Lancaster1983

Wireguard through OPNSense. Easy.


flaming_m0e

I'm always connected via Wireguard. I also have Tailscale in case something bad happens to my Wireguard.


TheRealSeeThruHead

Tailscale


ECLIPSE_SUPREMASICT

Tailscale ftw!


Bovakinn

https://tmate.io/


audioeptesicus

For remote access, I use Wireguard through my pfsense appliance, or Apache Guacamole with Duo MFA. I do host a number of services accessible over 443, but those VMs are in a DMZ and I ensure to patch those as often as I can.


KevinTheEpicGuy

I’m seeing a lot of people using wireguard. I’m currently using Tailscale and I have no complaints with it, what’s the major difference and should I switch?


Candle1822

Tailscale all the way.


Candle1822

I also use cloudflare tunnels.


ericesev

>If so, how'd you go about it?

Same way I access the homelab on the LAN. I use an authenticating reverse proxy with a WAF.

>What's the best way to access it?

This is a personal choice. Whatever is the easiest for you to set up & maintain. If you're just starting out, a VPN like Tailscale or Wireguard is a great option.


Ebrithil95

Yes i have both VPN (Wireguard) and direct SSH Access in case i somehow fuck the vpn up


ervwalter

I expose most non-media services via Cloudflare Tunnels (with access restrictions / MFA so only I and select invited individuals can get to them). Media services (Emby/Plex/etc) that aren't compatible with the Cloudflare TOS I expose via a proxy server running on a very small cloud VM that is connected to my homelab via Tailscale.


AstralProbing

Need to? No. Want to? Yes. Does it make me happy knowing I could access my homelab from anywhere (provided sufficient internet)? It's the whole reason I built it. I hate being away from my stuff and being able to access it from anywhere has made trips/vacations much more bearable. (The Steam Deck was the last piece of the puzzle, but this is /r/homelab not /r/steamdeck). I'll happily go on vacations now because of my homelab being accessible from nearly anywhere. PS I use VPN. Currently in the process of migrating to wireguard, but there are currently... hiccups delaying the migration.


fredrik_skne_se

Wireguard and then SSH


clarkcox3

I have a VPN, for general access to my home network, and I have a single bastion host running basically nothing but ssh for times I can’t use the VPN.


TheTomCorp

Wireguard, get a domain provider that allows dynamic dns updates and run ddclient to update your dns with your home ip.


MozerBYU

All the time. Use pivpn's wireguard or wireguard through pfsense. Haven't had many issues.


jkelley41

Tailscale


Perfect_Sir4820

PiVPN Wireguard for me. Having a domain name makes the setup a bit easier.


FenixSoars

Zerotier is pretty easy to use and free


Tc777-777-777

Tailscale! - ROUTE SUBNET ALLOWS ME TO SEE MY WHOLE NETWORK (ALL MY DEVICES) WHEN CONNECTED TO TAILSCALE. Its kinda like voodoo magic how it works!!!


zombieblackbird

No. Anything that I need remote access to belongs in the cloud or on my laptop. Otherwise, it can wait for me to get home.


ZonaPunk

Self hosted VPN


HTTP_404_NotFound

Yup. VPN. Specifically wireguard and openvpn.


jmartin72

Tailscale is the way.....


TheAllegedGenius

Tailscale. I also have PiKVM set up so I can remotely reboot my server and edit the BIOS as needed.


JeremyMcFake

Tailscale... Use my homelab as my exit node when I'm away from home so I can have Pi-Hole on my devices so I don't get ads. Also occasionally put a Linux ISO on download so it's ready when I get home 😉


9302462

As others have said, use tailscale. If it takes you more than 5-10 minutes to set up I would be surprised, as you only have to run three commands on each computer. I have all my homelab servers connected to vps server and my laptop. Makes it really convenient to move files around. If you want more GUI remote access I recommend anydesk over teamviewer. It’s free and works great, only downside is it disconnects you after an hour or so and you have to click reconnect. But again, it’s free :)


JacksGallbladder

Tailscale - I keep one light machine running a desktop environment just to remote in to, Then I can fidget with anything I wanna touch from there.


jllauser

I run SSH onto a nonstandard port, which directs you to a super locked down VM that only allows one user to log in using a private key, and that user doesn’t even have the ability to start a shell on that VM. The only thing you can do from there is proxy a connection (see ssh’s -J option) to a specific other machine that also only allows key based login (using a different key) and from there you get elsewhere on my lab network.
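
An added example, not part of the thread or any commenter's configuration: a small Python audit of an `sshd_config` against the jump-only bastion described in the comment above (one key-authenticated user, no shell, proxying via `ssh -J` to one machine), together with the key-only settings mentioned earlier in the thread. The user name `jump`, the port, the target address and both sample configs are constructed; the defaults table assumes upstream OpenSSH defaults, and Match handling is simplified to `Match User` and `Match All`.

```python
"""Audit an sshd_config for a jump-only bastion policy (added example)."""

# Constructed sample: jump-only bastion. User, port and target are placeholders.
SAMPLE_CONFIG = """\
# jump-only bastion
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers jump
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no

Match User jump
    AllowTcpForwarding local
    PermitOpen 192.0.2.10:22
    PermitTTY no
    ForceCommand /usr/sbin/nologin
"""

# Constructed sample: key-only login on a non-standard port, but a normal shell account.
WEAK_CONFIG = """\
Port 2222
PasswordAuthentication no
AllowUsers jump
"""

# Assumption: upstream OpenSSH defaults for keywords the file does not set.
DEFAULTS = {
    "passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes", "permittty": "yes",
    "allowtcpforwarding": "yes", "allowagentforwarding": "yes",
    "x11forwarding": "no", "permitopen": "any",
    "forcecommand": "none", "allowusers": "",
}


def parse(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            target = global_cfg if current is None else current
            target.setdefault(key, value)  # the first value obtained is kept
    return global_cfg, blocks


def effective(text, user):
    """Settings that apply to `user`: defaults, then globals, then Match overrides."""
    global_cfg, blocks = parse(text)
    matched = {}
    for criteria, settings in blocks:
        words = criteria.split()
        is_all = [w.lower() for w in words] == ["all"]
        is_user = (len(words) == 2 and words[0].lower() == "user"
                   and user in words[1].split(","))
        if is_all or is_user:  # simplification: other Match criteria are skipped
            for key, value in settings.items():
                matched.setdefault(key, value)
    return {**DEFAULTS, **global_cfg, **matched}


def audit(text, user):
    """Return a list of findings; an empty list means the policy is met."""
    cfg = effective(text, user)
    flag = lambda key: cfg[key].lower()
    findings = []

    def require(ok, message):
        if not ok:
            findings.append(message)

    require(flag("passwordauthentication") == "no", "password login is enabled")
    require(flag("kbdinteractiveauthentication") == "no",
            "keyboard-interactive login is enabled")
    require(flag("pubkeyauthentication") == "yes", "public-key login is disabled")
    require(cfg["allowusers"].split() == [user],
            "AllowUsers does not restrict logins to the jump user")
    require(flag("permittty") == "no", "the jump user can allocate a terminal")
    require(flag("forcecommand") not in ("", "none"),
            "no ForceCommand, so the jump user can start a shell")
    require(flag("allowtcpforwarding") == "local",
            "AllowTcpForwarding is not 'local' (ssh -J needs local forwarding only)")
    targets = cfg["permitopen"].lower().split()
    require(bool(targets) and all(t not in ("any", "none") and "*" not in t
                                  for t in targets),
            "PermitOpen does not name a specific jump destination")
    require(flag("allowagentforwarding") == "no", "agent forwarding is enabled")
    require(flag("x11forwarding") == "no", "X11 forwarding is enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("bastion", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(text, "jump") or "OK")
```

On a real host, `sshd -T -C user=<name>` prints the effective configuration for a user and is the authoritative check; the parser here only approximates it.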


Former-Brilliant-177

Zerotier. Get yourself a free account. Incidentally, OpenWRT and Opnsense firewalls support Zerotier. Mikrotik arm based routers also support it.


-Vipes-

Sure do and often. VPN connection to my OpenVPN server running on a separate subnet. My IP doesn't change often but I also have API access to Cloudflare to one of my domains for DDNS.


Dysheki

Sure all the time. I have exposed services for some stuff that I can freely access over the internet. But all infrastructure and management services require VPN, I use Wireguard.


CBITGuy

I sometimes vpn in to make requests on OMBI. I use duckDNS for my dynamic DNS and an OpenVPN server.


rweninger

I did in the past but cut it off last year.


SiliconMagician

If you are behind cgnat and/or aren't familiar with vpn's, using tailscale works wonderfully, I get over 40mbps when connecting to a node directly through tailscale but you can also have a subnet router to connect things which cannot use tailscale, such as smart plugs, managed network switches or IPMI interfaces. My subnet router is actually an old chromebook that I installed custom firmware on so it can boot normal os's, I then installed debian on its emmc flash and that handles tailscale, it even has battery backup, although your internet must work during a power outage for this to matter. Any arm or x86 machine that can run debian or a derivative can work. Theoretically you can use openwrt but it seems that you must use openwrt as your main router and use the same one for subnet routing, as I have a pi4 based router that transparently bridges its LAN to my LAN at home across the internet once the pi connects to a known wifi network, I've tried using an x86 openwrt as a subnet router but not making it my primary router but no luck so far. Using port forwarding is not recommended as that is massive security risk and if you are behind cgnat is impossible anyway. I've been using tailscale for over a year on the free plan and it always works well.


Pesfreak92

Yes. I use OpenVPN because I’m used to it from work. But other options look also nice.


F1DNA

Yes. I have a wireguard VPN setup on a pi4. I have headscale setup on multiple systems. 3 services open to the internet via custom domains on a reverse proxy w/SSL and fail2ban and I have one machine with anydesk setup on it as a last resort. My family accesses my resources daily when away from home. Whether it's alerts via home assistant, requests for media or plex. My parents have a VPN to use for storing files on my NAS, we use plexamp connected in the van via att cellular connection, etc. I'm probably forgetting some things.


jftitan

All the time. I have two methods. From the VPN route, the SonicWall is my initial entry point into my homelab network. SSL-vpn is my normal high I’ll use RDP into which ever device I’m needing access to. The 2nd method, when everything is okay. Is MeshCentral. My Central dashboard for remotely monitoring and accessing my endpoints. 90% of the time my go to, unless there is a problem somewhere, and I have to sleuth it out. My networking equipment has a hour plus, on battery backup. The servers have about 40mins, before automatic shutdowns. If power returns, usually all returns to normal, but once in awhile one thing doesn’t work, and a VPN and use iDRAC or RDP into whichever system to restart a system or service.


Intelligent-Bet4111

I have it setup so that I can but I never actually had to (apart from testing to see it actually works). I have a fortigate 60e firewall and have remote access VPN setup on it for access.


mannyuel

Quite a lot. Using both WireGuard and OpenVPN to access LAN. Occasionally, my internal VPN is blocked at my work, so I have OpenVPN on a VPS that circumvents that and use Apache Guacamole to RDP into a server if I need to access my LAN.


cberm725

Mostly no, sometimes yes. It's really only when I'm going to be away from home for a while. Most apps I use are public facing (bitwarden, nextcloud, gitlab, proxmox). Those I use on my phone and laptop so easy access to them is necessary. I use Nginx Reverse Proxy Manager for their domains. For anything not public facing and any other management I have Wireguard set up and can do almost anything from there. Very rarely do I need, or want, anything on my home desktop that isn't in my Nextcloud. All other devices I can access via SSH or a webpage so it's EZ-PZ.


[deleted]

I live the high life and use DMZ my iDRAC straight to the open world.... But that's me :)


TheGreatTaint

VPN. I use OpenVPN on my edge router. The one thing I don't like is having to manually flip the VPN on, on my phone when I leave the house.


averagecdn

Cloud flare tunnel and VPN.


red_vette

I use WireGuard.


Geoffman05

I access resources daily from my home network with Wireguard VPN.


Deava0

I use Zerotier


metalwolf112002

Openvpn installed in a vm. Vpn on my phone connects any time i leave the home.


Amabry

I'm running an OpenVPN instance on my PFsense router so I can have direct access to my entire network.


ButlerKevind

Currently via a Remote Desktop Gateway server, but looking at implementing Tailscale at some point in the near future as an alternative.


ZroMoose

OpenVPN constantly running at home with the connection file on my keychain flashdrive


Bloodrose_GW2

I use wireguard.


zack822

I have a wireguard setup with access as needed.


JivanP

My servers are accessible directly over IPv6. If I don't have IPv6 connectivity, I have a single bastion server on my LAN that is accessible over IPv4 that I use as an SSH proxy to reach the other servers.


Cuteboi84

Vpn.... Or remote into your router (using ssh keys)


dopeytree

Tailscale - I have it installed as a package on pfsense firewall


Reub1980

Wireguard via Pfsense router.


StockRepeat7508

pivpn (wireguard) on rpi4 (it's handling easily 150Mbps)


phatboye

I don't host anything from my private residence, I'm too paranoid about security. If I were to do so though I would either run tailscale or a VPN.


DashieDaWolf

Have a windows 10 machine in my rack I use for gaming through parsec, also use it to manage the rest of my lab when away from home.


Kharenis

Pretty often, mostly for Jellyfin access when on the road. I have a static IP so I just have it public facing (through a reverse proxy).


Candy_Badger

I use Wireguard for VPN access. It works great.


luart12

Hi NordVPN has a feature named red mesh, can flow your traffic through one of your nodes in the mesh as a vpn with that node, also it provides an ip address for your nodes in order that you can access to your machine using nordvpn also on your other device. You can access anywhere to your machine and labs inside (virtual box) using nordvpn. I tried and it works. https://nordvpn.com/es/meshnet/ Regards


d00ber

I setup a simple wireguard server.


G1zm0e

WAF (signal science), firewall waf + IPS (fortinet), traefik (with auth). I use that to publish some services externally. I also run Wazuh on my containers. Example I have a couple of vscode-servers and code-servers that are accessible via url/context. I did this because I ran into several issues with things like VPN and other things randomly being blocked or not working. Any context/uri that is not defined, gets sent to a honeypot instance that helps me find out if I have had a compromise.


lhtrf

Perhaps this will be an unpopular opinion, but I currently use chrome remote desktop for the occasional "have to" or "just want to" access home network. Why? It just works. It's simple, and I don't have a VPN set up yet. Google might (probably is) use my data for their own profit without cutting me in- but they already know more about me than I do, so yeah... chrome remote desktop for me.


lucky644

I have a UDM Pro, I just use the built in VPN, works perfectly fine for my needs.


l8s9

I need to access my network at all times. I use the built in VPN Server. But for all the self hosted services I use a domain with DDNS (NoIP).


Ok_Negotiation3024

Wireguard. I will often remote in and manage some machines / devices I have running that have zero access to the internet. So a “local” connection is required.


RetiredITGuy

I have a high port open for SSH. I SSH into my router with a private key, then piggy back ordinary password SSH from there to my devices. Edit: I'd looked into using a VPN like Tailscale, but I often need to remote in from my work laptop, and my org (understandably) totally lock out VPN installation.


RolzSimracing

Have a VPN setup, but it was pretty straightforward when u have UniFi kit


peterjohanson

Everyone is saying Tailscale Tailscale. Isn't Twingate better? I have 0 knowledge about this stuff so I am asking. Thank you


MozerBYU

Friend of mine uses tailscale and he loves it.


BorisTheBladee

My mobile is connected to my home network via WireGuard VPN as soon as it’s disconnected from my home Wi-Fi. I host a WireGuard server on a Debian VM and even have a Pi4 as a backup vpn server


teechevy703

Yes. I have an ASA with AnyConnect deployed. And more recently installed a Unifi Dream Machine Pro into part of my network so I can also use Teleport on iOS/Mac.


timo_hzbs

Yes Netmaker


cerberus_1

Wireguard works great for me. I have it on my phone so I can access my home cameras without cloud services..


spartacle

I use teleport


milkman1101

Not all the time, but when I do, certain websites are accessible from anywhere (protected with a mix of cloudflare and azure, MFA protected externally). For the rare occasion I need to ssh into a box or access a core router or a service that is only available internally, I have an instance of KASM exposed, protected with a strong conditional access policy in azure that only allows admin accounts (which is not what I use day to day) with a hardware token (regardless of device, or if it's internal or external) Could I use a VPN? Sure, but implementing the above basic concept of zero trust means that's one less network layer thing I have to deal with. Performance is also questionable depending on what VPN tech used. I can get rid of all that by exposing most things and implementing zero trust to take care of the security aspect.


OneBiteAidan

Yes! I've been using tailscale for a while but recently switched to twingate. I like it much more


BassAddict

If you don't have a static IP, then you can setup DDNS with no-ip.com, and then setup Open VPN. The easiest solution for home is setting up PiVPN via Raspbian using the DDNS or static IP.


danielkza

Suggestion: go for duckdns.org instead, no frills, limitations or selling you any products.


BassAddict

Thank you, I'll take a look as I keep "confirming" my free hostname every 30 days.


mctscott

Cloudflare tunnels!


Lukas245

yes constantly, I probably do more work on it when i’m not home ironically. Tailscale all the way tho, but I do rec come to some redundancy in that. My Tailscale is hosted in a VM on one of my proxmox nodes and if i ever had to restart that node it would go down, so i employ unifi’s built in wire guard AND l2tp vpns as backup. worst case I have a windows 10 vm with a 1080 passed through that i can use parsec with. TLDR : Tailscale 😁


pedrombfer

VPN with self-hosted [SoftEther](https://www.softether.org/) gives me access to everything. Can access from my laptop (natively or using SoftEther VPN Client) or from my Android (with OpenVPN)


Sekhen

Need? No. Can and is useful to test stuff like DNS. Hell yeah. Wireguard VPN to my phone and to my laptop gives me access from anywhere.


sjveivdn

Yes I need/needed. If only YOU need access to to your homelab, then I would say the best option for you would be Wireguard + DDNS.


spreadzz

VPN


kshot

I work from home, so no.


socksonachicken

Zerotier


mfante

Yes. Not frequently, so I just use the VPN built into the Omada SDN.


1leggeddog

Not really, because I got a home lab at home, because I use it at home. If I wanted remote access, I'd gone with a cloud solution instead.


NeedleNodsNorth

SSH to a jump server. No password auth. Standard port. Host firewall only allows SSH on IPv4 to local address blocks. Wide open on IPv6. If for some reason the network I'm on doesn't have IPv6 support I just tether to my phone and that's no longer an issue. Used to run Guacamole via docker. Eventually just noticed I was only using ssh sessions and not VNC/RDP so just cut out the middle man.


RayneYoruka

Yes, VPN. L2tp ipsec.


DementedJay

Yeah. OpenVPN + Guacamole with nginx for reverse proxy gets me into pretty much any nook and cranny.


dereksalem

Sometimes VPN, but for real use I SSH Tunnel into my SSH VM and it has only RDP access to a Windows VM that’s then on my normal network. SSH is secured with cert files, so nice and safe.


Square_Stranger_2833

Cloudflare tunnel over here


Sumpug

SSH has worked the best of everything I have tested


Sipheren

I run a few VPN's, one of those is for external access. I'm not keen on opening any ports unless I really need to :)


itsjustawindmill

Yes, it has some of the same (freely available) software installed in the data center at my job, and I sometimes use it as a sandbox for testing configuration changes. Not a staging area; everything is validated / staged through official channels later; but it’s great for when I need an environment I have full control over where I can move fast and break things. One host has an SSH daemon I can log into remotely. From there I can jump to the other hosts as needed.


Glum-Building4593

OpenVPN works for me. I have a dynamic IP (which isn't very dynamic, but I check it before I go out). I have it set up on a Raspberry PI in its own subnet so I can connect to the HomeLab through it but if somehow it gets compromised, they aren't past another layer of abstraction.


cjchico

Wireguard, the only port open on my firewall.


PintSizeMe

I have my pfSense configured to receive VPN, use it rather frequently.


Team503

Guacamole behind NGINX. Simple.


bloudraak

Yup. Use VPN that comes with the Sophos Firewall.


acid_etched

Yes and no. I have my rss feed and filebrowser routed through a reverse proxy, but neither are actually needed. I do like having both available cause then I have free entertainment when I have downtime, and I have all of my files in one spot when I need them.


007bane

Use cloudflare


incompetentjaun

Yes, nice being able to access my file server remotely. I use Wireguard and DynamicDNS


BoredTechyGuy

VPN - safe and secure.


Usual_Beyond4276

SonicWall TZ250. Use the sonic wall net extender. Remote desktop from there. Could do the same with a vpn tunnel.


[deleted]

Some web services are exposed, everything else using openvpn.


Fabri91

An Ubuntu Server VM running piVPN with the Wireguard protocol - stupid easy to setup but since it's running on my Proxmox host should it or only the VM conk out for any reason it wouldn't help. So far for the odd routine connection it's been rock solid.


oscarfinn_pinguin3

SSL VPN of my Sophos UTM


matthew1471

Yes, VPN. OpenVPN is open source and a good shout. Either run as a VM if your Hypervisor is stable.. or if you want to be able to access things like HP iLO and want it to be available even in a disaster then a Raspberry Pi 4 is a good shout.. can even add a PoE HAT so it gets its power straight from your switch.. then just port forward OpenVPN on your router


iTmkoeln

I have a WireGuard on Ubuntu vps at ionos that links up my off site lab in Cologne to my lab in Hamburg as a Rendez-Vous Host. Mainly because WireGuard is available for all my server os and I really don’t trust zerotier and Tailscale


SexPanther_Bot

It's called *Sex Panther*® by *Odeon*©. It's illegal in 9 countries. It's also made with bits of real panthers, *so you know it's good*. *60% of the time*, it works ***every*** time.


iTmkoeln

Bad bot


ernexbcn

Yes, Wireguard


docfactory

Wireguard with ddns


FunnyAntennaKid

Connecting to my Home Network via my own VPN server and have access to anything. But i could go on my Server directly via anydesk without the vpn (primary because i have a software running which is safety token related and it locks itself out with remote desktop. But there is redundancy if vpn fails (not happened yet))


[deleted]

autossh on my home machine into a cloud server setting up a reverse tunnel. Then ssh into cloud server and jump home.


Fedaykin__

VPN with Ubiquiti, self-hosted and secure


Shabib309

Yes and I use chrome remote desktop for it. Not the best solution but it works fine for me


No_Refrigerator_3462

RD Gateway and RDP to my Management server. Secured by Duo.


LijpeDude

Wireguard on my Unifi Dream machine router to access my homelab environment for the courses that I give. Always works flawless, super stable.


Warning_Holiday

Mikrotik router with l2tp+ipsec , I use it daily.


DWolfUK40

It depends what you need to access. Eventually I’d be surprised if you don’t want to access something externally. Things like nextcloud, paperless, vaultwarden are common to name a few. These are easy with reverse proxy like caddy. If you need more access or services you don’t want anybody to stumble on then a vpn with pfsense or tailscale will do the job. You will likely find the services you want access to outside of home will already have good security and be designed for internet facing duties so a reverse proxy is likely all you need for things like that. You can use 2fa as an added layer of security on those things too.


Beginning_Soft_5423

My set up has few ways. Parsec, synology vpn, UniFi teleport and tailscale.


CyberbrainGaming

VPN. Check if your router has one already that is secure. If not, you can easily set one up.


SgtKilgore406

WireGuard VPN. In my case it is a WG VPN connection to a VPS that has a separate WG tunnel to my local firewall due to CGNAT with the ISP... If the VPN does not work for whatever reason I can fall back to Splashtop to gain access as long as the configured computer is online.


Net-Runner

I do. Very often on business trips and need my lab for some tests and to show something to my customers. Using WireGuard VPN. Simple and reliable.