Very good points all around.
So far, I have WireGuard set up, and activate it when I need access.
This year I have considered Cloudflare tunnels to enable them only to issue SSL certificates (instead of signing my own like I did last year). But not sure if it is worth it or if I should just keep signing myself.
(Cert is mainly to avoid SSL warnings on iOS and browsers, so far I am the only one using what I host)
Might also be nice to not have to configure each device to use a different dns server (my own), but not sure the benefit is worth having that dns record “out there” and Cloudflare “in here”.
The DNS-01 challenge [1] allows for issuing SSL certificates without a publicly routable IP address. It needs API support from your DNS provider to automate it, but e.g. lego [2] supports many services.
I personally leave my Wireguard VPN always on, but as its only routing the local subnet with my services, it doesn’t even appear in my battery statistics.
[1] https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
Thank you for the info and the links. That seems like a more sensible approach. Hope to try it out after the work week is done.