I have a wireguard tunnel set up between my home server and the VPS, with persistent keepalive. The public domain name points to the VPS, then I have it set up (simply using iptables) so that any traffic there in port 80 and 443 is sent back to my honeserver and there it’s handled by caddy, and sent to the actual service.

The only ports I need to open are 80 and 443 on my VPS to make this setup work. So, no open ports on my local machine. This does however require you to pay for VPS. Since you aren’t doing much on it though, you can get away with a cheap one. I have a $12/year VPS from Rack nerd that I use for this job.

For completely free options, you can do one of three things. (That I can think of. There are probably more ways.)

1. Either open up some ports on your machine. You’ll need to make sure that you aren’t behind a CGNat for this. I simply don’t like opening ports to the internet, though.
2. You can use a VPN. Tailscale works great for this. I use it personally for sshing remotely into my machines.
3. You can use cloudflare-tunnels. Potentially bad privacy-wise since they can technically access the data. So don’t use it for sensitive stuff. Also, their policy doesn’t allow traffic that’s not mostly HTML. So something like a Jellyfin server would violate this. But you do get to use their firewall which is great for protection against DDOS attacks.

P.S. If you need help setting any of these up, lmk.