Today, to safely and securely connect your devices across the web, you want to use a VPN (virtual private network). Think of it as a convoy of unmarked delivery trucks or blacked-out SUVs: you can see the traffic, but have no idea of the contents or destination. You are reading this through my ‘front porch/door’ via a Cloudflare Tunnel. You can get these for free with a domain name, which you do have to pay for, but not much (see Namecheap, GoDaddy or Network Solutions). With a domain name and a free Cloudflare account, point your domain name to Cloudflare, use their DNS servers, and you are good to go.
To expose any service through this tunnel, from website to photo gallery and beyond, the IP address and port of the machine the service is on need to be known. This information is easy to obtain; the decision is where to put it. Essentially this comes down to which end of the magic tunnel you store the secret beans (IP and port) on. You are probably safe entrusting it to the Cloudflare end; I did for a year with no issues. To store it on the local end, you need a proxy manager to route the incoming traffic to the correct location. This means another container, this time nginx to do proxy management, i.e. the bouncer at the door. Under the advisement of Gemini 3, I took this route as an added layer of security.
This setup allows me to safely and securely expose the services I choose for access across the web: to anyone, in the case of this website, or, for other services, to a select few if they know the correct URL and have the correct credentials for that endpoint.
This is the front door, the Pi shops web division.
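To make the "local end" option concrete, here is a plain nginx configuration for the bouncer. It is an added example, not the configuration running behind this site. It assumes the tunnel's only origin is the nginx container, so Cloudflare holds hostnames only. The hostnames, LAN addresses, ports and the use of HTTP basic auth for the "select few" are constructed placeholders.

```nginx
# Added example: a file for nginx's conf.d/ (included inside the http block).
# All names, addresses and ports below are constructed placeholders.

# Requests for any hostname not listed below never reach a backend.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific code: close the connection, send nothing
}

# Public website: open to anyone who arrives through the tunnel.
server {
    listen 80;
    server_name www.example.com;

    location / {
        # The "secret beans": the service's LAN IP and port live only here.
        proxy_pass http://192.168.1.20:8080;
        proxy_set_header Host $host;
        # Cloudflare passes the visitor's address in CF-Connecting-IP.
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
    }
}

# Photo gallery: correct URL plus credentials required.
server {
    listen 80;
    server_name photos.example.com;

    # Assumption: basic auth stands in for whatever login the service uses.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd/photos;

    location / {
        proxy_pass http://192.168.1.21:2342;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
    }
}
```

With this layout, adding or moving a service means editing nginx locally; the Cloudflare side only ever sees the public hostname and the address of the nginx container.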
Tailscale is another VPN; it’s built on WireGuard. It allows for the creation of private tailnets where any device can talk to any other device from anywhere, as long as they are on the same tailnet, or their tailnet has been granted access to the tailnet they are accessing. What that means is, I can fire up my tablet/phone/laptop from my hotel room, connect to the Wi-Fi, turn on the Tailscale app, click the link for my Jellyfin server and watch my movies. Or, using the tailnet exit node, I appear to the internet to be at home. And, since my network has Pi-hole running to kill ads, I don’t get the ads when on the exit node, always a win in my book.
With Tailscale creating a private, point-to-point encrypted tunnel, it is easy to do system maintenance and admin if needed while on the road.