I’ve been setting up a music server on my home server recently, looking to move away from private hosting options like iBroadcast, but I’ve hit a bit of a snag when it comes to actually accessing my server when away from home.
The two most common recommendations I’ve seen are Cloudflare and OpenVPN. My router supports OVPN access, so I gave that a try, but couldn’t ever actually make it work. I don’t know for sure, but I think it’s probably something with my ISP that I can’t really easily work around. As far as Cloudflare goes, setting up a tunnel requires you to have a domain set up with them even if you’re just using Warp, and since I don’t have one, that’s not an option.
What other good options are there for remote access? I’m running Open Media Vault as my server. Thanks.
Edit: Based on responses, it looks like Tailscale is the way to go since it’s all private to me. Thanks everyone!
Port forward/poke holes in firewall + dynamic DNS.
Tailscale, Netbird, or Pangolin. FOSS overlay networks have completely eliminated traditional VPN setups for my self-hosting needs.
pangolin is cool
I use WireGuard. One network is behind CGNAT so I just get that client to connect outbound to the other client to initiate the tunnel (instead of trying to connect to it) and it works just fine.
I did try Tailscale once upon a time but it was so clunky and confusing for me… I just wanted to simply access my entire networks remotely without any overhead
Another vote for Tailscale. I can be on my home network while away from home. I have no idea how it actually works, it seems like magic to me and I love it.
Wireguard point to point connection with automatic discovery and nat traversal using public hosts (or if you use headscale, a combination of personal and public hosts)
I use a wireguard tunnel that connects to a cheap VPS and then configured a caddy reverse proxy on that VPS that makes my services available on the internet.
Yeah I’ve been using wireguard for a long time myself personally, and more recently for a small team to access an intranet.
I’m a big fan. After a half hour or so trying to understand configs it’s pretty manageable.
Tailscale should work. It uses Wireguard and does some UDP fuckery to get around the firewall and NAT (including CGNAT). I can stream Jellyfin through it at 1080p native with no significant buffering, it’ll work for music.
I run substreamer and tailscale to access my home navidrome. Works like a charm.
If it’s just for you, check out Tailscale.
Or netbird if you want something non US.
Tailscale is not American, it’s Canadian 🍁
You’re right, my bad.
> recommendations I’ve seen are Cloudflare
I know a lot here are not too comfortable with Cloudflare. However, the Cloudflare Tunnels/Zero Trust is a solid option.
> As far as Cloudflare goes, setting up a tunnel requires you to have a domain set up with them

I purchased a domain from Namecheap for less than $5 USD. Cloudflare doesn’t require you to purchase a domain from them, however they do require that you use their nameservers for obvious reasons.
Barring all of that, Tailscale is solid as well.
> probably something with my ISP that I can’t really easily work around
I’d try and find out if you’re behind a CG-NAT first, and whether you have IPv6 support. Some ISPs will turn off CG-NAT if you ask if that is the reason you haven’t been able to get things working. Wireguard will then work properly which is a bit kinder on battery life with mobile devices in particular compared to Tailscale and Netbird (although both are improving in that regard).
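One way to run the CG-NAT check suggested above, as an added example that is not part of the original thread: compare the WAN address shown on the router's status page with the address an external "what is my IP" service reports. The function name, the result labels and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges. A WAN address in one of these means something
# upstream is translating: a second router, or an ISP doing CG-NAT with
# private space instead of 100.64.0.0/10.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_wan(router_wan: str, observed_public: str) -> str:
    """Classify the router's WAN address (hypothetical helper).

    router_wan:      address the router reports on its WAN interface
    observed_public: address an external service sees for this connection
    Returns "cgnat", "double-nat", "direct" or "mismatch".
    """
    wan = ipaddress.ip_address(router_wan)
    pub = ipaddress.ip_address(observed_public)
    if wan.version != pub.version:
        raise ValueError("compare two addresses of the same IP version")
    if wan in CGNAT_NET:
        return "cgnat"        # inbound port forwards cannot reach the router
    if any(wan in net for net in RFC1918_NETS):
        return "double-nat"   # forwarding needed on the upstream device too
    if wan == pub:
        return "direct"       # port forward plus dynamic DNS can work
    return "mismatch"         # public-looking WAN, but translated upstream


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real hosts.
    for wan, pub in [
        ("100.72.14.9", "203.0.113.25"),
        ("192.168.1.2", "203.0.113.25"),
        ("203.0.113.25", "203.0.113.25"),
    ]:
        print(wan, pub, classify_wan(wan, pub))
```

Tailscale assigns its own node addresses from 100.64.0.0/10 as well, so read the WAN address from the router itself rather than from a device's Tailscale interface.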
I use https://github.com/slackhq/nebula. Maybe a little more work than tailscale, but I’m happy with it.
You could use PiVPN (you don’t need to install it specifically on a Raspberry Pi – this is just a handy all-in-one software solution). It supports both OpenVPN and Wireguard standards. Forward the relevant port in your router configuration, set up a single user for yourself in the VPN settings, and then connect via whichever client you prefer (OpenVPN if you use OVPN, or Wireguard if you use Wireguard).
I’ve used it before to access locally-hosted services from outside my home network and it gets the job done with fairly minimal setup.
I got put behind CGNAT. I had an unused domain name, so I pointed it to a free Oracle VPS, installed WG Quick on that and on my home server and voila - complete access for anything I want.
I have been thinking of this myself. I think what I’ll do eventually is DMZ a headscale coordinator instance on an old raspi and then make that internet facing for my Tailscale instances. But before running my own coordinator, what I want to do is go over some NIST guidelines first to harden the raspi. I think starting with what you want to achieve and building a threat model helps narrow options of implementation and cuts the noise.
I have a limited budget but have mostly older gen Unifi gear and they have a built-in feature they brand as Teleport that if I understand right uses Wireguard under the hood. Works great for my limited use cases.