This is all great advice. Now I do have a question. I was planning on creating a WireGuard VPN (using this script: Bypass_CGNAT/Oracle Cloud/Oracle_Installer.sh at main · mochman/Bypass_CGNAT · GitHub) from my server to a public VPS, assign a domain to the public VPS, and access my self-hosted services like Nextcloud, Jellyfin, and Invidious, all behind Caddy as a reverse proxy. My question, though, is how can I enhance the security even further? Already SSH keys, UFW, and Fail2ban do quite a lot, but what else can I do with this kind of setup?
The primary reason why I am doing this is because I have 5G internet and I am behind CGNAT. All incoming connections are blocked on the router and there is no way I can change it, so no IPv6. I also cannot use pfSense or OPNsense, sadly.
About Cloudflare tunnels, I don't think they are very privacy-respecting. As far as I know, all the traffic that comes to them is in clear text.