I use reverse ssh tunnels, technically running on my home server. For each service i want to expose on the internet, i have a systemd-unit which handles a said reverse tunnel to the vps. Basically, the port running the service locally gets tunneled to a port on the vps, that happens via ssh, so reasonably secure (login as root disabled, login with password disabled, with a special user with little to no rights running the systemd service locally and remotely to log in via ssh). On the remote vps, there is a reverse proxy running, nginx, which works like the service would be running on the remote vps, really. There are some services actually running there, a mail server for example. The config files aren’t really different, everything nginx handles gets passed to a localhost port. A nginx instance is also running on the local home server to serve all the local services and the global ones locally, and the dns on my main router resolves the adresses of the global services to the local ones. SSL-Certificates are acquired by the remote vps and copied to the local home server, so that the end users don’t have any difference in their ux regardless if they are in the local network or somewhere outside.