I have many services that doesn’t “need” to be public, as public facing for one specific reason. TLS.

A lot of the times android apps won’t connect to http directions, not even local ones, and require a proper https connection with a well known CA.

For that I put the services behind a caddy reverse proxy to get a valid tls certificate.

And them I do the trick, and basically on caddy reject all connection that’s not local. Thus, making the supposedly “public” site a practical “local” one.

Once there I just connect through wireguard.