Their setup sounds similar to mine. But no, only a single service is exposed to the internet: wireguard.
The idea is that you can have any number of servers running on your lan, etc... but in order to access them remotely you first need to VPN into your home network. This way the only thing you need to worry about security wise is wireguard. If there's a security hole / vulnerability in one of the services you're running on your network or in nginx, etc... attackers would still need to get past wireguard first before they could access your network.
But here is exactly what I've done:
- Bought a domain so that I don't have to remember my IP address.
- Setup DDNS so that the A record for my domain always points to my home ip.
- Run a wireguard server on my lan.
- Port forwarded the wireguard port to the wireguard server.
- Created client configs for all remote devices that should have access to my lan.
Now I can just turn on my phone's VPN whenever I need to access any one of the services that would normally only be accessible from home.
P.s. there's additional steps I did to ensure that the masquerade of the VPN was disabled, that all VPN clients use my pihole, and that I can still get decent internet speeds while on the VPN. But that's slightly beyond the original ask here.
Yes it would. In my case though I know all of the users that should have remote access snd I'm more concerned about unauthorized access than ease of use.
If I wanted to host a website for the general public to use though, I'd buy a VPS and host it there. Then use SSH with private key authentication for remote management. This way, again, if someone hacks that server they can't get access to my home lan.