by ericcholis 1669 days ago
Another nice alternative is Tailscale
2 comments

I use ZeroTier for this too, although Tailscale would work just as well. To avoid port forwarding out of my local network (irrational fears), I have a $5 droplet running Pomerium (an SSO proxy, similar to self-hosted Cloudflare Access) and it sits on my ZeroTier network along with the boxes at my house, proxying requests (once they are authenticated) through ZeroTier to the boxes on the private network.

It works very well. Pomerium is easy-ish to configure (especially because it takes care of certs for you), and I can log into stuff on my LAN without having to boot up the ZeroTier client, which takes a minute to connect on iOS (or from devices that don't have ZeroTier installed). I would've used Cloudflare Access + Argo Tunnel, but at the time they were still charging for tunneled bandwidth (like $10/GB or something outrageous), so this ended up cheaper.

Hi there! Pomerium team member here. We are very glad to hear Pomerium is working well for you and that it was easy-ish to set up.

Could you share more with the team and community so we can improve the setup experience for other users going into the future?

Our Slack here! https://slack.pomerium.io/

Or join Discuss and document your thoughts for other users here! https://discuss.pomerium.com/

A major difference is that with Tailscale every visitor must install a client. The article's solution should be fully browser-based.