Problem
Inbound connections from the internet cannot reach the homelab directly.
No port forwarding · No public IPv4
CGNAT means your home network has no public IPv4 you can port-forward to. The solution is to initiate outbound connectivity (tunnel) and let the VPS be the public entry point.
Constraint
Only outbound connections are reliable from the homelab side.
Tunnel keepalive
Design Choice
Expose services via VPS + TLS, then forward through the tunnel.
Least exposure · Central control