npub1tj54dz997wrdyqgf8sc36z3upy3ld0ujmwqyx42dtqxcwc7l68fqlx5ry2 (npub1tj5…5ry2) WireGuard is a lifesaver, especially now that it's embedded in all modern Linux kernels and it runs on basically any OS.
I used OpenVPN for many years. It wasn't a big deal, but it definitely was a bit cumbersome to install ad-hoc clients and move certificates around. With WireGuard, adding a new client is almost as simple as copying an SSH keypair and specifying the address of the server. And it's even super easy to spawn a bunch of different servers if you want isolated VPN networks.
Thanks to this configuration (HTTP nginx gateways and VPN servers run on Internet-facing Linode machines that do nothing other than proxying requests, and everything else runs in my home network where I have basically unlimited storage) I've easily managed to scale up a big infrastructure.
I think that exposing and hardening services one by one directly on your residential IP would probably take you more time in the long run, while setting up a VPN connection is something that you only have to do once.