VPN Isn't Working
I tested "remotely" while on my network, using a laptop on my phone's hotspot, and it seemed to work.
I was able to configure a VPN server on my LAN/WiFi router, poke a hole through my egress router to the VPN ports, and connect on the laptop, which was not on my network's WiFi or Ethernet. While I was connected that way, I could see in the router's admin panel that my laptop was connected from a remote IP. I could also SSH to my servers and hit my admin web apps and a few internal sites. Then I set my egress and LAN to block all the ports I didn't want the world to access, leaving essentially HTTP/S and e-mail ports "open." And "open" there still has limits, as only my CDN can hit the HTTP/S servers through my egress router firewall to the web servers, and the e-mail server has aggressive firewall rules blocking countries I don't want connecting to it. No longer is SSH open to the world, and neither router allows connections to either its web or SSH ports from networks other than mine.
Today I'm remote. I brought my laptop to do a little more stuff than I can do on my iPad. It connects to the VPN just fine, but has some trouble reaching some websites in the world through the VPN. I hit https://ip6.me and I can see that I have only an IPv4 address, and it's my VPN router's port. This is separately concerning, as the router does have an IPv6 address, but maybe the VPN isn't assigning one; a quick peek at the interface in bash shows it does not give me an address, so that's something to fix, I guess. I can hit one of my web servers by IP address, but not the other. And on the one that works, (some) sites respond using names via curl with a --resolve parameter. I'm not sure why some work and others don't.
So it kind of works.
But I can't SSH to the same servers. I can't hit nonstandard ports, like 9443, where an HTTPS server awaits. And not all of the web servers respond through the reverse proxy, despite others working and knowing that it works when not on the VPN.
There must be something on the servers that isn't trusting the VPN IPs. As with many NAT LANs, mine is a 192.168.x/24. The VPN is a 10.x.y.z/24. A peek on the internet shows that a static route might need to be added to my VPN router to transit the traffic to the LAN. That I can hit one web server and not the other is probably a firewall rule. That I can't hit my egress router from the VPN is weird, as that should be allowed, since the connection should be coming from its local subnet.
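As an added illustration (not part of the original note), the following Python model traces a packet through the routing tables of a simplified version of this setup: a LAN host whose default gateway is the egress router, a VPN router that also sits on the LAN and owns the 10.x tunnel subnet, and a VPN client behind it. All addresses (192.168.1.0/24, 10.8.0.0/24, 203.0.113.1) and node names are assumptions. It shows the usual reason a VPN client can reach LAN hosts while their replies never come back: the LAN host hands a reply for 10.8.0.2 to its default gateway, and the egress router, knowing nothing about the tunnel subnet, sends it toward the WAN. The same model shows where the return route has to live: on whatever device the LAN hosts use as their default gateway (or on each host), pointing at the VPN router's LAN address; the VPN router itself already knows the tunnel subnet, because the tunnel interface is directly connected to it.

```python
import ipaddress

# Constructed, simplified model of the post's network. All addresses below are
# assumptions: the post only says the LAN is 192.168.x/24 and the VPN is 10.x.y.z/24.
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")   # tunnel subnet, owned by the VPN router (tun0)

# Per-node routing tables: (prefix, gateway or None when directly connected, interface)
ROUTES = {
    "lan-host": [                                   # e.g. a web server at 192.168.1.10
        ("192.168.1.0/24", None, "eth0"),
        ("0.0.0.0/0", "192.168.1.1", "eth0"),       # default -> egress router
    ],
    "egress-router": [                              # 192.168.1.1, the LAN's default gateway
        ("192.168.1.0/24", None, "lan0"),
        ("0.0.0.0/0", "203.0.113.1", "wan0"),       # default -> ISP (outside the model)
    ],
    "vpn-router": [                                 # 192.168.1.2 on the LAN, 10.8.0.1 on tun0
        ("192.168.1.0/24", None, "lan0"),
        ("10.8.0.0/24", None, "tun0"),
        ("0.0.0.0/0", "192.168.1.1", "lan0"),
    ],
}

# Which modelled node answers to which address. The VPN client (10.8.0.2) has no entry:
# it is reached only through the VPN router's tun0 interface.
OWNER = {
    "192.168.1.10": "lan-host",
    "192.168.1.1": "egress-router",
    "192.168.1.2": "vpn-router",
    "10.8.0.1": "vpn-router",
}


def lookup(node, dst, routes=ROUTES):
    """Longest-prefix match over one node's table, the way `ip route get` decides."""
    best = None
    for prefix, gateway, iface in routes[node]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def trace(src_node, dst_ip, routes=ROUTES, max_hops=8):
    """Follow a packet hop by hop. Returns the nodes it crosses, ending in
    'delivered' or 'lost:<reason>'."""
    dst = ipaddress.ip_address(dst_ip)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        route = lookup(node, dst, routes)
        if route is None:
            return path + ["lost:no-route"]
        _net, gateway, iface = route
        if gateway is None:                           # destination is on a connected link
            if iface == "tun0" and dst in VPN:        # a VPN client behind the tunnel
                return path + ["delivered"]
            owner = OWNER.get(str(dst))
            if owner is None:
                return path + ["lost:no-such-host"]
            return path + [owner, "delivered"]
        node = OWNER.get(gateway)
        if node is None:                              # handed to the ISP; a private address dies there
            return path + ["lost:sent-to-wan"]
        path.append(node)
    return path + ["lost:loop"]


def add_route(routes, node, prefix, gateway, iface):
    """Copy the tables and add one static route on `node` (no in-place mutation)."""
    new = {name: list(table) for name, table in routes.items()}
    new[node].append((prefix, gateway, iface))
    return new


def with_return_route():
    """Tables after the fix: the egress router learns that 10.8.0.0/24 lives behind
    the VPN router's LAN address."""
    return add_route(ROUTES, "egress-router", "10.8.0.0/24", "192.168.1.2", "lan0")


if __name__ == "__main__":
    print("forward, VPN client -> LAN host :", trace("vpn-router", "192.168.1.10"))
    print("reply, LAN host -> VPN client   :", trace("lan-host", "10.8.0.2"))
    print("reply, egress router -> client  :", trace("egress-router", "10.8.0.2"))
    print("reply after static route        :", trace("lan-host", "10.8.0.2", with_return_route()))
```

Run it directly and the forward trace ends in "delivered" while both reply traces end in "lost:sent-to-wan", which is exactly the pattern of "it connects, but only some things answer": anything that happens to have its own route to the tunnel subnet works, everything else silently times out, and the egress router's own admin interface is unreachable because its replies leave by the WAN. On the real network the equivalent check is `ip route get 10.8.0.2` on a LAN host and on each router, which prints the gateway each would use. The other common fix, if routers cannot be given static routes, is to NAT VPN clients behind the VPN router's LAN address, in which case the LAN really does see the connections as coming from its own subnet.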
I'll do other work for now, and leave the servers alone until I get back to the LAN. I just thought to make a note to remember.