Something like Wireguard, Tailscale (uses Wireguard but provides easier administration), a reverse proxy, or a VPN are the best approaches.
Since OP doesn’t need for anyone else to access, I’d use Tailscale (Wireguard if you want a little more effort). Tailscale has a full self-host option with Headscale, though I have no problem with letting them provide discovery.
With Tailscale, you don’t even need the client on devices to access your Tailscale network, by enabling the Funnel feature. This does something similar to Reverse Proxy, by having a Web-exposed service hosted by Tailscale which then routes traffic (encrypted) to your Tailscale network.
Since their modem is handing out DHCP addresses, is there any reason why you couldn’t just connect that cable to your router’s internet port, and configure it for DHCP on that interface? Then the provider would always see their modem, and you’d still have functional routing that you control.
Since consumer routers have a dedicated interface for this, you don’t have to make routing tables to tell it which way to the internet, it already knows it’s all out that interface.
Just make sure your router uses a different private address range for your network than the one handed out by the modem.
So your router should get DHCP and DNS settings from the modem, and will know it’s the first hop to the internet.
I do this to create test networks at home (my cable modem has multiple ethernet ports), using cheap consumer wifi routers. By using the internet port to connect, I can do some minimal isolation just by using different address ranges, not configuring DNS on those boxes, and disabling DNS on my router.
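As an added example (not the commenter's own code), a small Python check for the address-range advice above: given the WAN address and netmask the modem's DHCP handed the router, it flags double NAT, reports whether the chosen LAN range collides with the modem's range, and picks a non-overlapping range from a constructed candidate list.

```python
import ipaddress

# RFC 1918 ranges: what a consumer router or an ISP modem doing NAT hands out.
# (Checked explicitly rather than with .is_private, which also matches
# documentation/test ranges such as 198.51.100.0/24.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed candidate LAN ranges for the router behind the modem (assumption, not from the page).
CANDIDATE_LANS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24", "192.168.10.0/24", "192.168.50.0/24", "10.10.0.0/24", "172.16.10.0/24")]


def wan_network(wan_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Network the modem placed the router's WAN port in, from the DHCP lease (address + dotted mask)."""
    return ipaddress.ip_interface(f"{wan_ip}/{netmask}").network


def is_double_nat(wan_ip: str) -> bool:
    """True if the modem handed the router an RFC 1918 address, i.e. the modem itself is doing NAT."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in RFC1918)


def lan_conflicts_with_wan(wan_ip: str, netmask: str, lan_cidr: str) -> bool:
    """True if the router's LAN range overlaps the modem's range (routing breaks or becomes ambiguous)."""
    return wan_network(wan_ip, netmask).overlaps(ipaddress.ip_network(lan_cidr))


def pick_lan_range(wan_ip: str, netmask: str, candidates=CANDIDATE_LANS) -> ipaddress.IPv4Network:
    """First candidate LAN range that does not overlap the modem-side network."""
    wan = wan_network(wan_ip, netmask)
    for cand in candidates:
        if not cand.overlaps(wan):
            return cand
    raise ValueError("no candidate LAN range avoids the modem's network")


def check(wan_ip: str, netmask: str, lan_cidr: str) -> dict:
    """Summarise the double-NAT setup: is it double NAT, does the LAN collide, and what to use instead."""
    conflict = lan_conflicts_with_wan(wan_ip, netmask, lan_cidr)
    return {
        "double_nat": is_double_nat(wan_ip),
        "lan_conflict": conflict,
        "suggested_lan": str(pick_lan_range(wan_ip, netmask)) if conflict else lan_cidr,
    }


if __name__ == "__main__":
    # Constructed lease: modem gives the router 192.168.0.10/24 and the router LAN is also 192.168.0.0/24.
    print(check("192.168.0.10", "255.255.255.0", "192.168.0.0/24"))
```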
Have you looked at using the Funnel feature in Tailscale, instead of port mapping? This gets external traffic onto your Tailscale network (for anyone who doesn’t have Tailscale) for specific resources, courtesy of Tailscale servers.
If you’re just going to open ports to the world, Tailscale isn’t really necessary (it’s useful for you and anyone on TS, since you can use the Serve feature to permit other Tailscale networks to have access to specific resources).
For the money you’ll spend on drives, you may be able to pay for a year of space at somewhere like www.storj.io, and use something like Duplicati to backup to them.
Because even with a shiny new NAS, you’ll still need backup for it when it crashes, something is accidentally deleted, a drive hiccups and loses data, etc.
If you already have some stuff sitting around, spin up an UnRAID/TrueNAS, but still have a backup solution.
SimpleX - requires nothing, just install. But you connect with other people by sending a code outside of SimpleX. Though they’ve added a directory service for groups.
XMPP
Wire (not Wiremin), though it requires an email account, which is easily addressed with a disposable email.
Signal is very secure from what I’ve read, despite the phone number identifier.
On the flip side, direct open ports to your home network aren’t really a great idea anyway.
At one time it wasn’t as bad, but today I’d be hesitant because of the number and capability of bad actors and I’m not a network security expert (though I have a lot of training in networks, just shy of that kind of expertise).
In a way, these restrictions have promoted the use of even more secure approaches, like using Cloudflare tunnels, VPS’s with VPN connections to your network, or things like Wireguard/Tailscale, which provide a virtual (encrypted) network layered on top of the public (untrusted) network.
All of these can provide externally controlled (secured and encrypted) access to specific resources within your own network. As mentioned, VPS with VPN, Cloudflare tunnels, or Tailscale Funnel or Share.
It’s nowhere near as convenient as Telegram; the clients on each OS are at best OK.
Show me conversation history when I login to Signal desktop. Oh, yea, it doesn’t do that. Is there even a web login?
From a typical user standpoint, Signal looks like text messaging, and that matters to them. And it’s not simple to manage.
Signal is coming along, and I look forward to when it’s mature enough that I can get people to use it (again). But they also made a massive mistake in dropping SMS support. That was my best tool to get people to switch. When they dropped SMS, those folks all left signal.
My cable modem consumes about 10-20W (I’ve done monitoring). This while a single file server is continually backing up to Crashplan (about 700GB this month so far). So I don’t even see my cable modem in my power bill.
My file server is much worse - on average it’s consuming about 100W (or 2400Wh/day). I’ve done the math several times, that’s about $1/day. It’s the box that’s syncing with all my devices, and then backing up to Crashplan.
Tailscale just solves so many of these types of problems.
With a virtual network, you no longer need tools that work over the internet - just use the same tools as you would on a LAN.
I’ve used Hamachi this way on Windows since about 2006. I’ve waited for an Android/iOS client, but it never appeared. Glad to see Wireguard/Tailscale step in to fill that gap, and it’s self-hostable!
Yea, they all suck that way. I still use my own router for wifi. It’s just routing, and your own router will know which way to the internet, unless there’s something I don’t understand about your internet connection. See my other comment below.
Yea, requirements mapping like this is standard stuff in the business world, usually handled by people like Technical Business/Systems Analysts. Typically they start with Business/Functional Requirements, hammered out in conversations with the organization that needs those functions. Those are mapped into System Requirements. This is the stage where you can start looking at solutions, vendor systems, etc, for systems that meet those requirements.
System Requirements get mapped into Technical Requirements - these are very specific: CPU, memory, networking, access control, monitor size, every nitpicky detail you can imagine, including every firewall rule, IP address, interface config. The System and Technical docs tend to be 100+/several hundred lines in Excel respectively, as the Tech Requirements turn into your change management submissions. They’re the actual changes required to make a system functional.