My recommendation: host OpenVPN, change the default port and only access your NAS from the internet using your VPN. Also only allow the VPN port on your router firewall.
If this, then I would highly recommend Tailscale or Headscale. Just simplifies this process so much. Tailscale is so darn good, my number one tool of choice.
Yeah definitely a good idea. Routing your mobile traffic through it so your carrier cannot access your traffic and the services you don’t want to share location with can’t snoop as much on you.
Depends on your router. I have an Asus and it has a free DDNS option through their domain. I point my WireGuard client at this address and never think of it again. That way, the only port that's open on your router is a WireGuard port and they don't respond to sniffing.
If that's not a possibility, I had a DDNS service before that for like $2/month.
Maybe it is specific to my country, but here the majority of network plans have a CGNAT down the line.
So we have a private IP at the router and there is no way to reach it, unless you relay the traffic to a third point.
If you want a public IP (even dynamic) you need to pay up.
DDNS doesn’t do tunneling. DDNS is a solution to a changing public IP, not something like CGNAT. You’d need a separate service with a relay server to do something like what you’re suggesting, like how Zerotier or Tailscale work.
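An added example, not part of the thread: a small check for telling whether the "DDNS plus one open VPN port" setup discussed above can work, or whether the router sits behind CGNAT and needs a relay. The function name, the category labels and the sample addresses are constructed for illustration; the two inputs are the WAN address shown on the router's status page and the address an external "what is my IP" service reports.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, listed explicitly because ip_address.is_private
# also matches documentation and other special-purpose ranges.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "direct": "Router holds the public IP: DDNS plus one forwarded VPN port works.",
    "cgnat": "Carrier NAT: inbound connections never reach the router, so DDNS "
             "alone cannot help; use a relay/mesh VPN or pay for a public IP.",
    "upstream-nat": "Another NAT sits in front of the router: forward the VPN port "
                    "there too, or treat it like CGNAT if you do not control it.",
}

def classify_wan(wan_ip, observed_public_ip):
    """Classify reachability from the router's WAN IP and the externally seen IP."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_NET:
        return "cgnat"
    # A private WAN address, or one that differs from what the internet sees,
    # means some device upstream is translating the traffic.
    if any(wan in net for net in RFC1918_NETS) or wan != seen:
        return "upstream-nat"
    return "direct"

if __name__ == "__main__":
    # Constructed sample pairs: (router WAN IP, externally observed IP).
    samples = [
        ("203.0.113.10", "203.0.113.10"),
        ("100.72.14.9", "198.51.100.23"),
        ("192.168.1.2", "198.51.100.23"),
    ]
    for wan, seen in samples:
        kind = classify_wan(wan, seen)
        print(f"{wan:>15} seen as {seen:>15}: {kind} - {ADVICE[kind]}")
```

Some carriers use RFC 1918 addresses instead of 100.64.0.0/10 for their NAT, which is why a private WAN address is reported as an upstream NAT rather than ruled out.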