zfa

joined 1 year ago
[–] [email protected] 1 points 1 year ago

You can either point the first proxy to the second proxy, or point it to the backends directly. Depends if you have firewalls in the way that stop the VPS proxy reaching your backends directly; or if that internal nginx instance is doing anything clever like handling auth, adding headers etc. etc.

In your instance I'd more likely have the VPS locked down and unable to access my internal resources and just open up its access to my internal nginx instance. Therefore chaining proxies would be my approach but there's no right or wrong.

[–] [email protected] 1 points 1 year ago

I'd go for an ESP8266/ESP32 with a telegram bot and LED (based sign) hanging off it. Just send a msg on telegram to turn it on/off.

That having been said, loads of ways to trigger the sign status - it could poll a website to see what status it should display and you have a mechanism of updating that status yadda yadda yadda.

Note that those little chips need wifi so you'd need to be able to connect it to wifi and have it get public internet access (or whatever you decide to control it). Loads of posts/youtube exist about driving WS2812 LEDs, or making your own DIY LED 'neon' signs. Cool little projects.

[–] [email protected] 1 points 1 year ago

I assume you already have DNS=192.168.0.1 defined in your client WG config (or whatever DNS server you use at home)?

[–] [email protected] 1 points 1 year ago

What makes you think this is the case?

A DNS leak test showing Cloudflare could just be that is the upstream resolver in your AGH config, for example.

Provide your phone model and Android version, I've never heard of the DNS being unchangeable. Bonus points if you can post a screenshot of your phone's 'private dns' settings.

[–] [email protected] 1 points 1 year ago (2 children)

Not sure about Roku, that might be asking too much, but Retroarch is the daddy of emulation frontends and I've seen people run that on Android boxes with ROMs just read from a NAS via SMB. It's available on most platforms you can think of.

There's also dedicated gaming OSes (which will run on many generic S905ish AndroidTV boxes as well as PCs etc) which serve as prettier wrappers to that and other emus, my personal preference being Batocera if you whole-heartedly want those client systems to become 'retro gaming systems'.

KODI + IAGL would also be a workable solution on all platforms which have KODI, that can run the games directly from archive.org so negates the need for the SMB share.

There's also lots of retrogaming-adjunct subs where this will be answered better than by us nerds here too.

[–] [email protected] 1 points 1 year ago

I'd have the clients connect to the central server in a hub-and-spoke VPN topology using something like WireGuard say.

Use the central host as either a jumphost or configure your personal devices to also connect to it via VPN and have it handle routing so you can connect directly to the clients once you're connected to the central server.

This is a somewhat standard topology so no need to reinvent the wheel.

[–] [email protected] 1 points 1 year ago (1 children)

Cloudflare Tunnel's cloudflared links your home to two closest data centres and so should (?) be quicker, but response times would depend on where a user is accessing your service from.

However, given residential ISP speeds and peering in most parts of the world you'd be unlikely to notice any real difference between the two and other than that 'last leg' access tech the processing within Cloudflare's flow is the same whether you use cloudflared or direct proxying.

[–] [email protected] 1 points 1 year ago

Not sure why no one has pointed you to the actual product Cloudflare have for API security - Cloudflare API Gateway (and API Shield).

You can kinda-sorta-not-really fudge control with a combination of Access Policy (or exclusion rules for that) and Firewall Rules, or even tack on Access control via JWT etc if you want though.

Without any of those just consider it having been made 'public' to the internet at large and secure accordingly.

[–] [email protected] 1 points 1 year ago

Please follow the /u/jerwong advice.

[–] [email protected] 1 points 1 year ago

I know, I know 'BuT It's NOt seLFhOStEd!' but I just let the pros deal with bots and front that kind of stuff with Cloudflare.

If you've privacy concerns you can always have that one thing on a specific subdomain and only enable Cloudflare on that, whilst keeping the rest of your subdomains unproxied.

Alternatively can't you add a captcha (again, giving up a bit of privacy).

[–] [email protected] 1 points 1 year ago

No worries, HMU if you need anything else but the docs are stellar and once you get your head around the concept and have a play I'm sure you'll find it just set and forget. GL.

[–] [email protected] 1 points 1 year ago (2 children)

You can either point the Cloudflare Tunnel directly to the backend, or point it to the service on NPM and keep that in place proxying to the backends.

Whilst the latter seems to duplicate functionality, it does allow you (down the track?) to have local access use the same hostname as public access by defining local DNS entries for subdomain.example.com which point to the NPM IP address (instead of resolving to Cloudflare's IP address when looked up on public DNS servers).

I would think most homelabbers/self-hosters end up with that topology as opposed to having everything have to go through Cloudflare even when it's purely local access at home.
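As an added illustration of the tunnel-to-NPM topology described above (example config, not the commenter's own), a cloudflared `config.yml` whose ingress rule hands public traffic for one hostname to the NPM instance instead of the backend. Assumed values: NPM listening on `192.168.1.10:443`, the hostname `app.example.com`, and a placeholder tunnel UUID.

```yaml
# Added example, not the commenter's config. Assumed: NPM at 192.168.1.10,
# public hostname app.example.com, tunnel UUID is a placeholder.
tunnel: <TUNNEL-UUID-PLACEHOLDER>
credentials-file: /etc/cloudflared/<TUNNEL-UUID-PLACEHOLDER>.json

ingress:
  # Public requests for this hostname are handed to NPM, which keeps doing
  # the per-service proxying (and whatever auth/TLS it is configured for).
  - hostname: app.example.com
    service: https://192.168.1.10:443
    originRequest:
      # Present the public hostname to NPM so it selects the matching proxy
      # host and certificate; TLS verification to the origin stays enabled.
      originServerName: app.example.com
  # Catch-all: anything else reaching the tunnel gets a 404, never a backend.
  - service: http_status:404
```

For the local-access half of the topology, a LAN resolver rewrite such as dnsmasq's `address=/app.example.com/192.168.1.10` makes the same hostname resolve straight to NPM at home, while public DNS keeps returning Cloudflare's addresses.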
