Any reason you can’t use a locally hosted VPN? That would be my solution for something like this. Either use tailscale or use a wireguard VPN and a dynamic DNS service.
Later on I might consider adding some PiKVMs in order to be able to more safely reboot/troubleshoot/access BIOS.
With a sandpaper tongue and diamond studded grilles.