chiisana

If you can serve content locally without tunnel (ie no CGNAT or port block by ISP), you can configure your server to respond only to cloudflare IP range and your intranet IP range; slap on the Cloudflare origin cert for your domain, and trust it for local traffic; enable orange cloud; and tada. Access from anywhere without VPN; externally encrypted between user <> cloudflare and cloudflare <> your service; internally encrypted between user <> service; and only internally, or someone via cloudflare can access it. You can still put the zero trust SSO on your subdomain so Cloudflare authenticates all users before proxying the actual request.

deleted by creator

There is only one router on your network. It routes traffic from one machine to another. This is typically also the gateway, and it only has so many ports.

If you want more physical devices connected to your network, you’d need switches to fan out your network.

Un-managed switches essentially takes packets from one port and pass them through another port, easy peasy, nothing fancy.

Managed switches, however, can do more than just take packet from one port, then push it out to the other side. You can set up link aggregation for example, allowing more throughput by using two or more ports to go to the same destination (maybe for example a central file server). You can have L2 vs L3 switches so they route differently. You can have multiple paths to reach another machine, for redundancy but must implement STP to prevent broadcast loops etc.

Once your network grows larger than just Internet for a couple of desktops, it gets a lot more interesting.

Changing port is security by obscurity and it doesn’t take much time for botnets to scan all of IPV4 space on all ports. See for example the ever updated list that’s available on Shodan.

Disable password login and use certificates as you’ve suggested already, add fail2ban to block random drive-bys, and you’re off to the races.