ddclient paired with a supported provider.

I use afraid.org to keep my dynamic dns pointed at my routers ip. With afraid.org dns you only need a curl statement scheduled on the opendnswrt router to keep the dynamic ip updated.

Since you run already OpenWrt, you can check out https://openwrt.org/docs/guide-user/services/ddns/client

There is a list on this page of compatible services. If you don’t want to use one more service (DNS), you can use a domain registrar with an API (like porkbun) and find online tools that work with that.

Be aware of the risks of hosting your websites publicly from home, make sure to run them in very isolated environments. Having your VPS compromised is bad, but having your home network compromised is much worse!

If you go down the VPS route, a headscale server on a cheap $3.50 VPS would be the way to go. Wouldn’t even have to deal with IP addresses at that point, while still being able to self-host all your services, with the cheap VPS being a glorified switch/firewall.

I’ve used big names like ns1 and Cloudflare for free.

Cloudflare has an api for easy dynamic dns. I use oznu/docker-cloudflare-ddns to manage this, it’s super easy:

docker run \
  -e API_KEY=xxxxxxx \
  -e ZONE=example.com \
  -e SUBDOMAIN=subdomain \
  oznu/cloudflare-ddns

Then I just make a CNAME for each of my public facing services to point to ‘subdomain.example.com’ and use a reverse proxy to get incoming traffic to the right service.

VPS with a tunnel between it and home services (Wireguard/Tailscale, etc)in my opinion is Best Way as it isolates your home gateway (no open ports, because you make outbound connections to your VPS), and let VPS handle Identity and Access Management

(Or an equivalent isolating architecture).

Alternatively, Tailscale has a Funnel feature which can route public traffic into your Tailscale network. Though I don’t love this approach, it does work for low-volume connections.

I use digital ocean as dns host. They have an API, so I check my IP with a script and update if needed.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

[Thread #891 for this sub, first seen 27th Jul 2024, 19:35] [FAQ] [Full list] [Contact] [Source code]

If you can avoid it, don’t open ports in your firewall, don’t publish your home IP address, and keep everything behind a VPN. If only you and your family will be using these services, go with Tailscale or one of its competitors. Otherwise, VPS or cloudflare tunnel/competitor.

Script that checks your external IP and updates your DNS provider via API.

I think you got enough recommendations for several tunneling solutions.

Apart from that (and free DynDNS) you could also use a regular paid DNS provider. Some of them also offer DynDNS or an API. I think I saw some regular providers in the list of my DynDNS client on my router, next to the super cheap or free ones.

Namecheap domains include a dynamic DNS application for free and it works well. Be aware that it only runs on Windows.

You can get super cheap VPSs and use them just as a reverse proxy (with access via VPN). I host 11 servers using one single-core VPS as a reverse proxy. All data resides on premises, in house. I pay 10/yr for VPS. It definitely does not defeat the purpose.

Free Dyndns services seem to be a bit crap

Why do you say that? https://freedns.afraid.org/ and https://www.duckdns.org are very solid and if you’re looking for something more corporate even Cloudflare offers that service for free.