Part of setting up the component involves entering your URL, so it points to my.domain.com which is fed via port forward to HA. In my case I have nginx in the middle of that, but I think the concept is still the same. Any component that requires you to enter your HA URL I am assuming isn’t going to work through a VPN and thus still require an open port straight to HA. Again, don’t mean to derail here, just wanted to make sure it’s clear and I’m not missing anything. I feel like I’ve seen a handful of components that work like this, but Google Assistant is the one that stands out and I’m sure is fairly widely used.