Reverse Proxy + HA

Trying to understand Reverse Proxy (vs Port Forward). Nginx is supposed to be more secure than IP forwarding on the router. Closest I could find to what I want is this:

I have Home Assistant on one server and some apps on another server.
Main requirement is I do not want to run/need software, on a client, to access my HA instance & apps.
My router is connected to my ISP and I get a dynamic IP from that.
So I set up DDNS and my router provides the DDNS updater.
I would like to use a Digital Ocean Droplet to install nginx and then access my HA / apps via DDNS.

But I’m confused here because:
I am thinking that the DO droplet nginx would need to forward traffic to my network via my router, using my router DDNS IP. On my router, I would need to open ports for my HA and apps - for example, 8123, 80, 8080, 66668 and 88888 (latter two being random ports running webapps). These ports need to be forwarded to relevant internal IPs on my LAN. So what is nginx giving me and/or how is it protecting me given that ports on the router still need to be open and forwarded anyway?

Or

Could I run a VPN server on the DO droplet in addition to nginx, and then forward traffic to different VPN clients depending on the URI passed to nginx? I wouldn't need to open any ports on the router other than those required for VPN. So I might send http://do.droplet.ip/app1 and nginx would forward that to 10.19.49.2, and http://do.droplet.ip/app2 would get forwarded by nginx to 10.19.49.3. Or is all that insecure?

I’m probably misunderstanding it all.

If you use a reverse proxy, you only need one external port open even if you have several different services that you want to connect to remotely. For instance, I have remote access to three of my docker containers (one of them being home assistant) but I only have port 443 open externally.

Em I see. And the URI is used to select the destination server?

I think I’ve found the answer … something like this would be perfect. Is it “safe”?

There’s no simple switch saying “make safe” :wink:

If you set it up correctly, it’s safe. However the same can be said for anything. It’s the approach I use, because you can do more filtering and security on the proxy server if you want to.

Sorry, should have asked: "Is it safe for nginx, running on the same node as the VPN server, to forward traffic to a VPN client, effectively a bridge from WWW to VPN?"

Sorted anyway, lots of examples on the net of this.
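
A minimal nginx configuration for the droplet in the setup discussed in this thread, added here as an illustration and not posted by anyone in the thread: only ports 80 and 443 are exposed on the droplet, and each hostname is proxied over the VPN to one client. The hostnames, certificate paths and the port on 10.19.49.3 are assumptions, and it routes by hostname instead of URI path on the assumption that the apps expect to be served from `/`.

```nginx
# Added example. ha.example.org, app2.example.org and the certificate paths are placeholders.
# 10.19.49.2 / 10.19.49.3 are the VPN client addresses from the thread; 8080 is assumed.
# Home Assistant's frontend uses WebSockets, so pass the Upgrade handshake through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects to HTTPS; nothing is proxied unencrypted from the internet.
server {
    listen 80;
    server_name ha.example.org app2.example.org;
    return 301 https://$host$request_uri;
}

# TLS connections for any other name (e.g. the bare droplet IP) are refused,
# so the backends are reachable only under the configured hostnames.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or later
}

server {
    listen 443 ssl;
    server_name ha.example.org;
    ssl_certificate     /etc/ssl/example/ha.fullchain.pem;
    ssl_certificate_key /etc/ssl/example/ha.key.pem;

    location / {
        proxy_pass http://10.19.49.2:8123;   # travels inside the VPN tunnel
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 443 ssl;
    server_name app2.example.org;
    ssl_certificate     /etc/ssl/example/app2.fullchain.pem;
    ssl_certificate_key /etc/ssl/example/app2.key.pem;
    location / {
        proxy_pass http://10.19.49.3:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

On the Home Assistant side, the `http:` section of `configuration.yaml` needs `use_x_forwarded_for: true` and the proxy's VPN address listed under `trusted_proxies`, otherwise proxied requests are rejected. With this layout the home router forwards no inbound ports; the LAN hosts dial out to the VPN server on the droplet.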