Yeah, any solution is going to require at least egress rules for its traffic. Tailscale is a bit different since part of what it’s able to do is provide access to your LAN, if desired. Cloudflare just needs two ports, but it’s only providing a tunnel from the host.
Ah, so you haven’t been a sysadmin at all through the last ten years of watching fucking security updates get stuffed in a subscription. Unless you think hardware subscriptions are something new? Cause that’s also old hat to anyone who runs anything professionally. We know. This is just rent a center for gamers. The only way to win is not to play. But in this case, it’s SUPER easy not to play.