I wouch for the VPN route… VPN servers are built to be exposed, are hardened/engineered to resist the harshness of the net and are somewhat safe even with default settings.
Should you publish on the wild a few web apps, you would have to harden, monitor and manage a bunch of environments and/or frameworks with a load of quirks each.
A VPN is easier to maintain and safer for your data with a lower effort.
my home router is the stock one from my isp and have no vpn capabilities.
I put a port forward on the router and then configured everything on the internal node; in my case it is an opnsense vm running on proxmox.