That is what I ended up doing, I wrote a blog post about it some months ago [0].

The gist of it is using private dns and exposing services only on the private network. Implementation details can vary, you decide whether to use tailscale or bare wireguard, and any reverse proxy and dns server will do. In my case, I use Tailscale, NextDNS, and Caddy.

[0]: https://garrido.io/notes/tailscale-nextdns-custom-domains/