I was following that guide and got stuck when trying to get the client.key file, so I contacted their support for advice, and they said that a dedicated IP will not work with pfSense. So I stopped trying…
CGNAT, so dynamic DNS won’t be of any use here.
I will do that, thank you for the reply
I have cancelled PureVPN. If their support says it won’t work, then I won’t waste any time on it; plus, it’s not exactly good business if their support staff are wrong.
Yes.
The EC2 instance basically gets a static IP from Amazon. Have your home pfSense connect to the EC2 instance with either IPsec or OpenVPN (that is to say, if you use IPsec, set the EC2 instance as responder only; if you use OpenVPN, set up the EC2 instance as the server side). Make sure to set appropriate EC2 network security rules to permit the appropriate traffic. Configure appropriate firewall rules between the EC2 LAN network and your home network where the server lives.
Assuming you want to use HTTPS to talk to your server, set up Let’s Encrypt on the EC2 instance and configure it to get an appropriate cert. Configure an HAProxy backend for your server at home. You could use just HTTP here and be OK, as traffic from your house to EC2 is protected by your tunnel; or you could just use HTTPS, up to you. Then set up an HAProxy frontend to listen on HTTPS (set both pfSense WAN firewall rules and EC2 security rules for this, too) using the LE cert you set up, with the backend created above as its default backend.
It is possible that there will be heartburn with making HAProxy talk across the tunnel using the inside IP address properly. This document has some guidance on how to overcome that: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
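The frontend/backend layout described above, written out as a raw haproxy.cfg. This is an added example, not configuration from the original poster or from Netgate; on pfSense the same fields are entered in the HAProxy package GUI, but the generated config is equivalent. Every address and path here is an assumption: the public name cloud.example.com, the LE certificate bundle path, the home server at 192.168.1.10 (plain HTTP, since the EC2-to-home leg is already inside the tunnel), and 10.10.0.1 as the EC2 side's inside tunnel address. The `source` line is the fix for the "inside IP address" problem the Netgate document above describes: without it HAProxy sources its backend connections from the EC2 WAN address, which does not match the IPsec phase 2 selector.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option forwardfor            # pass the real client IP to the home server
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public side. Both the EC2 security group and the pfSense WAN rules
# must permit TCP/443 (and TCP/80 for the redirect and ACME http-01).
frontend fe_https
    bind :443 ssl crt /etc/ssl/private/cloud.example.com.pem alpn h2,http/1.1   # assumed cert path
    http-request set-header X-Forwarded-Proto https
    default_backend be_home_server

# Plain HTTP exists only to redirect browsers to HTTPS.
frontend fe_http
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

# Home server reached across the VPN by its LAN address (assumed 192.168.1.10).
# HTTP is acceptable on this leg because IPsec/OpenVPN already encrypts it.
backend be_home_server
    # Source backend connections from the tunnel's inside address (assumed 10.10.0.1)
    # so the traffic matches the IPsec phase 2 / OpenVPN route instead of leaving via WAN.
    source 10.10.0.1
    option httpchk GET /status.php     # assumed health endpoint (Nextcloud exposes this path)
    server home 192.168.1.10:80 check
```

Check it with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. If the application behind this is Nextcloud, it also needs the proxy's address in `trusted_proxies` and `overwriteprotocol` set to `https` in its config.php, otherwise it generates http:// links because it sees plain HTTP from HAProxy.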
You can totally do this with a VPS and then a VPN tunnel. I actually do this with WireGuard tunnels between a VPS and my home lab. I have several “reserved IPs” that I can assign to local services on my home-lab network, routes for these get shuffled up to the VPS provider via OSPF over WireGuard and then announced via BGP using FRR on pfSense. It’s configured in such a way that if I need another address, I just reserve another IPv4 address, create the route on my home-lab pfSense box, and the rest is handled automatically.
So it doesn’t matter what ISP is used for the WireGuard transport (i.e. it could be cable, 5G, Starlink, etc.); I can always reach in via the static address.
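The WireGuard transport that carries the VPS-to-home-lab routing described above, as an added example that is not the poster's own configuration. pfSense's WireGuard package presents the same settings in its GUI; the wg-quick style files below are the equivalent. Keys are generated with `wg genkey | tee privatekey | wg pubkey > publickey` on each end and `wg genpsk` for the shared PSK; the placeholders in angle brackets, the VPS public address 203.0.113.10, the tunnel transit /30, the home LAN 192.168.1.0/24 and the "reserved" address 203.0.113.100 are all assumptions. The CGNAT constraint from earlier in the thread is what shapes the peer settings: the VPS has no `Endpoint` for the home side, the home side dials out and keeps the NAT mapping alive with `PersistentKeepalive`, and the OSPF/BGP exchange the poster describes runs over the transit /30 once the tunnel is up.

```ini
# ---- VPS side: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.100.0.2/30            # transit /30, VPS end (assumed)
ListenPort = 51820                 # open UDP/51820 in the VPS provider firewall
PrivateKey = <vps-private-key>

[Peer]
# Home pfSense. No Endpoint: it sits behind CGNAT, so only it can initiate.
PublicKey = <home-public-key>
PresharedKey = <shared-psk>
# What the VPS may route into this tunnel: the transit address, the home LAN,
# and each "reserved" public /32 that a home service answers on (assumed).
AllowedIPs = 10.100.0.1/32, 192.168.1.0/24, 203.0.113.100/32

# ---- Home pfSense side: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.100.0.1/30            # transit /30, home end (assumed)
PrivateKey = <home-private-key>

[Peer]
PublicKey = <vps-public-key>
PresharedKey = <shared-psk>
Endpoint = 203.0.113.10:51820      # the VPS static IP (assumed)
# Only the transit network is learned statically; the routes for the reserved
# addresses are exchanged by OSPF over this tunnel rather than hard-coded here.
AllowedIPs = 10.100.0.0/30
# Re-send every 25 s so the CGNAT mapping never expires and the VPS can reach us.
PersistentKeepalive = 25
```

Because OSPF multicast must traverse the tunnel, the routing daemon's OSPF network statement needs to cover 10.100.0.0/30 on both ends; the routes it learns are what the VPS then announces upstream via BGP.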
https://www.netgate.com/pfsense-plus-software/how-to-buy#AWS
https://aws.amazon.com/marketplace/pp/prodview-gzywopzvznrr4
I don’t remember exactly which guide I used, but I’m sure there’s plenty out there.
I did a long time ago but I see no reason that it would’ve changed. I use it for my RPi as a jumpbox and VPN server now.
Ah, yes, so nothing can be hosted without using a tunnel or something clever like PCP. Dynamic DNS can probably still be used with the VPN, though, if the static IP is a challenge.
I see, I kind of grasp it.
So I subscribe to a VPS and set up pfSense on the VPS box. The VPS box has its own static IP; I set up OpenVPN on the VPS and use those certs on my home pfSense router.
The home pfSense router has OpenVPN configured to use the VPS certs. I set up an OpenVPN connection to the VPS, using firewall rules to pass traffic via the VPS gateway?
This could be an overkill solution, or a hybrid of the recommendations; it might even be a slow, high-overhead solution. I don't know, but you could keep your current Nextcloud setup, just get a VPS and set up a VPN, then connect your Nextcloud instance to it?
Just spitballing here, though. Might be a crap experience, I don't know.