Vaultwarden and Port Forwarding


i am running Vaultwarden as HomeAssistant-Addon. I created a duckdns domain and also got a certificate from Letsencrypt via certbot. Then, I forwarded the vaultwarden port 7277 permanently to the VM where HA/Vaultwarden is running.

Everything is working fine, including iOS App.
My question is: is this the “way to go” or does this permanently forwarded port pose a security risk? If so, what are better options? I stumbled across nginx as reverse proxy. Would this be a better solution? As far as i understand, even in this case one has to forward ports to the nginx server, so I dont see an advantage there.

Thank you very much in advance!

Best regards

The advantage of reverse proxy is you only have to open one port vs individual ports for each service.

Thank you very much for your answer!

How is this done? Is the proxy accessed by different subdomains and depending on the subdomain the port to the proxy is „dynamically“ translated to the correct port inside the network?

How is the whole SSL stuff handled? Is there a certificate for each subdomain? Is there some kind of tutorial for this in conjunction with duckdns?

Thank you very much, your help is much appreciated.