I’d only have two nickels, but…
- 0 posts
- 13 comments
- mangaskahn@lemmy.world to Selfhosted@lemmy.world • Is Home Assistant the recommended default for smart homes? • English
- 5 months
The exception here would be ESP32 devices. These have been some of the most reliable devices in my home and the most versatile, no Internet access required. Zigbee works well, but runs in the same frequency space as Wi-Fi and Bluetooth. Matter and Thread are the new hotness and run in that space too. They all work well together, but something to consider. Z-Wave is in a separate frequency space, but is a less open protocol. I have at least a few of all of these and they all play nice. Consider your priorities and choose what’s best for your application.
- 6 months
We shall say AI to you again if you do not appease us.
- 9 months
A layered defense is always best. Nothing is 100%, but knowing your threat model will help define how far you have to go and how many layers you want in the way. Defending against state-level actors looks different than swatting the constant low-effort bot traffic. You’re right, if a bad actor gets root on your machine, all security is forfeit. The goal is to minimize that possibility by keeping applications and packages updated and only allowing necessary connections to the machine. You mentioned WireGuard or Tailscale. Set that up first. Then set up the host firewall to only allow outbound traffic onto the VPN to the required ports and endpoints on the LAN. If the VPS isn’t hosting any public-facing services, disable all traffic except the VPN connection from and to the public Internet both on the cloud provider’s firewall and the host firewall. If it is hosting publicly accessible services then use tools like fail2ban and CrowdSec to identify and block problem IPs.
- 10 months
Firewall rules on outbound traffic from the VPS to the LAN would do it. Allow traffic to the hosts and ports that the VPS needs to reach and block everything else.
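The host-firewall layout described in the two comments above (VPN-only exposure, outbound to the LAN limited to named hosts and ports), written out as an nftables ruleset for the case where the VPS hosts no public-facing services. This is an added example, not part of the original comments; the interface names, WireGuard port, LAN subnet and the two LAN services are assumptions to replace with your own.

```nftables
#!/usr/sbin/nft -f
# Assumed values (not from the thread): eth0 = public NIC, wg0 = WireGuard
# interface, UDP 51820 = WireGuard listen port, 192.168.1.0/24 = home LAN.
flush ruleset

define PUB_IF  = "eth0"
define VPN_IF  = "wg0"
define WG_PORT = 51820

table inet vps_filter {
    # LAN endpoints the VPS may reach through the tunnel.
    # Both entries are constructed placeholders (host . TCP port).
    set lan_services {
        type ipv4_addr . inet_service
        elements = { 192.168.1.10 . 8096,
                     192.168.1.20 . 443 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the tunnel itself is reachable from the public Internet
        iifname $PUB_IF udp dport $WG_PORT accept
        # Administration happens over the VPN, never the public side
        iifname $VPN_IF ip saddr 192.168.1.0/24 tcp dport 22 accept
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Encrypted WireGuard packets leaving for the peer
        oifname $PUB_IF udp sport $WG_PORT accept
        # Into the LAN: only the listed host/port pairs, TCP only
        oifname $VPN_IF ip daddr . tcp dport @lan_services accept
        # Anything else headed for the LAN is logged, counted and dropped
        oifname $VPN_IF log prefix "vps-to-lan-drop " counter drop
        # DNS, NTP and package updates are not opened here; add explicit
        # rules for them or route them through the tunnel.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

Validate with `nft -c -f <file>` before loading, and mirror the single inbound UDP rule in the cloud provider's firewall so both layers agree.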
- 2 years
I like my Denon Heos setup: 2 TVs, home theater, receiver in my office connected to my computer and speakers in 7 other locations. Works great with Music Assistant, and doesn’t require a cloud connection. It can pull firmware updates if you want but I’ve blocked all Internet access for those devices with no loss of functionality.
If the OPNsense interface on the WAN VLAN has a publicly routable IP address there shouldn’t be a problem with double NAT. Double NAT should only be a problem if they have a crappy ISP that’s using CGNAT.
Edit: never mind, I reread your comment. We’re saying the same thing essentially.
- mangaskahn@lemmy.world to Selfhosted@lemmy.world • Alternative to Home Assistant for ESPHome Devices • English
- 2 years
He’s trying to run it on an ESP32, didn’t you read the title? /s
- 3 years
Image server mangled by autocorrect? Best I can come up with.
- 3 years
Now I’m just waiting for Netgate to announce an end to CE so I have a reason to move to OPNsense. I’m lazy and it works so I haven’t taken the time to move yet. Weird for a company to EEE their own product.



Graylog is a syslog aggregator that might do what you’re looking for.