Not OP, but I just use ZeroTier for this since it’s dead simple to setup and free. I’m sure there’s some 100% self-hosted solutions, but it’s worked for me without issue.

I never open any ports to the open Internet other than the two my friend client uses.

For remote access I use a P2P VPN called ZeroTier leaving it always running on the Pi, and switching it on for the remote device when needed. It’s free for up to like 50 users and is very powerful, but dead simple.

I usually just run a ZeroTier client on my Pi connected to a private P2P network to solve this issue, and then have ProtonVPN over Wireguard for all internet traffic in and out of the Pi.

I have a Pi 3B+ I run qBittorrent, Plex, ProtonVPN through Wireguard, and a Samba share on and have had 0 issues. It’s connected to a 2 TB external SSD which is where the Plex media library lives and coincidentally where qBittorrent downloads to by default wink wink. I also have a P2P VPN called ZeroTier that allows me to securely connect to the Pi from anywhere. You should be golden with a Pi 4.

I’ve had zero issues even transcoding 4k BluRay content, but it required adding active cooling to prevent the Pi from overheating. Thankfully you can get a tiny heatsink and fan for under $10.

Edit: Accidentally said RPi 5 which didn’t exist… Fixed.