Hmm yeah, makes sense, I just can’t do it since then I would need a VPN app and the Home Assistant app running 24/7 lol. I need location for Home Assistant, and both apps are too much for my wife’s iPhone. I might try again but with GPSLogger instead of Home Assistant for location.
I do this too, have ACLs set up for my main LAN IPs and all my internal hosts set up in OPNsense in hosts override so they get redirected to NPM. Not sure if this is the correct way but it gives me all valid certificates. You could also do domain override and redirect just that domain to your NPM.