You might try Tailscale or Wire Guard. Either can be used to create a mesh VPN that can include any device you want. Connect your devices to the VPN then you just access it like it is on your local network. Of the two I use Tailscale. Dead simple to setup on pretty much any device.

I looked into Nextcloud, but that requires paying for a domain

Depending on what installation method you choose to go with, you don’t need a domain. It’s just very much helpful to have one. Especially if you decide to have it public facing. Plus domains are cheap. A bigger issue for us self hosters is dealing with dynamic IPs. Most of the time you can buy a static IP from your ISP, but if that is not an option, most domain providers provide a way to deal with variable IP addresses.

And yes, Tailscale does ignore dynamic IP addresses. I think Wire Guard does as well as Tailscale is built on Wire Guard.

but that requires paying for a domain

You say that as if (normal) domains are expensive. You’re gonna be paying a lot more for electricity for your NAS than a domain. If you don’t need anything recognizable which you just want to use for yourself, you can even get a 1.111B class domain (000000.xyz - 999999999.xyz) which are just $1 per year. It’s a much better option than a dyndns service because you can actually do whatever you need to with the domain.

VPN

Yes it’s easy, install WireGuard in a container, port forward to it and copy the profile to your other devices.

When you connect to the WireGuard network on the second device, you’ll have access to your internal network and hence your nas.

I also use a reverse proxy so I can remember computer names rather than ip.

I use SSH with port fowarding to securely access my services running on my server to anywhere I have internet. Its easy to setup, just expose any device running a ssh server like openssh to the internet, probably on a port that isnt 22, and with key only authentication.

Then on whatever device you want to get your services on you can do like

ssh -p 8022 -L 8010:192.168.75.111:80 user@serverspublicip

Where 8022 is the port of the ssh server exposed to the internet (default is 22), 8010 is the port its gonna bind to on the device you are using the client (it will bind to 127.0.0.1 by default), 192.168.75.111:80 is the address/hostname and the port of where your services are on your local network, and user@serverspublicip is your username and the ip address of where your ssh server is.

You can also use ssh to make a SOCKS proxy in your network like this

ssh -g -D 1080 user@serverspublicip

This will make a socks proxy into your network on your device at 127.0.0.1:1080. All of this can also be done on just about any mobile phone running android by using termux.

I use Wireguard VPN with DuckDNS. No need to buy a domain, I just made a name for local use like nextcloud.rudee.com. Even though domains are not expensive (can be 10-20$ a year, but there are also free otions like rudeenextcloud.duckdns.org). You might need reversy proxy like Nginx Proxy Manager unless you want to type IP:PORT

Domains can be free and several of them works flawlessly with DDNS for home hosting. You can set up a completely free Nextcloud. Self-signed certs and direct IP access works as well.

Somebody else mentioned setting up a VPN to your home LAN, that works fine too.

If you have a public IP and can forward ports, exposing SSH (with key-based login) is quite safe. You can browse the server storage and copy files to/from your phone.

If you can’t open ports you will need something that punches out of NAT and intermediates a connection to your phone. Simplest way is to use a service like Tailscale, you install and start it on both the server and your phone and they will see each other from wherever they are.

Nextcloud is simply software that runs on something. You might use DNS to find the something that your Nextcloud runs on … or not. A domain can cost as little as say £10/year (no details given - loose costing provided!) but you say you don’t want one.

You could do some weird stuff involving something like this: Your clients update a database on the server with their current IP address(es) and the server reciprocates in kind regularly.

For an internets conversation, both sides need to know IP address, protocol, and optionally port; for both ends. For example, a webby conversation might involve:

My end: 192.168.100.20/24, tcp port 2399 -> NAT -> 33.22.4.66, tcp port 2245 Remote web server: 99.22.33.44/37, tcp port 443

Now, provided both sides are warned off about changes to addresses and port numbers on a regular basis, then comms will still work.

Say, your home external IP address changes, then your browser writes that new address to the remote server and comms continue. Provided one end knows all the details of the other end at any point in time and can communicate local changes then we are good.

000000000000000000000000000000000000000000000000000000000000000000

Maybe not. Lookup: Dynamic DNS.