Or just set up Tailscale, which takes about two minutes.

Tailscale runs on WireGuard and therefore requires elevated permissions on each client device. That shouldn't be required for simply proxying a local port.

Does Tailscale offer domain registration and TLS certs?

Also, is there any way to allow public access to certain ports on certain machines, i.e. if you wanted to run your personal blog on your RPi?

I think there is a userspace version written in Go that shouldn't need root access.

Unless I'm mistaken, wireguard-go[0] only runs the WireGuard protocol code in userspace rather than the kernel. It still requires configuring network interfaces which requires root.

[0]: https://github.com/WireGuard/wireguard-go