VPN and have them punch in to a cheap or free cloud instance that acts as a hub router.
You give them a config file and they feed it to their device or router. Use a private subnet in the 10.0.0.0/8 range, because everyone is on 192.168.1.0/24, and then they just hit it at 10.0.0.1 or whatever.
I like WireGuard, but you might have to use something with layer 2 support if you want service discovery to work for true zero config.
Even with external volumes, I don’t think there should be any mechanism where a container can escape a bind mount to affect the rest of the host fs? I use bind mounts all the time, far more than docker volumes.