Old 04-28-2024, 01:21 PM   #1
road hazard
Member
 
Registered: Nov 2015
Posts: 257

Rep: Reputation: Disabled
How to deal with non-static IP for incoming server on Asus router and a question about EASILY mapping a remote drive


I recently moved my backup server to my brother's house. Both are running Debian 12.

Right now, I have a static IP and his router is configured to only allow incoming SSH traffic from my IP address. (I think this is fairly secure?) And when my rsync job runs, it calls out to the Let's Encrypt DDNS name that his router registered with Asus. I have tested this and it's working PERFECTLY.

In the coming months, I'm probably going to be switching ISPs and will no longer have a static IP. If my IP changes, I won't be able to adjust his router to allow only my unique IP as the source, so I'm guessing I'll need to install Zerotier or Tailscale on my main server at my house and the backup server at his house so they can talk to each other for the backup job. I run Plex on my main server... will this cause any problems? Which one of those VPN services is DEAD SIMPLE to set up?

Or is there another way I should go about this if/when I switch ISPs and no longer have a static IP address? I used the ssh-copy-id to copy my keys to his server... does that mean my unique keys were copied and it's safe to open the inbound ssh port forward to the world as only I would be able to authenticate to my remote server?

Yes, I'm a Linux newbie... especially when it comes to securing ssh.

I think I should also start reading up on fail2ban as well as an extra layer of security.
 
Old 04-29-2024, 07:23 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,751

Rep: Reputation: 5929
The Asus router (depending on age) might have a VPN server built in. If so, I would pick OpenVPN if that is an option since installing a client is fairly easy and you can use nmcli to connect in your backup job. Using ssh keys only is safe.
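
Added example, not part of any post in this thread: `ssh-copy-id` installs a public key on the server but does not change the server's login settings, so "keys only" holds only if sshd's effective configuration refuses passwords. The sketch below checks `sshd -T`-style output for that; the function name and both sample configurations are constructed for illustration.

```shell
# Added example: check whether an sshd is really key-only.
# Reads `sshd -T`-style lines ("keyword value") on stdin, prints one
# finding per weak or missing setting, and returns 1 if password-style
# logins are still possible, 0 otherwise. (Hypothetical helper name.)
audit_sshd_effective() {
    awk '
        BEGIN {
            # Value each keyword must have for key-only logins.
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
        }
        {
            key = tolower($1)
            if (!(key in want)) next
            seen[key] = 1
            if (tolower($2) != want[key]) {
                printf "WEAK %s=%s (want %s)\n", key, $2, want[key]
                bad = 1
            }
        }
        END {
            # A keyword absent from the dump cannot be assumed safe.
            for (k in want) if (!(k in seen)) {
                printf "MISSING %s\n", k
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: a server where a key was installed with
# ssh-copy-id but password logins were never switched off.
sample_after_ssh_copy_id() {
    printf 'port 22\npubkeyauthentication yes\npasswordauthentication yes\nkbdinteractiveauthentication no\n'
}

# Constructed sample: the same server with password logins disabled.
sample_key_only() {
    printf 'port 22\npubkeyauthentication yes\npasswordauthentication no\nkbdinteractiveauthentication no\n'
}
```

On the backup server, run it against the live configuration with `sudo sshd -T | audit_sshd_effective`.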
 
Old 04-29-2024, 06:41 PM   #3
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,735

Rep: Reputation: 2212
I do it the other way. I run rsync on the backup ‘puter and pull the data from the production box.
The backup server has a dynamic address, the production server has a static IP.

(I actually use rsnapshot, which uses rsync over ssh)
 
Old 04-30-2024, 02:18 PM   #4
road hazard
Member
 
Registered: Nov 2015
Posts: 257

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk
> The Asus router (depending on age) might have a VPN server built in. If so, I would pick OpenVPN if that is an option since installing a client is fairly easy and you can use nmcli to connect in your backup job. Using ssh keys only is safe.

His router is a newer model and has built-in support for OpenVPN but I think for now, I might just go with locking the source IP for the inbound rule to my IP address because I'm working on nailing down another problem and don't want to muddy the water. Will post about THAT issue here in a minute.
 
Old 04-30-2024, 02:19 PM   #5
road hazard
Member
 
Registered: Nov 2015
Posts: 257

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey
> I do it the other way. I run rsync on the backup ‘puter and pull the data from the production box.
> The backup server has a dynamic address, the production server has a static IP.
>
> (I actually use rsnapshot, which uses rsync over ssh)

But I think I'd have the same problem. If I had the remote server at his place pulling from me, I'd need to lock the inbound traffic to a single IP on my router (to be safe) and he definitely doesn't have a static IP.
 
Old 04-30-2024, 08:17 PM   #6
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,735

Rep: Reputation: 2212
Quote:
Originally Posted by road hazard
> But I think I'd have the same problem. If I had the remote server at his place pulling from me, I'd need to lock the inbound traffic to a single IP on my router (to be safe) and he definitely doesn't have a static IP.

If you connect to your box from his box using SSH keys, you're "locking down" the connection between the computers themselves. The keys identify the hardware at the other end of the connection*... they don't care how the connection is made.

If the dynamic IP of my local "pulling" server changes, the connection and snapshot still work, and the keys provide the validation.

*"Hardware" in the sense that the key stored on the remote machine matches the key on the local machine.
 
Old 04-30-2024, 09:04 PM   #7
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,463
Blog Entries: 7

Rep: Reputation: 2561
Quote:
Originally Posted by road hazard
> Or is there another way I should go about this if/when I switch ISPs and no longer have a static IP address?

Set up OpenVPN or WireGuard on the server (i.e., NOT at the router) at your brother's house. The remote client computer will be able to connect from any IP address without any trickery.

Tip: Use a high (UDP) port number.

Last edited by rkelsen; 04-30-2024 at 09:05 PM.
 
Old 04-30-2024, 09:36 PM   #8
road hazard
Member
 
Registered: Nov 2015
Posts: 257

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey
> If you connect to your box from his box using SSH keys, you're "locking down" the connection between the computers themselves. The keys identify the hardware at the other end of the connection*... they don't care how the connection is made.
>
> If the dynamic IP of my local "pulling" server changes, the connection and snapshot still work, and the keys provide the validation.
>
> *"Hardware" in the sense that the key stored on the remote machine matches the key on the local machine.

Thank you for the clarification.
 
Old 04-30-2024, 09:37 PM   #9
road hazard
Member
 
Registered: Nov 2015
Posts: 257

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rkelsen
> Set up OpenVPN or WireGuard on the server (i.e., NOT at the router) at your brother's house. The remote client computer will be able to connect from any IP address without any trickery.
>
> Tip: Use a high (UDP) port number.

That sounds like a good idea indeed, thank you. I also might add fail2ban to the mix as well.
 
  

