Why not use Tailscale on each device?
No need to expose any ports, no need for a bastion, no need for any complicated method of retrieving their public IP address, can use ACLs to restrict their access to other devices on the tailnet (if they’re tech-savvy enough to go looking at the tailnet in the first place).
Essentially, as long as they have internet and Tailscale is running, you’ll be able to connect to their device without exposing anything over the internet.
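A concrete form of the ACL restriction mentioned in the comment above, as an added example rather than anything from the original poster: a Tailscale policy file (HuJSON, so comments are allowed) in which a support group can reach relatives' devices on SSH and RDP only, while the relatives' devices cannot initiate connections to anything else on the tailnet. The names `group:support`, `tag:relative` and `you@example.com` are assumed placeholders.

```jsonc
// Added example Tailscale ACL policy; names below are placeholders, not from the page.
{
  "groups": {
    // The people allowed to administer relatives' machines.
    "group:support": ["you@example.com"]
  },
  "tagOwners": {
    // Only group:support may apply tag:relative to a node.
    "tag:relative": ["group:support"]
  },
  "acls": [
    // Support may reach tagged relatives' devices, but only on SSH and RDP.
    {
      "action": "accept",
      "src": ["group:support"],
      "dst": ["tag:relative:22", "tag:relative:3389"]
    },
    // Each user keeps access to their own (untagged) devices.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self:*"]
    }
    // No rule has tag:relative as a source, so those devices are
    // default-denied from reaching anything else on the tailnet.
  ]
}
```

Tailscale ACLs are default deny, so the only thing that grants access is an explicit `accept` rule; the relatives' devices are reachable on the two listed ports and can browse nothing of yours even if someone does go looking at the tailnet. Tagging those nodes (rather than matching on a login) also means the rule keeps working if the device is re-enrolled or the owner's account changes.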
I’m guessing it’s this https://www.emma-sleep.co.uk/