For my home security/automation installation business, I am trying to develop a solution for providing remote access to "internet of things" or "smart" devices. Basically, we have these smart devices which are connected to a router to create a private network. Also connected to this router are iPads used to control these devices using an app. This router is then connected to the customer's primary router (usually supplied by the ISP), so we essentially have a double NAT.

I would like to allow secure remote access to the system, so that the customers can remotely control the system using their smartphones. I have thought of a few possible ways to do this:

1. Port-forwarding: This is a no go because it requires access to the ISP router which could be reset or replaced without our knowledge.
2. A reverse proxy service such as ngrok.com or pagekite.com: This is probably the best solution but it would require some sort of always-on hardware to run the ngrok/pagekite client and connect to an external server.
3. Site-to-site VPN from our router to an external server: I am not sure if this even makes sense, but if possible it would not need any extra hardware.

Any advise would be appreciated.