Yeah, an SSH tunnel or WireGuard between them would be the easiest option to avoid needing to set up mTLS to have HTTPS between them.
mTLS is possible, but it’s a bit of a hassle to set up initially. Here’s a guide for that if you want to give it a shot tho: "Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts"