Nip46 signer (which is what nsecbunker is) does not need a tunnel. it does not need a public IP, does not need a reverse proxy.

Nip46 client sends requests to some public relay, and signer reads those events from public relay, signs, and sends replies to the same relay, which client reads. Nsec.app runs this nip46 signer in your browser service worker.