Ways to make internal s3 package registry reacheble from outside

Hello! I have github enterprise with minio s3 as a package registry on the on-prem infrastructure. Our github server is accesible from the internet and minio not, so I can use the package registry only from internal network which also means that action runners installed in different places won’t have opportunity to pull images from registry.
Recently we got a separate staging infrastructure installed with some self-hosted action runners inside, also it seems that some external customers will need to run ci jobs on our github installation and will need access to our package registry as well.
So, what is the best way to make our package registry accessible from outside of on-prem network? Should it be Docker proxy for minio with public ip (not shure if its secure enough)? Or maybe it would be better to let em come into on-prem network via VPN? What are the best practices now?