Say your toaster’s globally routable address is 2001:db8:1234::f00d. Get your toaster a domain name that it can update dynamically. Then open a hole in your firewall to allow incoming connections to 2001:db8:1234::f00d. Then have the toaster request a domain name from LetsEncrypt.

Now you can access your toaster securely.

Unfortunately this couldn’t be done in a fully-automated manner, and your toaster is now listed on Shodan (and therefore liable to start printing obscene images on your toast).