About a year ago I set up a local gitlab server, in our office, on our private network. It was perfect for us at the time, because we hoped to restrict access to just ourselves. We already had a virtual private network allowing people working from home to get to it.
And then, about a month ago, we started working with some third party developers who needed access. We considered whether we should grant those developers access to our virtual private network. We decided that was not a good plan.
Instead, I migrated our source repositories from our local gitlab server to private repositories at https://gitlab.com/ The migration was flawless. The security is good. We granted access to our third party developers on the gitlab.com server.
Using the public server is so easy I’m sort of kicking myself for wasting time with the private server. But, we had good reasons for it at the time.
In your case, to grant access to your private server from outside your private office network you have some choices:
put that private server on a publicly accessible IP address. Without knowing anything about your office router, it’s hard to offer a precise procedure for doing that.
get a virtual private network running, so people with permission can access your private network from afar. That’s not a small project, especially if you’ve never done it before. It’s quite a bit larger than building out a private gitlab server. Again, it’s hard to offer precise procedures without knowing a lot about your office network.
move your private server to a data center with public IP access. You could probably use a service like AWS or Digital Ocean to run a virtual machine for you for around US$10 per month.
In my experience, the path of least future hassle on this is to use https://gitlab.com/ and get out of the private gitlab server business. Personally, I’m lazy, so I like “least future hassle.”
Security wise, operating your private server on a publicly accessible network has some downsides. You’ll have to worry about cybercriminals from around the globe rattling your server’s virtual door handles to see if there’s any way in. If, heaven forbid, they do get in you’ll have to figure out how to lock them out again without losing too much intellectual property.