Thanks. Plain Wireguard is an option I’m considering, but it’s also considerably more hassle to configure and maintain, especially as I connect more family members to my network. Headscale also has an extra layer of security in the form of ACLs, which I plan to use on top of basic firewall configuration. I do connect my personal machines with Wireguard, but I use one family member as a Tailscale/Headscale test subject.

As for SELinux, I’ve gave up on it already. It caused me so much headache over the years I disable it with a kernel parameter by default on all machines.