I’ve never used tailscale but use wireguard extensively.

There’s not much of a learning curve for you as the administrator. You have to discard some misconceptions you might bring from other VPNs but really after 30 minutes of looking at configs you’ll get it.

I use wireguard for my small team of 5 people to access self hosted services. You install wireguard, load the config, and then it just works.

The trick, if it can be called that, is using public dns for private services.

On your server, suppose you have service-a service-b and service-c in containers with ip addresses in the 10.0.2.0/24 range. Then you’d have a reverse proxy like traefik at 10.0.2.1. You’d also create a wireguard container with an IP in that same 10.0.2.0/24 range, and configure it’s wireguard adapter to be 10.0.12.1 or soomething so you have “2” for the containers and “12” for the wireguard clients.

Then in wireguard configurations you direct all traffic for 10.0.2.0/24 through the tunnel but everything else just uses their devices normal internet connection.

Finally create a public dns record pointing to the reverse proxy like *.mydomain.com > 10.0.12.1

now whatever.mydomain.com will resolve to your reverse proxy but is still only available to devices connected to the wireguard container on your server.