It’s a mesh for wireguard with DERP and MagicDNS so you can segment traffic, do availability groups, point to point all from the same service.

Read through the repo, but I have deployed this to a VPS and I am really happy with it

https://github.com/meerzulee/headscale-setup

It packages headplane which is similar to crossplane and has a pretty intuitive webgui. Just make sure it’s well secured, https, reverseproxy yadda yadda

Neither wireguard nor headscale nor tailscale will work through a cloudflsre tunnel and the wireguard/headscale server cannot be behind a CDN DNS proxy