I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.
Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.
It lets me expose services publicly without any inbound port forwarding on my home connection.



The article makes sense. I think it’s good to note that if the services you’re running make outbound requests (e.g. a Matrix homeserver), you could also tunnel outbound traffic to the same VPS as your inbound, so your residential IPs won’t be leaked.
I’ve written about a similar setup, but for Tailscale nodes, here.