I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.
Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.
It lets me expose services publicly without any inbound port forwarding on my home connection.



https://github.com/wg-easy/wg-easy
Needs like 100 MB RAM to run, so it can basically run on almost anything. If you'd like some extra security, do another layer of authentication in the reverse proxy that faces the internet.