I have used Tailscale in the past, and really like it, but I had problems at the time where there wasn't a 23 Ubuntu image so I ended up setting up WireGuard on my OPNsense firewall. I have four hosts I use to remote in, and everything has been great.
I am now contemplating how to set up some changes I am making.
I have a lot of remote servers, which I manage via SSH, and have no issues. But I am looking at moving a few services from my LAN to WAN. Specifically Uptime-Kuma and CheckMK, as well as a few other things that I don't want to go offline if I lose power during winter storms.
I don't feel comfortable exposing these services to the Internet, so I was thinking I would use WireGuard to allow direct access while I am on my LAN. Obviously, Tailscale would be a super easy solution. I really don't want these remote servers (rented dedicated servers and VPS) having direct access to my LAN.
I was thinking I'd create a new WireGuard interface, and only allow outbound traffic on it. This way I can access these machines but they can't get on my LAN. I currently use SSH port forwarding when I need to access a web interface remotely and this works great, but I've got to open up an SSH connection before accessing the website. I like being able to just click on stuff through my Homepage dashboard.
Now that I am adding some new remote servers, I want to set this up right. I feel like setting up WireGuard in OPNsense is the most optimal solution for performance and security; it is just not as easy.
I am considering Netmaker, Tailscale, and my personal favorite option, OPNsense.
TL;DR: I want to set up a WireGuard DMZ for remote servers so they can't access my LAN while keeping my road warrior trusted WireGuard interface that does have full access. I am using OPNsense.
Why not Tailscale with ACLs to restrict the access that the VPS boxes have access to?
https://tailscale.com/kb/1018/acls/
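
A sketch of the one-way policy the reply points at, written in Tailscale's policy file format (HuJSON, which allows comments); this is an added example, not part of the thread or taken from Tailscale's documentation. The tag name `tag:vps`, the host alias `homepage-dashboard`, its address, and `owner@example.com` are assumed placeholders.

```json
{
  // Remote servers are enrolled with this tag, so they are owned by the
  // tag rather than by a user account (tag name is an assumption).
  "tagOwners": {
    "tag:vps": ["autogroup:admin"]
  },

  // Constructed tailnet address standing in for one home machine.
  "hosts": {
    "homepage-dashboard": "100.64.0.10"
  },

  "acls": [
    // Personal, untagged devices (home machines, road-warrior laptops)
    // may open connections to anything, including the tagged servers.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["*:*"]}

    // Deliberately no rule with "src": ["tag:vps"]. The policy is
    // default-deny, so a tagged server cannot initiate a connection to a
    // home device or to another server. Replies on connections opened
    // from the home side still flow.
  ],

  // Policy tests are evaluated when the file is saved; a failing test
  // rejects the change, which guards against a later edit that opens
  // a path from the servers back to the home devices.
  "tests": [
    {
      "src": "owner@example.com",
      "accept": ["tag:vps:22", "tag:vps:443"]
    },
    {
      "src": "tag:vps",
      "deny": ["homepage-dashboard:22", "homepage-dashboard:443"]
    }
  ]
}
```

The same shape applies to the WireGuard-on-OPNsense plan in the question: allow traffic that originates on the trusted side toward the servers, and define no pass rule for traffic that originates on the server-facing interface.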