For years my remote access was a small collection of forwarded ports and a dynamic DNS name, held together by optimism. SSH on a non-standard port, a reverse proxy for a couple of web things, a VPN I kept meaning to harden. It mostly worked. It also meant my firewall had open doors facing the internet, and the logs were a steady reminder of how many people scan port 22 for fun.
I switched the lot to Tailscale, and I'm slightly annoyed at how much simpler my life got.
The pitch is straightforward: every device joins a private network, a tailnet, with WireGuard underneath doing the actual encryption and the coordination server handling key exchange and NAT traversal. Nothing listens on the public internet any more. The forwarded ports are gone. My firewall's inbound rules are back to denying everything, which is how a firewall should look.
The thing that sold me was the bits I didn't have to do. No certificate juggling for the VPN. No fighting with CGNAT, which my connection now sits behind and which had quietly killed inbound forwarding anyway. Tailscale's NAT traversal gets through it, and when a direct connection isn't possible it falls back to a DERP relay, which only forwards the still-encrypted WireGuard packets; you mostly don't notice the difference. I expose my home network's subnet through a subnet router so the things that can't run the client (the printer, a couple of IoT bits) are still reachable.
A couple of practical notes. ACLs are worth setting up early, even for a home tailnet, because the default of everything-talks-to-everything is convenient until it isn't. I tag my devices by role and write a small policy so my laptop can reach the servers but the IoT subnet can't reach my laptop. And MagicDNS means I refer to machines by name rather than memorising tailnet IPs, which removed the last reason I had a hosts file.
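Here is what that sort of policy looks like as an added example, not the tailnet's actual ACL file: a Tailscale policy in HuJSON with assumed tag names (tag:laptop, tag:server, tag:router) and an assumed home subnet of 192.168.10.0/24. Once the acls list exists, anything it doesn't explicitly accept is denied, so the IoT subnet simply gets no rule, and the tests block makes the admin console refuse to save the policy if a later edit ever opens that path.

```jsonc
// Added example policy (HuJSON, as Tailscale's admin console accepts it).
// Assumed names: tag:laptop, tag:server, tag:router; assumed home subnet 192.168.10.0/24.
{
  // Who may assign each tag to a node; admins only.
  "tagOwners": {
    "tag:laptop": ["autogroup:admin"],
    "tag:server": ["autogroup:admin"],
    "tag:router": ["autogroup:admin"],
  },
  // Let the tagged subnet router advertise the home LAN without a manual approval step.
  "autoApprovers": {
    "routes": {
      "192.168.10.0/24": ["tag:router"],
    },
  },
  // Once this list exists, anything not accepted here is denied.
  "acls": [
    // Laptop -> servers, SSH and HTTPS only.
    {"action": "accept", "src": ["tag:laptop"], "dst": ["tag:server:22,443"]},
    // Laptop -> printer and IoT subnet, any port (reached via the subnet router).
    {"action": "accept", "src": ["tag:laptop"], "dst": ["192.168.10.0/24:*"]},
    // No rule names the IoT subnet or the servers as src, so they cannot initiate
    // connections to the laptop; replies to laptop-initiated flows are still allowed.
  ],
  // Policy tests: saving the file fails if any of these assertions is false.
  "tests": [
    {"src": "tag:laptop", "accept": ["tag:server:22", "192.168.10.20:9100"], "deny": ["tag:server:3389"]},
    {"src": "192.168.10.20", "deny": ["tag:laptop:22"]},
    {"src": "tag:server", "deny": ["tag:laptop:22"]},
  ],
}
```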
The trade is real and worth naming: I've handed key coordination to a third party. For a homelab I'm comfortable with that: the data plane is still WireGuard between my own devices, and if I ever change my mind there's Headscale to self-host the control side. But I haven't, because the managed version has been genuinely boring in the best way. It just works, my firewall is shut, and I've stopped thinking about remote access entirely. That was the whole point.