Tailscale Mesh VPN

I have had WireGuard set up for a short period of time on my OPNsense firewall. I stopped using OpenVPN years ago and did not have a home VPN solution after that. Mostly I wanted a new solution to have my Oracle Cloud nodes on the network and Realm, but also so I can obviously access my home network from my laptop or phone. WireGuard is OK, but an absolute beast to set up or understand without scripts.

About Tailscale

I saw someone start using "Tailscale" and they recommended it, so I started taking a peek at the idea. It has a nice hosted dashboard to view all of your machines, but you can self-host a Headscale controller if you are intent on not using SaaS.

Tailscale is built on top of WireGuard but it is more like Zscaler, using a mesh networking model without all the proxy shenanigans. You can see Tailscale's comparison here.

Deployment

Deployment is stupid simple and I was up and running quickly.

The "proper" method to use Tailscale is to have agents on every node that will be part of this Tailscale network; they will all talk via this network. That is fine and dandy for my phone or my cloud nodes, but I don't really want to install and manage agents on every server at home. I am also concerned about how routing could occur between all these nodes once they have multiple paths available. I want this solution to still act as a normal VPN gateway into my network from the outside. To suit this paradigm, Tailscale offers Exit Nodes.

Essentially an Exit Node is a designated node behaving like a traditional VPN server. I will be using this method on a Pi; my idea is that this will be independent of my hypervisors should they have issues and need remote troubleshooting.

Setup of the exit node on my Pi was as painless as any other node. Aside from the forwarding rules provided in the documentation, you will need to enable masquerading. Tailscale tells you how to do that for firewalld in the docs, but I abhor any iptables wrapper. To do your masquerade in iptables, use:

sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE
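
An added example, not from the original post: a small shell audit of the two things the exit node depends on, kernel forwarding and the masquerade rule, which also flags the duplicate rule left behind when the `-A` append above is run more than once. The function names are hypothetical, the sysctl keys are assumed to be the ones Tailscale's forwarding instructions set, and the sample text is constructed.

```shell
#!/bin/sh
# Audit an exit node: forwarding on, exactly one MASQUERADE rule. Live use (root):
#   audit_exit_node tailscale0 \
#     "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding)" \
#     "$(iptables-save -t nat)"

# Succeeds only if stdin (sysctl output) shows IPv4 and IPv6 forwarding = 1.
forwarding_enabled() {
    awk -F' *= *' '
        $1 == "net.ipv4.ip_forward"          && $2 == 1 { v4 = 1 }
        $1 == "net.ipv6.conf.all.forwarding" && $2 == 1 { v6 = 1 }
        END { exit !(v4 && v6) }'
}

# Prints how many POSTROUTING MASQUERADE rules on stdin (iptables-save
# output) name interface $1 as the out-interface.
masquerade_count() {
    awk -v ifc="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            out = ""; jump = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") jump = $(i + 1)
            }
            if (out == ifc && jump == "MASQUERADE") n++
        }
        END { print n + 0 }'
}

# audit_exit_node IFACE SYSCTL_TEXT NAT_TEXT: prints a one-word verdict.
audit_exit_node() {
    printf '%s\n' "$2" | forwarding_enabled || { echo no-forwarding; return 1; }
    case "$(printf '%s\n' "$3" | masquerade_count "$1")" in
        0) echo no-masquerade; return 1 ;;
        1) echo ok ;;
        *) echo duplicate-masquerade; return 1 ;;
    esac
}

# Constructed sample: the rule appended twice by re-running `iptables -A`.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tailscale0 -j MASQUERADE
-A POSTROUTING -o tailscale0 -j MASQUERADE
COMMIT'
audit_exit_node tailscale0 "$SAMPLE_SYSCTL" "$SAMPLE_NAT" || true
```

A verdict of `no-masquerade` after a reboot means the rule was never persisted, since a bare `iptables -A` lives only in the running kernel.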