[3np]

[Guix/Ansible/Chef/Nix/Puppet] + systemd-networkd + firewalld/nftables. It's not much different than setting up any old load-balancer or reverse proxy on an internal network.

Why not Docker? Since routes are kernel-level and shared between containers, using Docker here typically complicates things rather than making them simpler. Unless you already know about most of the "network magic" Docker does by default, in best case you'll waste a lot of time figuring all of that out and in worst-case you'll apparently have it working but actually vulnerable in some subtle way. And at the point where you're running with "--net=host --user=root --privileged", you're not gaining much from containers for these specific use-cases.

Yes, you _can_ do stuff like this with just containers with CNI/custom networking but VMs are typically cleaner and easier unless you're strongly personally motivated to learn about the underpinnings of container networking.

> And docker nginx-proxy to multiplex various self-hosted web apps (either in a home lab or on a VPS).

That's probably fine, and you might be able to do something similar without even touching that part (aside from closing off the public entrypoint when/if you get the tunneling working). You'd set up the WG+routing either on the same box or on a dedicated tunnel/proxy endpoint, as well as on the remote side. You can either add an additional L7 LB (like nginx) at the entrypoint or redirect traffic straight to your existing nginx. The former is probably the safer and easier, but less efficient approach.