by Cyph0n 636 days ago
A VPS that proxies traffic over Tailscale is another neat option. I use this approach to serve self-hosted services that I want to be accessible over the internet.

Why use Tailscale if you can just set up a WireGuard tunnel?
Tailscale is far, far less work to set up and maintain. Not to use a cliche, but it reminds me of Dropbox vs. rsync.

If you know Wireguard well enough to set up your own and you're willing, you'll have a lot more control and less dependency, which is a win IMHO. But if you are limited by time and/or knowledge, Tailscale is great
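
The WireGuard version of the "VPS proxies public traffic to a home host" setup from the top comment, as an added example (not code from anyone in the thread): a small Python script that renders the wg-quick configs for both ends. It assumes a 10.8.0.0/24 tunnel subnet (VPS 10.8.0.1, home 10.8.0.2), eth0 as the VPS's internet-facing interface, and keys generated out of band with `wg genkey` / `wg pubkey` / `wg genpsk`; the keys it prints are random placeholders of the right shape, not keys to reuse.

```python
"""Render the two wg-quick configs for a VPS that forwards chosen public ports to a
home host over WireGuard. Added example, not from the thread.

Assumptions (not stated in the thread): tunnel subnet 10.8.0.0/24, VPS is 10.8.0.1,
home host is 10.8.0.2, VPS public interface is eth0, and keys come from
`wg genkey` / `wg pubkey` / `wg genpsk`. placeholder_key() only fakes the shape.
"""
from __future__ import annotations

import base64
import os

TUNNEL_VPS = "10.8.0.1"
TUNNEL_HOME = "10.8.0.2"
WG_PORT = 51820
PUBLIC_IF = "eth0"  # assumed name of the VPS's internet-facing interface


def is_wg_key(s: str) -> bool:
    """A WireGuard key (private, public or preshared) is 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(s, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def placeholder_key() -> str:
    """Constructed key of the right shape for the demo; real keys come from `wg genkey`."""
    return base64.b64encode(os.urandom(32)).decode()


def vps_config(vps_priv: str, home_pub: str, psk: str, ports: list[tuple[str, int]]) -> str:
    """wg0.conf for the VPS: accept the home peer and DNAT chosen public ports into the tunnel."""
    for k in (vps_priv, home_pub, psk):
        if not is_wg_key(k):
            raise ValueError("malformed WireGuard key")
    lines = [
        "[Interface]",
        f"Address = {TUNNEL_VPS}/24",
        f"ListenPort = {WG_PORT}",
        f"PrivateKey = {vps_priv}",
        # The VPS is now a router between eth0 and wg0.
        "PostUp = sysctl -q -w net.ipv4.ip_forward=1",
    ]
    for proto, port in ports:
        # Forward the public port to the home host's tunnel address...
        rule = (f"iptables -t nat -%s PREROUTING -i {PUBLIC_IF} -p {proto} --dport {port} "
                f"-j DNAT --to-destination {TUNNEL_HOME}:{port}")
        lines.append("PostUp = " + rule % "A")
        lines.append("PostDown = " + rule % "D")
    # ...and source-NAT it so replies come back through wg0 rather than leaving via the
    # home host's default route (cryptokey routing would drop that asymmetric reply anyway).
    lines.append("PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE")
    lines.append("PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {home_pub}",
        f"PresharedKey = {psk}",
        # Cryptokey routing: only packets from/to the home host's tunnel address are accepted.
        f"AllowedIPs = {TUNNEL_HOME}/32",
    ]
    return "\n".join(lines) + "\n"


def home_config(home_priv: str, vps_pub: str, psk: str, vps_public_ip: str) -> str:
    """wg0.conf for the home host: dial out to the VPS and keep the NAT mapping alive."""
    for k in (home_priv, vps_pub, psk):
        if not is_wg_key(k):
            raise ValueError("malformed WireGuard key")
    return "\n".join([
        "[Interface]",
        f"Address = {TUNNEL_HOME}/24",
        f"PrivateKey = {home_priv}",
        "",
        "[Peer]",
        f"PublicKey = {vps_pub}",
        f"PresharedKey = {psk}",
        f"Endpoint = {vps_public_ip}:{WG_PORT}",
        # Only traffic for the VPS itself goes into the tunnel; the home default route is untouched.
        f"AllowedIPs = {TUNNEL_VPS}/32",
        # The home side sits behind NAT/CGNAT with no reachable endpoint, so it must initiate
        # and keep the mapping open; the VPS learns the home endpoint from the handshake.
        "PersistentKeepalive = 25",
    ]) + "\n"


if __name__ == "__main__":
    psk = placeholder_key()
    print(vps_config(placeholder_key(), placeholder_key(), psk, [("tcp", 443)]))
    print(home_config(placeholder_key(), placeholder_key(), psk, "203.0.113.10"))
```

The MASQUERADE on wg0 is what makes this a pure port-forward rather than a routed setup: the home service sees every client as 10.8.0.1, so if you need real client addresses you either terminate TLS on the VPS and pass them in a header, or drop the MASQUERADE and point the home host's reply traffic back into the tunnel with policy routing and a wider AllowedIPs. Keep the /32 AllowedIPs on the VPS side regardless; it is what stops a compromised home box from injecting packets for other addresses.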

Aren't we talking about self-hosting, tinkering with your software for fun and hobby instead of going the SaaS way? Arguing about WG instead of TS in this context is perfectly fine
Indeed, if you got the impression from my comment that I didn't think a debate on WG vs. TS was fine, then I apologize. I think it's a great (and important) thing to debate. My opinion is as stated. I think it's a different cost-benefit analysis for each person depending on time and/or knowledge.
Don't worry!

Staying on the topic, I wonder how easy/complicated it is to self-host Headscale, which is the open-source implementation of the TS server.

Some people want the control without it becoming a full time hobby.

I wanted a NAS. I could do it with Linux and ZFS, rolling my own with full control. However, I didn’t want to sink that much time into it, and figured when something needed to be done, I would have forgotten so much I’d need to relearn over and over again.

Instead I went with a Synology. I get my NAS, I’m in control of my data, I can run some stuff with Docker on it… but I don’t really have to spend any time playing sys admin on my weekends.

I self-host TS (Headscale), so maybe not mutually exclusive.
Wireguard is very easy to set up imo.

Tailscale adds a lot of conveniences on top of Wireguard, though. I don't think most of their value comes from just eliminating the key management stuff from Wireguard setup.

Because they have good PR. Mesh networks are a dime a dozen, some of them have existed for decades and do not even rely on a central server (see tinc for an example).

There are more lightweight projects that rely on native kernel mode wireguard (thus giving fantastic performance) and only simplify key setup, without the need for persistent daemons that have had their own high severity CVEs. If you're asking this question, you might be better served by something like innernet (again, there are tons of alternatives).

There are more alternatives that are fully open and self hostable (including all server components), have support for the native kernel module, while having the same feature set as Tailscale (like netbird, but it's not the only one).

But TS is an HN darling because their devs have a presence here, some of them very well known and highly visible, and the company places lots of advertisements in podcasts and such.

I have worked in IT for 30 years, wrote a tiny bit of the Linux kernel, self-host plenty of things, yada yada yada.

When I discovered Tailscale it was a godsend: all the annoying, boring, moving parts are gone. This is a fantastic product that just works.

I have a backup WG link to my main servers just in case but this is that: a backup.

Just ease of use mostly, Tailscale works even behind CGNAT and automatically manages things for you.
I think you're unlikely to have a very good experience with Tailscale behind CGNAT if you're doing anything high bandwidth like video streaming from a Plex/Jellyfin server.

AFAIK Tailscale only supports 2 modes of connection: direct connect or relayed over WebSockets with their DERP protocol. CGNAT is going to limit you to DERP, which is not designed for transmitting a lot of data. For one thing, that could get rather expensive for Tailscale.

Oh yeah it's not going to be very fast, but for general usage that doesn't involve large transfers it's fine.
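
To see whether a given peer is actually on a direct path or being bounced through a DERP relay (the situation the CGNAT comments above describe), here is an added Python example, not from the thread and not Tailscale's own tooling. It classifies peers from the output of `tailscale status --json` using the `Active`, `CurAddr` and `Relay` fields that command emits (the same fields the CLI's text view uses to print "direct ip:port" versus "relay"), and flags relayed peers that have already moved a lot of bytes. The status document embedded in it is constructed for the demo; the hostnames and byte counts are made up.

```python
"""Classify the peers in `tailscale status --json` as direct, relayed (DERP) or idle.
Added example, not from the thread or from Tailscale.

Uses the PeerStatus fields the CLI emits: Active (recent traffic), CurAddr (ip:port of a
direct path, empty when there is none) and Relay (the peer's DERP region code).
SAMPLE_STATUS is constructed for the demo and only shaped like real output.
"""
from __future__ import annotations

import json
import sys

SAMPLE_STATUS = json.dumps({  # constructed sample, not captured from a real tailnet
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"], "Relay": "fra"},
    "Peer": {
        "nodekey:aaaa": {"HostName": "jellyfin-box", "TailscaleIPs": ["100.64.0.2"],
                         "Active": True, "CurAddr": "", "Relay": "fra",
                         "RxBytes": 8_500_000_000, "TxBytes": 120_000_000},
        "nodekey:bbbb": {"HostName": "vps", "TailscaleIPs": ["100.64.0.3"],
                         "Active": True, "CurAddr": "203.0.113.10:41641", "Relay": "fra",
                         "RxBytes": 10_000, "TxBytes": 20_000},
        "nodekey:cccc": {"HostName": "phone", "TailscaleIPs": ["100.64.0.4"],
                         "Active": False, "CurAddr": "", "Relay": "lhr",
                         "RxBytes": 0, "TxBytes": 0},
    },
})


def classify_peer(peer: dict) -> str:
    """Same rule the CLI's text output applies: idle if no recent traffic, direct if a
    CurAddr is known, otherwise traffic is going through the peer's home DERP region."""
    if not peer.get("Active"):
        return "idle"
    if peer.get("CurAddr"):
        return "direct"
    return f"relayed:{peer.get('Relay') or '?'}"


def classify_status(status_json: str) -> dict[str, str]:
    """Map each peer's hostname (falling back to its node key) to its path classification."""
    status = json.loads(status_json)
    return {p.get("HostName", key): classify_peer(p)
            for key, p in status.get("Peer", {}).items()}


def relayed_heavy_hitters(status_json: str, min_bytes: int = 1_000_000_000) -> list[str]:
    """Peers that are relayed *and* have moved at least min_bytes in total: the cases
    where a CGNAT-forced DERP path actually hurts (media streaming, backups)."""
    status = json.loads(status_json)
    out = []
    for key, p in status.get("Peer", {}).items():
        moved = p.get("RxBytes", 0) + p.get("TxBytes", 0)
        if classify_peer(p).startswith("relayed") and moved >= min_bytes:
            out.append(p.get("HostName", key))
    return out


if __name__ == "__main__":
    # `tailscale status --json | python3 this.py`; falls back to the sample when nothing is piped in.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    raw = raw.strip() or SAMPLE_STATUS
    for host, path in classify_status(raw).items():
        print(f"{host:20} {path}")
    for host in relayed_heavy_hitters(raw):
        print(f"WARNING: {host} is pushing bulk traffic over DERP; try `tailscale ping {host}`")
```

An idle peer shows as neither direct nor relayed because no path has been probed yet, so send a little traffic (or `tailscale ping <host>`, which reports each probe as direct or via DERP) before trusting the classification for that peer.
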
I have a VPS configured for BGP peering, using my own ASN, tunneling an IPv4 block and a couple of IPv6 blocks back to my home network over a wireguard tunnel. These wind up on their own VLANs, exposing a few VMs directly to the Internet.

It took a bit of time to set this up (and I fortunately had the v4 block already registered from back in the '90s). I also had experience with BGP from previous jobs at early ISPs, which helped. Proxying is easier.

In my case I am just interested in the software I'm running behind the proxy. I use CF tunnels to expose my internal services, and spend my tinkering time on the actual services, rather than (to me) wasting the time to bother with worrying about updating IPs or setting up custom auth schemes (I keep a lot of my services locked down entirely behind github SSO, so you can't even reach my e.g. Jellyfin login page without first being auth'd to github as me, which basically prevents all brute-force attempts on my services).