I am doing a lot of what people here said they are doing with tailscale but I just use plain wireguard. As I understand it tailscale makes various configurations automatic, management easy and provides features like authentication that wireguard does not have. But for a small number of hosts, it's fine to run wireguard itself and manage manually.