I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.

Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.

It lets me expose services publicly without any inbound port forwarding on my home connection.

  • pedroapero@lemmy.ml
    2 days ago

    It’s not clear to me why you absolutely don’t want to expose your home port.

    From a security standpoint, you are still exposing your services to the public anyway (only the TCP stack is not, which is likely the smallest attack surface).

    If you had a simpler reverse-proxy VPS, it would still hide your home server IP from clients. Your ISP would still only see encrypted traffic (HTTPS). Since you use AdGuard already, you can target DNS-over-HTTPS upstreams to hide all DNS traffic too (eventually have a firewall rule to block outgoing DNS queries if you don’t trust your application).
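
A minimal sketch of the hub layout described in the original post, added here as an example and not the poster's actual configuration. The tunnel subnet, port, hub address and key placeholders are all constructed assumptions; the point it shows is that the home peer only dials out, which is why no inbound port forward is needed at home.

```ini
# ---- /etc/wireguard/wg0.conf on the hub VPS (assumed public IP 203.0.113.10) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820                      # the only port that has to be reachable from outside
PrivateKey = <hub-private-key>          # placeholder, generate with `wg genkey`

# Home lab peer: no Endpoint here, the hub learns it from the
# first authenticated packet the home side sends.
[Peer]
PublicKey = <home-public-key>           # placeholder
AllowedIPs = 10.8.0.2/32                # accept only this tunnel address from this key

# Reverse-proxy VPS peer
[Peer]
PublicKey = <proxy-public-key>          # placeholder
AllowedIPs = 10.8.0.3/32

# The hub must forward between peers for proxy -> home traffic:
#   sysctl -w net.ipv4.ip_forward=1
# and should restrict forwarding on wg0 to the proxy-to-home service
# ports rather than allowing any peer to reach any other.

# ---- /etc/wireguard/wg0.conf on the home lab host ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <home-private-key>         # placeholder
# No ListenPort and no router port forward: this side initiates.

[Peer]
PublicKey = <hub-public-key>            # placeholder
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24                # route only the tunnel subnet, not all traffic
PersistentKeepalive = 25                # keeps the NAT mapping open so the hub can reach back in
```

The reverse proxy on the second VPS would then use `10.8.0.2` as its upstream. Services published this way are still reachable by the public through the proxy, so they need the same authentication and patching as if the home port were open.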