I’ve just moved and I’m setting up my machines. NIC died in my DIY router just before the move so I’m upgrading to 2.5/10 Gbps at the same time.

Thanks. Plain Wireguard is an option I’m considering, but it’s also considerably more hassle to configure and maintain, especially as I connect more family members to my network. Headscale also has an extra layer of security in the form of ACLs, which I plan to use on top of basic firewall configuration. I do connect my personal machines with Wireguard, but I use one family member as a Tailscale/Headscale test subject.

As for SELinux, I’ve gave up on it already. It caused me so much headache over the years I disable it with a kernel parameter by default on all machines.