You can also “simply” raw-dog Wireguard. It’s built into the Linux kernel, so you barely have to install anything besides the userspace tools.

Basically, I objected to being reliant on the generosity of a for-profit company. “We do these things not because they are easy, but because we thought they would be easy.”

This is a rough sketch:

• Create a Linux server. It can even be a VM/container if you get the networking right.
• Create a Wireguard interface and pick a private IP address subnet that won’t conflict with your home subnet: https://www.wireguard.com/quickstart/
• Define PostUp and PostDown rules in your Wireguard config that modify iptables to masquerade traffic from the Wireguard subnet
• Also set net.ipv4.ip_forward=1 with sysctl. (There is probably an IPv6 equivalent but I live in the past.)
• Generate keypairs and configs for each device you want to use
• Set up dynamic DNS, e.g. https://freedns.afraid.org/
• Forward UDP port 51820 to your server
• Install the Wireguard app on your client devices. If Linux, you can just write a client config containing the necessary magic words and start it up with wg-quick.

Boom. Tailscale’d.

I’m sure I’ve forgotten some steps. I have some janky automation that’s broken in a new way every time I try to use it.