I started out with WireGuard. As you said, it’s a little finicky to get the config to work, but after that it was great.
As long as it was just my devices, this was fine and simple, but as soon as you expand this service to family members or friends (including not-so-technical people) it gets too annoying to manually deal with the configs.
And that’s where Tailscale / Headscale comes in to save the day because now your workload as the admin is reduced to pointing their apps to the right server and having them enter their username and password.
Sorry I don’t have a recommendation for you but this question often comes up in the Home-Assistant (local-first home automation software) community. So maybe have a look around those channels as well.
Getting the configs to work with my personal devices was already a little finicky but doing that for not-so-technical family members was starting to be a bit too much work for me.
I’m hoping that Headscale will cut that down to pointing their app at the server and having them enter their username and password.
Was running WireGuard and am now in the process of changing over to Tailscale (Headscale).
It uses WireGuard for the actual connections but manages all the WireGuard configs for you.
Nextcloud is just a web service. How he or anyone can access it is not determined by Nextcloud but by the routers, firewalls, VPNs and potentially reverse proxies that are routing the traffic to Nextcloud.
With the proper configuration of all traffic handling services, it will not be possible to access anything other than the intended endpoint, i.e. Nextcloud.
Within Nextcloud, any user can only access their own files plus anything that is explicitly shared with them.
Why not set up backups for the Proxmox VM and be done with it?
Also makes it easy to add offsite backups via the Proxmox Backup Server in the future.