I also use HTTPS with a Let's Encrypt cert.
PS: I just realized Tailscale is just a WireGuard wrapper client. My setup is not far from (1) then ;)