We've got a Tailscale integration that takes care of the security concerns. Set policy to decide what can talk out to the Tailscale node and what the Tailscale gateway is granted access to. This is especially important when you can't run a Tailscale client on the devices you want to connect.
https://github.com/spr-networks/spr-tailscale