Hello selfhosted community, I need help figuring out some things.

So I have a server running multiple services, and everything works perfectly. For remote access, I use Tailscale with the “Subnet Router” and “Exit Node” features, which basically makes it so that I’m connected to my home network whenever the Tailscale VPN is running.

Now I want a selfhosted version of this. Since I’m behind a CGNAT connection, I have created a compute instance on Oracle Cloud, as that provides a static IP. However, following the guide I have seen to make WireGuard bypass CGNAT (https://github.com/mochman/Bypass_CGNAT), it seems that:
- This system makes it so that everything coming into the VPS is passed through to my server.

- The ports for the proxy manager need to be exposed on the VPS.

Is it not possible to create a setup that will do essentially the same thing, but only work when I have WireGuard turned on on the client device? I do not want the VPS to be accessible on the internet to everyone.