- You can get proper security for all your Wi-Fi connected hosts/client devices, for one[1]. Just be sure to set up a Preshared Key for each WG Client conf.
- Your internal WG network can be (read: not without additional work) treated as a wholly separate network contained/isolated from the rest (a highly encrypted virtual local area network (VLAN), if you will).
- IF your WG Service Provider supports incoming port forwarding, you can reach your internal network hosts/clients from nearly anywhere on the Public Internet/clearnet through an encrypted tunnel (again, additional work required). There aren't many that do, to my limited knowledge.
You can do the latter as it’s a common enough configuration (caveats apply) but see my above point in Q1 re: WG Service Provider incoming port forwarding. That’d be the preferred option if security is a priority.
Tailscale is an ‘overlay network’ that uses WG-based tech but is not ‘pure’ WG. It is, by default, an either/or setup: tailnet or WG. A ‘tailnet’ is independent of your WG Service Provider but can accomplish similar goals & overcome a restrictive ISP network which one may be using when the ISP in question uses CG-NAT. CG-NAT restricts one’s ability to have incoming connections from the Public Internet to your GL device (the Flint v2 in this case) WG Server’s port 51820… which also invalidates any WG Service Provider’s incoming port forwarding capabilities.
Again & unsurprisingly, setting up a tailnet on a GL device requires additional configuration to be done, as it is not fully supported at the moment (read: beta status, but can work as expected[2]).
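A quick way to verify the "Preshared Key for each WG Client conf" point above before deploying a server-side config, as an added example that is not from the post or from GL.iNet: it parses a wg-quick style file (which may hold several `[Peer]` sections, so `configparser` does not fit) and lists every peer lacking a `PresharedKey`. The config text and key strings are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample: Flint-style server conf with two peers; the second has no PSK.
# All key values are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# laptop
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PEER1_PSK_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
# phone (PresharedKey forgotten)
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""


def parse_wg_conf(text: str) -> List[Dict[str, str]]:
    """Return one dict per section; '__name__' holds the section name.
    Repeated [Peer] sections are kept separately, unlike configparser."""
    sections: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__name__": line[1:-1].strip()}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def peers_without_psk(text: str) -> List[str]:
    """PublicKey of every [Peer] whose PresharedKey is missing or empty."""
    return [sec.get("PublicKey", "<no PublicKey>")
            for sec in parse_wg_conf(text)
            if sec["__name__"] == "Peer" and not sec.get("PresharedKey")]


if __name__ == "__main__":
    for pk in peers_without_psk(SAMPLE_CONF):
        print(f"peer {pk} has no PresharedKey")
```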