I have wireguard for other purposes but I also have ssh open on a different port. I don’t much understand the argument of exchanging ssh for wireguard. In the end, we’re just trading an attack vector for another.
My ssh only allows connections from my user. If I’m using password auth, I also request a 2FA.
Tail scale is also a good idea but I don’t like having my control plane under someone else’s control.