They solve different problems. Tailscale basically allows you to ignore any NAT topologies separating you from your machines. You can have a pseudo local network of your machines behind a VPN, allowing SSH to any machine with zero routing issues. And it’s incredibly seamless. I’m a big fan.

But in this model wouldn't you control the NAT config? You're already running servers, so outside access isn't an issue. I dunno, OP is running that "Cloudflare tunnel" thing for exposed ports so maybe there's something I don't know, or that the internet connection is still some consumer thing that prevents or forbids running servers.

Actually, now that I look closer they aren't running their own email, so maybe this really is primarily a mostly-internal-access project. I do like those SFFs tho!

The difference vs SSH for me (using plain Wireguard but achieving the same thing) is that I can set up my phone with always-on VPN to home and then wherever I am I'm effectively on my home network. I can access all my home-hosted services in my browser, securely access IOT things that can't talk to the open internet, use my home-hosted DNS rather than my mobile provider's, etc. I do use ssh over that connection (with Termux) to talk to servers, ofc.