I can't offer technical network advice on VPS Headscale; personally, I'm not confident in my network skills. I would be more inclined to go through the pain of manually setting up WireGuard instead of having a Tailscale or Headscale service, skipping the middleman, so to speak.
Edit: setting up a new system this month, Tumbleweed has moved to SELinux enforcing as the default. It provided some SSH and Samba challenges at first until I learned about setting SELinux policies. So maybe hardening with SELinux would also be smart. For example, I could SSH remotely into my machine, but due to policies being locked down I could not run user bash, or even see the contents of the home folder.
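As an added example (not from this thread or from openSUSE), the first step when SSH or Samba breaks under SELinux enforcing is to read the AVC denials rather than loosening policy blindly. The script below summarises each denial as process, permission, source domain, target label and class. The audit lines are constructed samples; the domains and labels in them (sshd_t, user_home_t, user_t, home_root_t) are illustrative assumptions, not a diagnosis of the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise SELinux AVC denials so
# you can see which domain was blocked from which label before changing any
# policy or boolean. The log lines below are constructed samples.

AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="sshd" name="authorized_keys" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=2345 comm="bash" name="home" dev="dm-0" ino=12 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=257 success=no'

# Read audit lines on stdin; print one line per denial:
#   <comm> denied <permission> <source type> -> <target type> (<class>)
summarize_avc() {
  grep 'avc: *denied' | sed -E \
    's/.*[{] ([^}]*) [}].*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\2 denied \1 \3 -> \4 (\5)/'
}

# Number of denials in the input (non-AVC records are ignored).
count_denials() {
  summarize_avc | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a live system you would
# feed real records instead, e.g.:  ausearch -m AVC -ts recent | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

A denial whose source is sshd_t and whose target is a home-directory label usually points at a mislabeled file (fixed with restorecon rather than a policy change), whereas a denial from a confined user domain such as user_t reflects the login mapping the system assigned to that user; reading the pair tells you which of the two you are looking at.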
Yeah it definitely is a pain for adding multiple machines.