This is my configuration for a headscale setup, complete with UI protected by auth proxy. This is not my current VPN setup (I've just been using Tailscale for it's reliability), but I think it's a cool option for those that want to be completely selfhosted.
More information on this setup and how to configure it can be found here.