About that, we actually tried (with support from the network team) to open a small VPN from our office for some mobile devices as part of an event installation. Just plain WireGuard on a public IP.
After two weeks of back and forth, the WireGuard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately, though, by using their relays + one of the workarounds for standard WireGuard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective, even for corporate-level networks.