Whatever works for you, and as long as you have an out, that’s great. I’ve just become wary of single-vendor opensource projects to the point where I basically treat them like proprietary software. So far that’s worked, but it requires some restraint from using new shiny things

See my comment here, https://infosec.pub/comment/21363677

CGNAT and changing IPs make this harder. What I’d consider in this scenario is renting a small vps at a local provider (a tiny/cheap machine is enough). Then use this one as a hop to your network, basically homelab->vps<-client. Here is a post that talks about something like that: https://taggart-tech.com/wireguard/

I haven’t used this method personally, but I’ve done something similar for incoming web traffic before, when you want to host things behind a CGNAT. You can actually keep all the traffic confidential by having just an L4 proxy on the vps, then the http traffic is still end-to-end encrypted between the client and the service, so you don’t even have to trust the vps provider when it comes to them snooping. They still get some metadata, but not significntly more than the ISPs.

There’s nothing I’d like to do more than let the US internet-monopolizing company handle all my vpn traffic /s But without being snarky, for homelabbing purposes just use wireguard directly, it’s fun and not that hard to handle. Automate peer configurations using Ansible or some other automation tool if it gets hard to manage manually.