Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.

I don’t have very nerdy friends so not many people appreciate this.

  • @Fedegenerate
    11 days ago

    You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications.

    Excuse me, what? Here’s my dumb ass navigating to "[device name]:[port]" over tailscale.

    I’ve tried this a couple times and I’ve always failed. I could never figure out how to get a http://service.domain request to my Nginx install to be proxied in the first place. I tried putting pihole on tailscale and setting that as tailscale’s DNS. It blocked ads but I couldn’t navigate to custom domains. I put NPM on tailscale hoping that was the issue. I looked for LocalDNS/CNAMES in tailscale to see if I could do it that way. Do I have to set a local machine as an exit node and do split DNS shenanigans, service.domain goes through to my local and everything else the wider web? Do I set a router node?!

    Not expecting you to troubleshoot, I don’t have time to see it through anyhow. Just annoyed at myself I couldn’t figure it out and driven to try again.