Even for the garage door opener use case, one nice thing about Pi is you can run Cloudflare tunnel on it – you can then access it from the internet without messing with port forwarding or TLS certificates.
Your point about the Pi is spot on: a full Linux stack means you can get up to "shenanigans" with all sorts of tooling!
A Pi with an MQTT server and ESP32s as clients is a match made in heaven! For 30 bucks you go from nothing to a Pi Zero and a handful (literal) of ESP32 devices. It's a fun stack to play with!
For one device it works well, but when you get a bunch, I find it simpler to use one Pi (actually now a Lenovo m920q, it could be a Pi, I just needed a bit more power for other stuff) with the tunnels and make it talk to all the IoT stuff. Has a few advantages:
- Updating the more security-sensitive parts is a lot easier (only one machine can talk to the internet).
- Lets me use ultra-low-power, one-coin-cell-a-year stuff.
- Integrates everything in a single point so coordinating stuff is very easy (like, single action to close the blinds, turn on projector and set AC a bit cooler).