To use Wireguard, you need to:
- provision a client tunnel for every device, or at least every person who needs to access your network
- have Wireguard downloaded and installed on every device, with the tunnels all imported.
Basically, Wireguard works really well for services that only you use, on your own devices. You set it up once per device, and you have access to every service you host on your network.
For the DuckDNS / reverse proxy route, you need to configure the reverse proxy for every service you want to expose, but don't need to configure anything on the end user's device.
For Jellyfin, since I have users that are not me, it is impractical to expect them to go through all the hoops to get Wireguard running just to watch some movie or tv show. I also don't want to make new Wireguard client tunnels for every single friend that I add to my jellyfin server. This also means I can access jellyfin on devices that aren't my own such as a friend's TV.
For immich, my phone is a bit wonky with keeping Wireguard connected in the background, and I just don't want to worry about if I'm connected to my vpn just so my photos will get backed up.
I just realized that this is the homeassistant community and not something more generic.
Specifically for homeassistant, Wireguard should be fine, unless you plan to do some more advanced stuff like use Alexa without a nabu casa subscription.
The times where you need access to your HA instance without being able to connect to Wireguard should be pretty limited.