Mine just works with Wireguard. I took a couple extra steps to make it convenient:

1. Public DNS entry gives jump box IP. With some http forwarding the Letsencrypt flow initiated from the internal Jellyfin server.

2. My Wireguard server (running on the jump box) runs dnsmasq and answers DNS queries for wireguard clients with the wireguard IP for the Jellyfin server.

3. DNS server on the home network gives those internal clients the local IP.

Works great now; obviously not plug and play but I had fun setting it up.

Tailscale + Jellyfin + Finamp (iOS Jellyfin music client) has been a game-changer when not on my LAN

I have a similar setup, with an internal Jellyfin server on my lan. Every phone in my household has Wireguard that automatically connects if you are not on my wifi (which means pi.hole, nextcloud, access to cameras, and other services are also available).

It works quite well. Each family member has their own 'Library', since we all have very different taste in music, plus an 'All Library' that includes everything. We can also stream movies and tv shows I own and have ripped.

The clients are OK. We are mostly using Finamp for music playback.

I like knowing my music is always available to me, can't be removed, and is always the same version (I don't necessarily want a new remastered version)

I have a caddy proxy in front of jellyfin's web UI with HTTPS and a domain. It's publicly reachable.