Wireguard is much better. Not only is it easier to set up/maintain, it even works on Android and iOS. I used to use client authentication for my private git server, but getting client certs installed on every client browser or app was a pain in the ass, and not even possible for some mobile browsers.

Today, my entire network of self hosted stuff exists in a personal wireguard VPN. My firewall blocks everything except the wireguard port (even SSH).