Headscale isn't really anywhere near as useful until there's an iOS client. Even one you have to compile yourself and use a developer key to load would be better than none at all.
Nebula is great - super simple to set up and get started if you have a VM to use as a lighthouse. Lots of cloud providers' free tiers have enough resources to host a lighthouse as well.
Certificate management is its one weakness at the moment. There are a growing number of projects floating around attempting to solve that though:
As others have suggested, Nebula (https://github.com/slackhq/nebula) is pretty elegant. It has groups-based access built in, which is extremely convenient.
You can bolt on SSO fairly easily - just create a certificate signing service. I created https://github.com/unreality/nebula-mesh-admin in a weekend, so it's fairly easy to add an SSO flow in.
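As an added illustration of the groups-based access the comments above describe (this is example configuration written for this page, not code from the thread, from nebula-mesh-admin or from the Nebula project; the host names, IP range, group names and file paths are assumptions), here is a host-side `config.yml` for one node of the mesh. The comment block at the top shows the `nebula-cert` invocations that place groups into each host certificate; the `firewall` section then keys its rules on those groups.

```yaml
# Added example, not taken from the thread or the Nebula repository.
# Names, addresses, paths and groups are assumed for illustration.
#
# Groups are written into the signed host certificate, so access is
# decided at signing time (the step a certificate-signing service or SSO
# flow would front):
#   nebula-cert ca   -name "example-mesh"
#   nebula-cert sign -name lighthouse   -ip 10.42.0.1/24  -groups lighthouse
#   nebula-cert sign -name laptop-alice -ip 10.42.0.10/24 -groups admins,laptops -duration 720h
#   nebula-cert sign -name web-1        -ip 10.42.0.20/24 -groups servers,web
# A node that cannot present a certificate chained to ca.crt never gets a
# tunnel at all, regardless of the firewall rules below.

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/web-1.crt
  key: /etc/nebula/web-1.key
  # Revocation is a per-node blocklist of certificate fingerprints; it has
  # to be distributed and reloaded on every node, which is the cert
  # management pain point mentioned above.
  blocklist:
    - "<sha256 fingerprint of a revoked host certificate>"

# The lighthouse sits on a fixed public address (for example the free-tier VM).
static_host_map:
  "10.42.0.1": ["lighthouse.example.com:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "10.42.0.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true    # keep NAT mappings alive; most members sit behind NAT

tun:
  dev: nebula1
  mtu: 1300

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    # ICMP from any mesh member, useful when debugging hole punching.
    - port: any
      proto: icmp
      host: any

    # SSH only from peers whose certificate carries BOTH groups
    # ("groups" is AND across the listed groups).
    - port: 22
      proto: tcp
      groups:
        - admins
        - laptops

    # HTTPS from any peer carrying the single group "web-clients".
    # Separate rules are OR'd together.
    - port: 443
      proto: tcp
      group: web-clients

    # A metrics scraper matched by mesh address rather than by group.
    - port: 9100
      proto: tcp
      cidr: 10.42.0.5/32
```

Because membership is baked into the signed certificate, each node's firewall simply trusts what the CA asserted, and the signing service becomes the one place where policy is decided and where an SSO check fits naturally. The `-duration` flag on `nebula-cert sign` keeps individual host certificates short-lived, which limits how long a lost laptop's certificate stays usable before the blocklist catches up.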
1000% this. We started using Chargify before Stripe, when there were very few options and they were cheap.
They increased pricing and added a bunch of features we don't use, plus our payment processor (DPS, now Windcave) refuses to export our customer card data.
So for the past few years we have been slowly migrating people away as they update their card details, but it's been a frustrating experience.