If your devices are in one network, like at home, you have all those things with WireGuard too.

Devices in home LAN all talk to each other, so you have a mesh network.

You need keys for your laptop, phone and remote devices only. Most nodes are in the LAN and don’t even need to run a VPN.

With plain WireGuard, you open a single port on a single device. With mesh VPNs you open tons of ports: several ports in coordination, STUN and relay servers, and every device also runs a VPN server listening on a port.

You VPN to home and use your home DNS. You enter ACL rules and the DNS server in your router.

I use a mesh VPN but I’m thinking of switching back to WireGuard, my older setup.