That's what Tailscale is for. Sure, it adds another layer that you might not like. But underneath it is all Wireguard and at least most of it (not sure if all of it) is also open-source. In fact, the OP post was written by a Tailscale guy apparently.
Tailscale deals with the things that the IKEv2 part of IKEv2/IPSec handles. It's not a perfect mapping as Tailscale/Wireguard is different than IKEv2/IPSec.
Apart from being a 3rd-party service, which isn't really what I want, it seems to check all of the boxes. The documentation is very thin on the iOS side, but it seems likely that the iOS app can do everything that can be configured in the admin console. That configuration does seem to meet my requirements.
Is there a self-hosted Tailscale-like option?
The only other thing is automatic connection. In my IKEv2/IPSec setup, I've built configuration profiles for the iOS devices so that they'll establish a connection on-demand (triggered by a DNS lookup for my internal domain), but only when they're not on my home Wifi network. It's perfectly seamless since it's all built into iOS. The Wireguard app seems to deal with the "connect when not on home Wifi" part, but doesn't do the on-demand side. Wireguard is light enough that this may not actually matter though.
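As an added illustration (not the commenter's own profile), here is the OnDemandRules portion of an iOS VPN configuration-profile payload, using Apple's documented VPN payload keys, that expresses the behaviour described in that comment; the SSID "HomeNet" and the domain "internal.example" are placeholders.

```xml
<!-- Added example, not the commenter's profile. Only the on-demand part of the
     VPN payload is shown; the IKEv2 server, identity and authentication keys
     of the same payload dict are omitted. "HomeNet" and "internal.example"
     are placeholder values. Rules are evaluated top to bottom, first match wins. -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- Rule 1: when joined to the home Wi-Fi (matched by SSID), keep the
         tunnel down. SSIDMatch only applies to the WiFi interface type. -->
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
        <key>SSIDMatch</key>
        <array>
            <string>HomeNet</string>
        </array>
    </dict>
    <!-- Rule 2: on any other network, do not connect eagerly; instead bring the
         tunnel up only when an app resolves a name under the internal domain
         and that lookup cannot be satisfied without the VPN (ConnectIfNeeded). -->
    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <key>Domains</key>
                <array>
                    <string>internal.example</string>
                </array>
                <key>DomainAction</key>
                <string>ConnectIfNeeded</string>
            </dict>
        </array>
    </dict>
</array>
```

Because an SSID is not authenticated, the Disconnect rule is a convenience for the home network rather than a security boundary; any network that advertises the same SSID will also match it, so the services behind the tunnel should not depend on that rule for protection.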