Pangolin handles this nicely. You can define alias addresses for internal resources and keep the fully private and off the public internet. Also based on WireGuard like Tailscale.
Traditional reverse proxies require a public IP and open firewall ports. Pangolin uses a tunneled reverse proxy to expose resources behind restrictive firewalls without those requirements.
A single Pangolin server can tunnel to multiple remote networks, centralizing apps from different locations into one place. It also includes VPN clients and handles NAT traversal as an alternative to traditional VPNs for direct connections.
Hiding an IP and security are not necessarily the main use cases.
The tunneled reverse proxy aspect comes in handy when trying to expose internal apps on a network behind a hard NAT where ports can't be opened and a public IP address isn't available (like CGNAT).
Pangolin is also a VPN like Tailscale/Twingate/etc, so you can access non http resources via a direct connection via WireGuard and NAT traversal.
Pangolin is dual licensed under the AGPLv3 and the Fossorial Commercial License. The community edition includes no commercial license code and is fully AGPL compliant. The enterprise edition is also free to use for personal use.
Pangolin could be a great open source alternative if you prefer to self host the server component. You could even set up WAF with CrowdSec which is awesome
Handles both browser-based reverse proxy access and client-based P2P connections like a VPN.