Honestly, I wouldn’t stick any OOB management thing on any network I couldn’t trust. And it sounds like you have no ability to ensure that someone on the remote side can’t just go and change what your box is plugged into arbitrarily.

With that in mind… I’d probably do Tailscale, bare metal (no virtualization), and set up the machine’s local firewall to drop all incoming connections from the ethernet port. Tailscale would connect out to establish its tunnel and then everything coming in via Tailscale would be fine.

I’ve never heard of warming up wine slightly. I’ve heard of mulling wine, but that takes higher heat…