Best Practice for VPN users to access 1 LAN resource

What would be the best way to allow an outside business/individual to access one (and only one) LAN resource they need to manage?

A couple of ideas

  • Setup a VPN where firewall rules restrict that user’s IP to the internal LAN IP.
  • Use Tailscale