this is along the lines of what i am thinking: wireguard server on linode instance. wireguard client on home node. All traffic is routed to linode instance and public IP of node is the linode wireguard server. if wireguard goes down then only tor traffic is permitted

Yes, I believe this is totally possible and would decrease latency in pathfinding!

Umbrel has a Tailscale app. Install it and "create an account" by linking a GitHub/Google account. You can make a burner account just for authentication with Tailscale.

After this, you have created a VPN with only your umbrel on the network.

You can install Tailscale on a cheap VPS running linux.

You should now have a VPN with two devices (umbrel and server). You can create a subdomain pay.example.com and point it to the server's public IP. Then on the server, create a reverse proxy (using caddy, nginx, apache, etc) that forwards the subdomain traffic to the Umbrel's Tailscale IP. You'll need to proxy through all the ports LND needs. Might also need to modify lnd.conf with the server's IP so LND can announce itself using the public server address. Could also proxy ports for different apps on your umbrel. If you wanted to serve mempool app publicly for example.

With this setup, your node will broadcast only the IP of the server (not your actual node's IP). Tailscale's coordination servers technically know the IP of your node, but all traffic flowing through Tailscale servers is encrypted so they have no way to know that your devices are doing anything related to Bitcoin. You can bypass Tailscale servers by self-hosting a Headscale coordination server, or by setting up wiregaurd tunnels manually.

If I understand correctly, the main issue with any VPN is where is going to run, you need a VPS and this VPS need to be pay without any KYC, email and pay with crypto.

PD: Any recomendation for a VPS without KYC and paid with sats?

You can't get a public IP address with Tailscale, it's a private network. Don't know about wireguard.