Okay, to your credit, this did actually work. Though I’d remove step 2, since the module already does that, and step 3’s port has a dedicated option (.openFirewall in the tailscale module).
I guess the plan now is to set up my network with tailscale and then hopefully drop in headscale later on.
And for those interested, it seems the tailscale folks did actually explain the magic sauce behind their tool (to some degree), e.g. How Network Address Translator (NAT) works | Tailscale.