Tailscale builds a mesh, where the participants can communicated directly, so it's common for all nodes to be behind a FW that does NAT. There is a very interesting blog post from tailscale about all the trickery they pull to reliably deal with NAT: https://tailscale.com/blog/how-nat-traversal-works/