I don’t have a spare machine to test this, but please do not break Tailscale - I have only been able to make it work inside a jail with
systemd_nspawn_user_args=--capability=CAP_NET_ADMIN
If there is a documented, safe alternative, I can test it after-hours - I have a few servers directly accessible via SSH, breaking Tailscale wouldn’t be a big problem on them.