WireGuard on Linux ‘jail’ with systemd-nspawn

Tailscale simply works, running their install script - the only thing needed is the --capability=CAP_NET_ADMIN argument in the jail config.

Anyway, I did manage to get WireGuard running for now as a docker container inside a jail, following this link: GitHub - linuxserver/docker-wireguard

It takes a couple minutes to accept connections when the jail is restarted, but it is enough for my current needs. I’ll investigate further how to do this without docker, as a side project.
