Comment by aftbit

You can run two nodes both behind restrictive full cone NATs and have them establish an encrypted connection between each other. You can configure your devices to act as exit nodes, allowing other devices on your "tailnet" to use them to reach the internet. You can set up ACLs and share access to specific devices and ports with other users. If you pay a bit more, you can also use any Mullvad VPN node as an exit point.

Tailscale is "just" managed Wireguard, with some very smart network people doing everything they can to make it go point-to-point even with bad NATs, and offering a free fallback trustless relay layer (called DERP) that will act as a transit provider of last resort.