I dont have much knowledge about tailscale, but i wonder could it be that one of the ip you connect to on their site blocks your endpoint ip?
Especially the timeout thingy makes me wonder if that is true, it could be some type of hop routing to a difference ip which blocks it after a few packets passed within or after handshaking?
With mullvad/wireguard im aware of bigger cdn being the culprit, akamai, but also amazon aws can randomly block such ip without even informing the company peer, also on steam people found a way to make their acc inaccessible by just using a black listed word 
, i noticed when something of that happens the routing also differs if you do a tracert vs block and non block.
If its not that i wonder if MTU is at play, tbh i can’t really help but that comes in my mind.