Tailscale adds a layer of NAT traversal logic on top of regular WireGuard, so in most cases you end up with p2p WireGuard tunnels between your devices, as if the NAT wasn't there. https://tailscale.com/blog/how-nat-traversal-works/ has the gory details, it's less easy than I just made it sound :)