by aofeisheng 1173 days ago
No. Cloudflare Tunnel is basically a Layer 7 proxy. And most importantly, Cloudflare Tunnel is a MITM.

From the article: When you turn on Funnel, we create public DNS records for your node.tailnet.ts.net name that point to a set of ingress servers we operate around the world, and then we give those servers very limited access to your tailnet.
The funnel relays do SNI-based routing to the target machine in your tailnet, and that machine does the TLS termination. We use the initial TLS handshake to route the connection, but after that it's just opaque bytes to us. You can verify this in the client's source code, and use CT logs to see that there are no additional issued TLS certs beyond the one your end-machine created.