Wireguard is easy to block. Some VPN providers do implement an obfuscation layer for it, but Tailscale uses plain WG, so if WG is blocked, you will get no connection. Control plane would still work, though.
Intriguingly, my work network (both guest and employee networks) blocks OpenVPN, commercial VPN (Proton I use, plus a couple of others I tried just as an experiment), and Tailscale authentication, but if the device is already authenticated to the tailnet, it will continue to work. Turns out that work uses the same ISP my home does, so perhaps that's part of it, but I have another TS exit node running at my in-laws' house (so I can remotely maintain their network, and so I can get out to the Internet via TS even if my home is down), and they're in another state with a different ISP.
I haven't actually tried this when my home service is down, because it's basically never down, but I can easily switch exit nodes when they are both running without hitting the authentication servers again.
It's easy to block the control plane because Tailscale has endpoints listing all current control and DERP servers. On Linux you can use a SOCKS proxy for control plane traffic, if connections still work. Some firewalls are really restrictive.
I can understand the work network policy, someone could use Tailscale to leak data, but a residential ISP should not block it. I would rather bother their support for an incomplete service.
My residential ISP does not block it. My issue with work isn’t that they block it on employee WiFi, it’s that they block it on the guest network too. Our nanny software is rather extreme - blocks, for example, alcohol-related sites. Which in a sense is fine, because I don’t need to read up on whiskey at work, but it also often blocks restaurant sites.
