It's easy to block the control plane because Tailscale has endpoints listing all current control and DERP servers. On Linux you can use a SOCKS proxy for control plane traffic, if connections still work. Some firewalls are really restrictive.
I can understand the work network policy, someone could use Tailscale to leak data, but a residential ISP should not block it. I would rather bother their support for an incomplete service.
My residential ISP does not block it. My issue with work isn’t that they block it on employee WiFi, it’s that they block it on the guest network too. Our nanny software is rather extreme - blocks, for example, alcohol-related sites. Which in a sense is fine, because I don’t need to read up on whiskey at work, but it also often blocks restaurant sites.
I can understand the work network policy, someone could use Tailscale to leak data, but a residential ISP should not block it. I would rather bother their support for an incomplete service.