Your router maps internal IPs to its public IP, tracking port assignments. Incoming packets without an existing mapping are dropped — this is why two NATted devices can't connect directly without help.
Both devices send UDP packets at the same time to each other's public IP:port. Each router sees an outbound connection and creates a mapping. When the other's packet arrives, the mapping exists — the hole is punched.
When hole punching fails (symmetric NAT), Tailscale falls back to DERP relay servers. Packets are encrypted end-to-end and forwarded through a public server. Slower, but always works.
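The three steps above (NAT mapping, simultaneous sends, relay fallback) can be traced in a small model. The code below is an added example, not Tailscale's code or DERP's protocol: it models a cone NAT (one public port per internal socket, inbound allowed only from addresses that socket has already sent to) and a symmetric NAT (a fresh public port per destination), a coordination server that reports each peer's observed public endpoint, and a relay reached through that same server address. All IPs, ports and the `Nat`/`Packet` names are constructed for the simulation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    payload: str


class Nat:
    """Minimal NAT model (constructed for illustration).

    cone=True:  endpoint-independent mapping, i.e. one public port per internal
                socket, with address/port-restricted filtering on the way in.
    symmetric:  a new public port for every (internal socket, destination) pair.
    """

    def __init__(self, public_ip: str, symmetric: bool = False):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.next_port = 40000
        self.by_key = {}   # mapping key -> public port
        self.table = {}    # public port -> (internal endpoint, set of remote endpoints allowed in)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating a mapping if none exists."""
        key = (pkt.src, pkt.dst) if self.symmetric else pkt.src
        port = self.by_key.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_key[key] = port
            self.table[port] = (pkt.src, set())
        # Remember who this socket talked to; only those may send back in.
        self.table[port][1].add(pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        """Deliver an inbound packet, or return None when it is dropped."""
        entry = self.table.get(pkt.dst[1])
        if entry is None or pkt.src not in entry[1]:
            return None  # no matching mapping: dropped at the router
        internal, _allowed = entry
        return Packet(pkt.src, internal, pkt.payload)


SERVER = ("203.0.113.10", 3478)   # constructed: coordination server, also acts as relay


def connect(symmetric_b: bool) -> str:
    """Run the hole-punch attempt and report how the peers ended up connected."""
    nat_a = Nat("198.51.100.1")
    nat_b = Nat("198.51.100.2", symmetric=symmetric_b)
    a = ("192.168.1.2", 5000)   # constructed internal endpoint behind nat_a
    b = ("10.0.0.7", 5000)      # constructed internal endpoint behind nat_b

    # Step 1: both peers contact the server, which sees their public endpoints.
    a_pub = nat_a.outbound(Packet(a, SERVER, "register")).src
    b_pub = nat_b.outbound(Packet(b, SERVER, "register")).src

    # Step 2: the server hands each peer the other's observed endpoint and both
    # send at the same time, so each router creates/extends a mapping.
    a_to_b = nat_a.outbound(Packet(a, b_pub, "punch"))
    b_to_a = nat_b.outbound(Packet(b, a_pub, "punch"))

    # Step 3: each packet reaches the opposite router. With a cone NAT on both
    # sides the mapping exists and the hole is punched. With a symmetric NAT,
    # b's punch left from a different public port than the server observed, so
    # a's packet hits a port that never talked to a, and b's packet arrives at
    # nat_a from a port nat_a never sent to: both are dropped.
    if nat_b.inbound(a_to_b) is not None and nat_a.inbound(b_to_a) is not None:
        return "direct"

    # Step 4: fallback. Both sides already hold a mapping to the server, so a
    # packet forwarded by the relay from the server's own address passes the
    # filter. The relay only forwards ciphertext; it is not modelled as able to
    # read the payload.
    relayed = nat_a.inbound(Packet(SERVER, a_pub, "relayed from b"))
    return "relay" if relayed is not None else "failed"


if __name__ == "__main__":
    print("cone <-> cone:     ", connect(symmetric_b=False))   # direct
    print("cone <-> symmetric:", connect(symmetric_b=True))    # relay
```

Running the script shows the cone/cone pair connecting directly and the cone/symmetric pair falling back to the relay. The `inbound` check is also where the first paragraph's rule lives: a fresh `Nat` drops any packet for which no mapping was created by prior outbound traffic.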