Is it possible to proxyjump into the tailscale network from outside the network, such as from the local library or university computer? Something like:
ssh -J user@bastion user@tailscale-ip
Or:
ssh -A -t user@bastion ssh -A -t user@tailscale-ip
If your bastion is connected to the tailnet, both work as expected because in both cases the port forward is done on the jump host which has tailnet routes. Port-forwarding would work as well if you were trying to forward a port to a tailnet node instead of SSH. Depending on your circumstances, it may be easier to just use Tailscale SSH and open a shell via the admin web interface.