
With Tailscale on your server and endpoints you can access the server from anywhere without even having to open any ports. It is like magic.


If you don't open ports, how can it reach your internal services to allow you access to them?


By using a WireGuard tunnel and NAT traversal:

https://tailscale.com/blog/how-nat-traversal-works


Ah, by using their servers:

> How do we break the deadlock? That’s where STUN comes in. [...] In Tailscale, our coordination server and fleet of DERP (Detour Encrypted Routing Protocol) servers act as our side channel


Yes, NAT traversal is used widely. It is only needed at the start of the connection to get both firewalls to open ports. The encrypted WireGuard tunnel is point to point.


What I find crazy is that people describe "not self hosting" as a "like magic" solution to self hosting.


You can run your own DERP server if you really want to:

docker run -d --name derper -p 443:443 -p 3478:3478/udp \
  ghcr.io/tailscale/derper:latest



