Is it possible to ProxyJump into the Tailscale network from outside the network, such as from the local library or a university computer? Something like:
ssh -J user@bastion user@tailscale-ip
Or:
ssh -A -t user@bastion ssh -A -t user@tailscale-ip
If your bastion is connected to the tailnet, both work as expected, because in both cases the port forward is done on the jump host, which has tailnet routes. Port-forwarding would work as well if you were trying to forward a port to a tailnet node instead of SSH. Depending on your circumstances, it may be easier to just use Tailscale SSH and open a shell via the admin web interface.
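The two cases from the answer (SSH through the bastion, and a plain port forward to a tailnet node) written as an OpenSSH client config. This is an added example, not part of the original posts; the host aliases, bastion.example.com, the 100.64.0.10 address and the port numbers are constructed placeholders.

```sshconfig
# Constructed example: aliases, names, addresses and ports are placeholders.

# Publicly reachable jump host that is also joined to the tailnet.
Host bastion
    HostName bastion.example.com
    User user
    # ProxyJump authenticates to the target from the client through the
    # tunnel, so the agent does not have to be forwarded to the bastion.
    ForwardAgent no

# Equivalent to: ssh -J user@bastion user@100.64.0.10
# The bastion opens the TCP connection to the tailnet address, so only the
# bastion needs tailnet routes; the client machine does not run Tailscale.
Host tailnet-node
    HostName 100.64.0.10
    User user
    ProxyJump bastion
    ForwardAgent no

# Port-forward case: a local port is forwarded to a service on a tailnet
# node. The destination is resolved and connected from the bastion.
# Binding to 127.0.0.1 keeps the listener off a shared machine's network.
Host bastion-fwd
    HostName bastion.example.com
    User user
    ForwardAgent no
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:8080 100.64.0.10:80
```

Both cases depend on the bastion's sshd permitting TCP forwarding (`AllowTcpForwarding`); `ssh -G tailnet-node` prints the effective client options without connecting.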