Literally one block away:
Use wireshark and listen on your ethernet interface. When you use tailscale, are the packets coming in/out from the tailscale server IP or the VPN ip? Check through the ip route routing table and figure out which pathway a packet will take in each use case. Might need to add a route exception specifically for the tailscale server IP to go out on the ethernet device.
sacrifice the luxury of convenience and being able to get doordash whenever you want
Not necessary. I live in Manhattan and the street canyons are full of doordasher ebikes, and grocery store aisles are jammed with instacarter trailer carts which they then hitch up to more ebikes.
otherwise empty bike lane
Over here in New York, everyone got an e-bike and now we get bike jams in the bike lane during commute hour. Dunno how I should feel about it. Aladeen? :(: Still faster than a car for sure.
PostUp = ip route add 100.64.0.0/10 dev tailscale0
Looks like you need to stick this line in the tailscale service file, since it’s the only time that the existence of the tailscale0 device is guaranteed. If you don’t want to modify the service file inside the package, could you write your own systemd service file and include the tailscale service as a prerequisite?
Also make sure that when you start the VPN first and then tailscale, you don’t get a double tunnel situation where tailscale goes out through the VPN (unless that’s what you wanted).
That allows sending packets inside the VPN tunnel, but the outer envelope packets still need to be able to reach the VPN server.
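The "which pathway will a packet take" check from the earlier comment, and the double-tunnel concern just above, can both be worked through offline against a copy of the routing table. The following is an added example, not code from any commenter or from Tailscale or WireGuard: it parses a constructed `ip route show` listing (the device names wg0, eth0 and tailscale0, the 192.0.2.x/198.51.100.7/203.0.113.x addresses and the metrics are all made up for illustration) and does a longest-prefix lookup with metric tie-breaking, which is the decision the kernel makes for a given destination. It then asks the specific question raised above: would the VPN server's own outer packets be routed back into the VPN device, i.e. a tunnel that eats its own envelope.

```python
import ipaddress

# Constructed sample of `ip route show` output (not captured from a real host).
# It models: a VPN (wg0) that has taken over the default route, the physical
# uplink on eth0 with a higher metric, Tailscale's CGNAT range on tailscale0,
# and a host route exception so the hypothetical VPN server 198.51.100.7 is
# reached via eth0 rather than through the tunnel itself.
SAMPLE_ROUTES = """\
default dev wg0 scope link
default via 192.0.2.1 dev eth0 proto dhcp metric 100
100.64.0.0/10 dev tailscale0 scope link
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.7 via 192.0.2.1 dev eth0
"""

# Same table with the exception route removed, i.e. what you get if you
# forget the "route exception for the server IP" step.
ROUTES_WITHOUT_EXCEPTION = "\n".join(SAMPLE_ROUTES.splitlines()[:-1]) + "\n"


def parse_routes(text):
    """Turn `ip route show` lines into (network, device, metric, raw_line) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric, line))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins,
    mirroring the kernel's route selection. Returns the egress device."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def egress_device(route_text, dst):
    """Convenience wrapper: which interface would a packet to dst leave on?"""
    return lookup(parse_routes(route_text), dst)


def double_tunnel(route_text, vpn_server, vpn_dev):
    """True if the VPN server's outer packets would be routed into the VPN
    device itself, which means the tunnel can never come up cleanly."""
    return egress_device(route_text, vpn_server) == vpn_dev


if __name__ == "__main__":
    for dst in ("100.101.102.103", "198.51.100.7", "203.0.113.5", "192.0.2.5"):
        print(f"{dst:>16} -> {egress_device(SAMPLE_ROUTES, dst)}")
    print("double tunnel with exception route:   ",
          double_tunnel(SAMPLE_ROUTES, "198.51.100.7", "wg0"))
    print("double tunnel without exception route:",
          double_tunnel(ROUTES_WITHOUT_EXCEPTION, "198.51.100.7", "wg0"))
```

On a real machine, `ip route get <addr>` gives the same answer for one destination, but feeding the script the output of `ip route show` lets you check every case (Tailscale peer, VPN server, ordinary internet host) in one pass before changing anything. Note that wg-quick usually installs its catch-all via policy routing (`ip rule` plus a separate table) rather than a plain `default` entry in the main table, so on such a host you would also need to look at `ip rule show` to get the full picture.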
sudo ufw default deny outgoing
I’m guessing this would block the VPN packets themselves as well.