Access postgres on VPS securely with Tailscale

I have an Ubuntu 20.04 Focal VPS (Digital Ocean/DO if it matters) which is part of my Tailscale net. Everything is working fine – I can ssh in even though the DO GUI firewall does not have an explicit rule to allow ssh. I do have a GUI firewall rule to publicly allow 443/ssl because the VPS has an https public-facing website. That works fine also.

Now I would like to /securely/ access a Postgres database (port 5432) on this same DO VPS from my Windows home machine (also in my Tailscale net and working fine). I’ll be using a DataGrid client if that matters, which wants a port and a host for a Postgres TCP connection. How do I do this with Tailscale?

I believe I need to, on the VPS, enable ufw and open up port 5432, but ONLY on the tailscale0 interface. (The DO GUI firewall is network-based and I can’t specify an interface for a rule there).
Do I have to specify an alternate proto like udp? Should I specify a port other than 5432, maybe 41641 or 3478?

After making ufw active, I have done this:
ufw allow in on tailscale0 to any port 5432

In my Postgres pg_hba.conf, I do this:
host all all 100.64.0.0/10 trust
to allow in connections from Tailscale.

EDIT: I have also done this in postgresql.conf and restarted postgres:
listen_addresses = 'localhost,foo'
Where “foo” is the Tailscale machine name.

But the DataGrid client can’t connect and times out when Tailscale is connected and I try to connect to port 5432 on the VPS. I suppose I could use some sort of ssh tunnel from home, but Tailscale precludes the need for that, right?

Can anyone offer assistance? Any help appreciated.

cheers
dbaman
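Added here as an example, not code from the poster: a small POSIX shell audit script that checks the two PostgreSQL settings quoted in the question (listen_addresses and the pg_hba.conf rule for 100.64.0.0/10) and rewrites the `trust` rule, which grants access with no authentication at all, to `scram-sha-256`. It works on constructed copies of the config files written to a temp directory; the hostname `foo` and the 100.64.0.0/10 range are taken from the post.

```shell
#!/bin/sh
# Added audit helper, not from the original post. It inspects PostgreSQL
# config for Tailscale-only access: which addresses postgres listens on and
# whether pg_hba.conf grants the Tailscale range (100.64.0.0/10) access with
# "trust", which skips authentication entirely. Config files are constructed
# samples written to a temp dir, not the live /etc/postgresql files.
set -eu
WORK="${TMPDIR:-/tmp}/pg-tailscale-audit.$$"
mkdir -p "$WORK"

# Constructed sample mirroring the settings quoted in the post.
cat > "$WORK/postgresql.conf" <<'EOF'
#listen_addresses = 'localhost'
listen_addresses = 'localhost,foo'
port = 5432
EOF

cat > "$WORK/pg_hba.conf" <<'EOF'
local   all   all                    peer
host    all   all   127.0.0.1/32     scram-sha-256
host    all   all   100.64.0.0/10    trust
EOF

# Effective listen_addresses value (last uncommented assignment wins).
listen_addresses() {
  sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# True if $2 (hostname or IP) appears in the listen_addresses list of $1.
listens_on() {
  listen_addresses "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qx "$2"
}

# Number of "host" rules in pg_hba.conf $1 that use the trust method.
count_trust_rules() {
  grep -Ec '^[[:space:]]*host[[:space:]].*[[:space:]]trust[[:space:]]*$' "$1" || true
}

# Copy pg_hba.conf $1 to $2 with trust on the Tailscale range replaced by
# scram-sha-256 (hashed password auth); reload postgres after applying it.
harden_hba() {
  sed -E 's|^([[:space:]]*host[[:space:]]+.*100\.64\.0\.0/10[[:space:]]+)trust[[:space:]]*$|\1scram-sha-256|' "$1" > "$2"
}

echo "listen_addresses: $(listen_addresses "$WORK/postgresql.conf")"
echo "trust rules before: $(count_trust_rules "$WORK/pg_hba.conf")"
harden_hba "$WORK/pg_hba.conf" "$WORK/pg_hba.hardened"
echo "trust rules after:  $(count_trust_rules "$WORK/pg_hba.hardened")"
# Firewall side stays as in the post: ufw allow in on tailscale0 to any port 5432
```

Point the script's two `cat` samples at the real files on the VPS to audit the live configuration; the hardened file still needs a matching password set for the role before switching from `trust`.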