I’ve had this happen to me as well on various Ubuntu systems that I use as exit nodes.[1]
I like to allow Ubuntu to patch automatically and even automatically reboot, i.e. “[reboot required] unattended-upgrades”. The problem I ran into was that even after the patched host rebooted I would have to use console or out-of-band access to restart sshd.[2]
The reason sshd would fail to start is that the address from tailscale wasn’t ready for sshd to bind to – and I’d have to manually restart sshd and then access was restored as expected.
My workaround has been to allow sshd to bind to a nonlocal address in the event that tailscale isn’t established before sshd tries to bind to the tailscale address.[3]
$ grep -v \# /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.ip_nonlocal_bind = 1
[1] Enable IP forwarding on Linux · Tailscale
[2] see above for /kb/1009/protect-ssh-servers/ (this forum only allows two URLs for new users)
[3] ip_nonlocal_bind | sysctl-explorer.net
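
A pre-reboot check for the failure described in the post, as an added example that is not part of the original post: it lists the sshd ListenAddress entries that bind() would reject while the Tailscale address is not yet assigned. The sample config, the addresses and the function names are constructed; the check also covers net.ipv6.ip_nonlocal_bind, which is a separate sysctl from the IPv4 one shown above.

```python
import ipaddress

# Constructed sample input: an sshd_config that pins sshd to tailnet addresses.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
ListenAddress 100.64.0.10
ListenAddress [fd7a:115c:a1e0::10]:2222
ListenAddress 127.0.0.1:22
"""


def listen_addresses(config_text):
    """Yield the IP of every ListenAddress line (port and rdomain dropped)."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].lower() != "listenaddress":
            continue
        host = fields[1]
        if host.startswith("["):                  # [v6]:port or [v6]
            host = host[1:host.index("]")]
        elif host.count(":") == 1:                # v4:port
            host = host.split(":")[0]
        try:
            yield ipaddress.ip_address(host)
        except ValueError:
            continue                              # hostname: not checked here


def bind_failures(config_text, assigned, sysctls):
    """Return ListenAddress IPs that bind() would reject right now.

    assigned: addresses currently on any interface (e.g. from `ip -o addr`).
    sysctls:  dict of sysctl name -> int, as read from /proc/sys.
    """
    assigned = {ipaddress.ip_address(a) for a in assigned}
    key = {4: "net.ipv4.ip_nonlocal_bind", 6: "net.ipv6.ip_nonlocal_bind"}
    failures = []
    for ip in listen_addresses(config_text):
        if ip.is_unspecified or ip in assigned:   # wildcard or already present
            continue
        if sysctls.get(key[ip.version], 0) != 1:  # per-family sysctl not set
            failures.append(str(ip))
    return failures
```

Both sysctls are system-wide, so setting them lets every process on the host bind to addresses it does not hold, not just sshd.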