I use tailscale with Orbstack so that my agents on the vm can use tailscale serve to share dashboards I can view on my phone. Works out nicely.
One thing I noticed though, is that even if I set up the VM as a tagged device with limited access rules, if my host machine (the laptop) is connected as my user (which has less limited permissions), the vm uses my host's user permissions, which isn't really what I want. If I disconnect tailscale on the mac and leave the vm tailscale connected it works as intended though - so that's something to look out for.
Also, if you're using orbstack as an agent sandbox, just be aware that they only recently added an option for true filesystem isolation, the default setup doesn't really sandbox effectively.
It sounds like you have tailscale set up in the container with userspace networking — which works smoothly for incoming traffic, but for outgoing traffic to use the container’s tailscale device it has to be routed through a proxy that tailscaled runs, otherwise it goes over the host’s network.
I haven’t tried with orbstack, but it is possible to set up containers to use tailscale with kernel networking by mounting /dev/net/tun into the container. With that setup outgoing traffic will automatically route to the tailnet as the container’s device (and you don’t need tailscale on the host at all).
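The two setups the reply contrasts, as an added docker-compose example (not code from either commenter, and written for the official tailscale/tailscale Docker image rather than OrbStack); the auth key, hostnames, proxy port and peer URL are placeholders:

```yaml
# Added example. Option A shows why outbound traffic from a userspace-networking
# container can carry the host's identity; Option B avoids the problem with
# kernel networking. Use a tagged auth key so the device gets its own ACL tags.
services:
  # Option A: userspace networking. Inbound traffic just works, but outbound
  # traffic only uses the container's own tailnet identity when it is sent
  # through the SOCKS5/HTTP proxy tailscaled exposes; anything not pointed at
  # the proxy leaves through the host's network stack instead.
  agent-userspace:
    image: tailscale/tailscale:latest
    hostname: agent-userspace                 # becomes the tailnet device name
    environment:
      TS_AUTHKEY: tskey-auth-PLACEHOLDER      # placeholder: tagged key from the admin console
      TS_USERSPACE: "true"
      TS_STATE_DIR: /var/lib/tailscale
      TS_SOCKS5_SERVER: "localhost:1055"                # SOCKS5 proxy for outbound tailnet traffic
      TS_OUTBOUND_HTTP_PROXY_LISTEN: "localhost:1055"   # same port also speaks HTTP CONNECT
    volumes:
      - ts-state-userspace:/var/lib/tailscale
  # The workload shares the agent's network namespace and must route its
  # outbound traffic through the proxy; socks5h makes the proxy resolve
  # MagicDNS names. Without ALL_PROXY the curl below bypasses the tailnet device.
  workload-userspace:
    image: curlimages/curl:latest
    network_mode: "service:agent-userspace"
    depends_on: [agent-userspace]
    environment:
      ALL_PROXY: socks5h://localhost:1055
    command: ["-sS", "http://peer-hostname.example.ts.net/"]   # placeholder peer

  # Option B: kernel networking. Mounting /dev/net/tun and granting NET_ADMIN
  # lets tailscaled create a real interface in the container's own network
  # namespace, so every outbound tailnet connection uses the container's
  # identity with no proxy and no tailscale on the host.
  agent-kernel:
    image: tailscale/tailscale:latest
    hostname: agent-kernel
    cap_add: [NET_ADMIN]
    devices: ["/dev/net/tun:/dev/net/tun"]
    environment:
      TS_AUTHKEY: tskey-auth-PLACEHOLDER      # placeholder: tagged key from the admin console
      TS_STATE_DIR: /var/lib/tailscale
    volumes:
      - ts-state-kernel:/var/lib/tailscale
  workload-kernel:
    image: curlimages/curl:latest
    network_mode: "service:agent-kernel"
    depends_on: [agent-kernel]
    command: ["-sS", "http://peer-hostname.example.ts.net/"]   # placeholder peer

volumes:
  ts-state-userspace:
  ts-state-kernel:
```

To confirm which identity a request actually arrives with, check `tailscale status` inside each agent container and compare the source device the peer sees against the tagged device's ACL rules.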