@jasiu82 So when you say you run "all traffic on NordVPN from the pf4100", how do you achieve that?
If there is a way for applications and users to bypass your VPN out to the internet, then yes it makes sense that your Tailscale connections go directly to your public IP instead.
You need to have policy routing that routes any and all traffic via your NordVPN tunnel... Then the way it should work is that the Tailscale subnet router finds its way out via NordVPN as well, and the connection from your phone will then be coming in that way as well, a tunnel within a tunnel.
From a privacy standpoint I suppose it really doesn't matter since it's you that initiates a point-to-point connection to your own network. So the fact that it goes to your IP directly doesn't matter since it is fully encrypted and there is no way for anyone to even know what's going on inside...