Tailscale is becoming less useful as network providers become hostile to it.
Last week I noticed McDonald's guest wifi is blocking new connections over the tailscale control ports. It will pass wireguard mesh traffic for established sessions, but their firewall rules prevent you from establishing new ones.
It was for that reason OpenVPN set up in SSL mode over TCP 443 was king, a few years ago most firewalls could not distinguish it from regular TLS encrypted web traffic. These days with application layer "next gen" firewalls though, a zealous network administrator can distinguish between the two and block just the VPN connection if they so choose.
Chinese V2Ray derivatives are indistinguishable from regular traffic and still penetrate the GFW, but get detected when used for domestic services, which is not advised. They work best for short-lived sessions in restrictive environments.
So connect over cellular or personal hotspot, then connect to WiFi to avoid burning your data. This is definitely becoming more common.
I discovered the workaround purely by accident, when I took my laptop to work (which is unusual; it's a personal device not used for work, but I needed to do some work on files that were on it). It was logged into my Tailscale when I last turned it on at the house, and I discovered that it reconnected fine as long as it didn't have to do the authentication over the work network.
Are they blocking the global tailscale IP addresses / host names for their DERP relays? Tailscale will tunnel over HTTPS if it can’t establish a UDP relay.
Any Wireguard-based solutions are quickly becoming useless in modern hostile networks due to the extreme simplicity of protocol detection. You need at least something like Shadowsocks (at minimum), or, more likely, XRay or VLESS, and build the mesh yourself.
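To make the "simplicity of protocol detection" claim concrete, and to show why a firewall can pass established sessions while refusing new ones (the behaviour described in the McDonald's comment above), here is an added example of the kind of classifier a network defender or IDS could run over UDP payloads. It is not code from Tailscale, WireGuard or any commenter. It assumes the public WireGuard wire format (1-byte type, 3 reserved zero bytes, fixed 148/92/64-byte handshake messages, transport packets of at least 32 bytes in 16-byte multiples); every packet and flow record below is constructed for the demonstration, not captured.

```python
"""Classify UDP payloads by WireGuard message type and count new-session attempts.

Added example (not Tailscale, WireGuard or any commenter's code). Assumes the
WireGuard wire format: a 1-byte type, 3 reserved zero bytes, then fixed-size
fields (148-byte handshake initiation, 92-byte response, 64-byte cookie reply,
>=32-byte transport data in 16-byte multiples). All packets are constructed.
"""
from collections import Counter
from typing import Iterable, Optional, Tuple

# Message type byte values from the WireGuard protocol description.
HANDSHAKE_INITIATION = 1
HANDSHAKE_RESPONSE = 2
COOKIE_REPLY = 3
TRANSPORT_DATA = 4

# Fixed on-the-wire lengths for the three handshake-phase messages.
FIXED_LENGTHS = {
    HANDSHAKE_INITIATION: 148,
    HANDSHAKE_RESPONSE: 92,
    COOKIE_REPLY: 64,
}
FIXED_NAMES = {
    HANDSHAKE_INITIATION: "handshake_initiation",
    HANDSHAKE_RESPONSE: "handshake_response",
    COOKIE_REPLY: "cookie_reply",
}
# Transport header (16 bytes) + 16-byte AEAD tag with an empty (keepalive) payload.
TRANSPORT_MIN_LENGTH = 32


def classify_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message kind, or None if the payload does not match.

    This is a pure byte-pattern check: no keys are needed, which is exactly why
    a plain firewall can single out handshake initiations (new sessions) and
    still let transport packets of already-established sessions through.
    """
    if len(payload) < 4:
        return None
    msg_type, reserved = payload[0], payload[1:4]
    if reserved != b"\x00\x00\x00":
        return None
    if msg_type in FIXED_LENGTHS:
        # Length mismatch means it is not a well-formed handshake message.
        return FIXED_NAMES[msg_type] if len(payload) == FIXED_LENGTHS[msg_type] else None
    if msg_type == TRANSPORT_DATA:
        # Plaintext is padded to a 16-byte multiple; header and tag are 16 bytes
        # each, so a valid transport packet length is always a multiple of 16.
        if len(payload) >= TRANSPORT_MIN_LENGTH and len(payload) % 16 == 0:
            return "transport_data"
    return None


FlowRecord = Tuple[str, str, bytes]  # (source, destination, UDP payload)


def count_session_attempts(flows: Iterable[FlowRecord]) -> Counter:
    """Count handshake initiations per (src, dst): each one is a new-session attempt."""
    attempts: Counter = Counter()
    for src, dst, payload in flows:
        if classify_wireguard(payload) == "handshake_initiation":
            attempts[(src, dst)] += 1
    return attempts


# Constructed sample payloads. Field contents are placeholder zero bytes; only
# the type byte, reserved bytes and total length matter to this classifier.
INIT = bytes([HANDSHAKE_INITIATION, 0, 0, 0]) + bytes(144)      # 148 bytes
RESP = bytes([HANDSHAKE_RESPONSE, 0, 0, 0]) + bytes(88)         # 92 bytes
KEEPALIVE = bytes([TRANSPORT_DATA, 0, 0, 0]) + bytes(28)        # 32 bytes
DATA = bytes([TRANSPORT_DATA, 0, 0, 0]) + bytes(12) + b"\x5a" * 48  # 64 bytes
TLS_RECORD = b"\x16\x03\x01\x00\x40" + b"\x01" * 64             # not WireGuard
WRONG_LEN = bytes([HANDSHAKE_INITIATION, 0, 0, 0]) + bytes(100)  # malformed

# Constructed flow records: a client on a guest network talking to a peer.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10:51820", INIT),
    ("203.0.113.10:51820", "10.0.0.5", RESP),
    ("10.0.0.5", "203.0.113.10:51820", KEEPALIVE),
    ("10.0.0.5", "203.0.113.10:51820", DATA),
    ("10.0.0.5", "203.0.113.10:51820", INIT),   # client retries the handshake
    ("10.0.0.5", "198.51.100.7:443", TLS_RECORD),
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {classify_wireguard(payload)}")
    print("new-session attempts:", dict(count_session_attempts(SAMPLE_FLOWS)))
```

The point for a defender is the asymmetry: the two packets that carry a new session (the 148-byte initiation and the 92-byte response) are trivially recognisable by type byte and length, while transport packets only reveal the same header pattern, so a policy that drops initiations and allows everything else produces precisely the "established sessions keep working, new ones never come up" symptom seen on the guest network. The length checks also keep random 0x01/0x04-prefixed traffic from matching, which is the main false-positive risk in a stateless rule like this.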