This won’t work, your wan ip isn’t dynamic, it’s on the ISP NAT network and your resulting ip to public services is shared across many customers. CG-NAT.

I don’t know where you work but don’t access your tailnet from a work device and ideally not their network.

Speaking to roku, you could buy a cheap raspberri pi and usb network port. One port to the network the other to roku. The pi can have a tailscale advertised network to the roku, and the roku probably needs nothing since everything is upstream including private tailscale 100.x.y.z networks which will be captured by your device in the middle raspberri pi.

I guess that’d cost like 40 ish dollars one time.

They could be, but I assume say like an apple device won’t install a ccp root authority unconditionally. Huawei and xiamoi probably could be forced, but the browser too, like Chrome, Firefox and safari need to also accept the device certificates as trusted.

But the pressure in Europe would likely be to trade within Europe, you must comply.

It fundamentally destroys the whole trust of PKI if this did go ahead. We just need to hope it does not.

If your browser and device has a state sponsored CA certificate it’s not trivial to bypass. Transparently all certificate traffic could be intercepted by an ISP. Look at Europe already trying. Once someone malicious (to you) is a trusted certificate issuer you no longer can verify either the destination nor the privacy of the content.

Ssl based vpns are also decrypted. And vpns which use public key for identification would no longer be trusted.

https://www.itnews.com.au/news/eu-row-over-certificate-authority-mandates-continues-ahead-of-rule-change-602062

A country for example could enact their mandatory certificate authority that they control. Then have ISPs who are in the middle use what was mandatory a trusted CA to act as the certificate issuer for a proxy. This already exists in enterprise, a router or proxy appliance is a mitm to inspect ssl traffic intercepting connections to a website say Google, but instead terminates that connection on itself, and creates a new connection to Google from itself. Since the Google certificate on the client side would be trusted from the proxy, all data would be decrypted on the proxy. to proxy data back to clients without a browser certificate trust issue, they use that already mandated CA that they control to create new certificates for the sites they’re proxying the proxy reencrypts it back to the client with a trusted certificate and browsers accept them.

It’s actually less than theoretical, it’s literally been proposed in Europe. This method is robust and is already what happens in practice in enterprise organisations on company devices with the organisations CA certificate (installed onto organisation computers by policy or at build time). I’ve deployed and maintained this setup on barracuda firewalls, Fortigate firewalls and now Palo alto firewalls.

https://www.itnews.com.au/news/eu-row-over-certificate-authority-mandates-continues-ahead-of-rule-change-602062