I have a staging environment in GCP as a separate project. Inside the project, I have a test VM where I can deploy components for testing against our internal services. Most of our services are deployed in northamerica-northeast1, but because I am working from the Netherlands, I've put my test VM in europe-west4. We're also using Tailscale to access VM instances in GCP from our local development machines, and so I would like to be able to connect to my test VM in europe-west4 from my dev box over Tailscale.
However, although I've set up the Tailscale gateway to have an approved route to the europe-west4 subnet, I'm unable to reach the test VM from my local machine. I've tried SSHing into the Tailscale gateway and pinging the test VM from there and that also fails, so it looks like Tailscale is probably not at fault here.
I've been digging through the Firewall rules we have for our network, and it seems like this connection should definitely be allowed. We have a default-allow-internal rule that allows ingress traffic from 10.128.0.0/9 to all instances (and we only have explicit Allow rules in our firewall). For good measure I also added an allow-tailnet rule that allows ingress from 100.64.0.0/10, but that doesn't seem to have helped (and, if I understand correctly, the CGNAT IPs should only be used inside the WireGuard IP paths anyway).
I've tried setting up a Connectivity Test from 10.162.0.18 (our Tailscale gateway) to my test VM, which gives me this result:
Any suggestions for what I might be missing? Would be much appreciated!
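The reasoning in the question ("the source is inside 10.128.0.0/9, so default-allow-internal should match") can be checked mechanically. The following is an added example, not code from the question or from GCP or Tailscale: it models GCP VPC ingress evaluation (rules sorted by priority, lowest number wins, implied deny-ingress at priority 65535, target tags restricting which instances a rule applies to) over a constructed copy of the two rules named above. The gateway address 10.162.0.18 and the two CIDRs come from the question; the tailnet client address, the external address, and allow-tailnet's priority of 1000 are assumptions. It goes slightly beyond the question by also handling deny rules and target tags, so the same function can be reused for other rule sets.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One ingress rule, modelled on the fields a GCP VPC firewall rule has."""
    name: str
    priority: int                    # 0-65535; lower number wins on conflict
    action: str                      # "allow" or "deny"
    source_ranges: list              # CIDR strings the rule matches on
    protocols: dict                  # {"tcp": [22], "icmp": []}; empty list = all ports
    target_tags: list = field(default_factory=list)  # empty = applies to every instance


def source_in_ranges(src_ip, ranges):
    """True if src_ip falls inside any of the CIDR ranges."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r, strict=False) for r in ranges)


def rule_matches(rule, src_ip, proto, port, instance_tags):
    """Does this rule apply to a packet from src_ip to an instance with instance_tags?"""
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    if not source_in_ranges(src_ip, rule.source_ranges):
        return False
    if proto not in rule.protocols:
        return False
    ports = rule.protocols[proto]
    # ICMP has no port; an empty port list means every port
    return port is None or not ports or port in ports


def evaluate_ingress(rules, src_ip, proto, port=None, instance_tags=()):
    """Return (action, rule_name) of the first matching rule in priority order.
    With no match, GCP's implied deny-ingress rule (priority 65535) applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, proto, port, instance_tags):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Constructed rule set mirroring the two rules named in the question.
# default-allow-internal is written the way GCP's default network ships it
# (priority 65534, all tcp/udp ports plus icmp); allow-tailnet's priority is assumed.
RULES = [
    Rule("default-allow-internal", 65534, "allow", ["10.128.0.0/9"],
         {"tcp": [], "udp": [], "icmp": []}),
    Rule("allow-tailnet", 1000, "allow", ["100.64.0.0/10"],
         {"tcp": [], "udp": [], "icmp": []}),
]

GATEWAY_IP = "10.162.0.18"          # the Tailscale gateway from the question
TAILNET_CLIENT = "100.100.100.100"  # constructed tailnet (CGNAT) address
INTERNET_IP = "203.0.113.7"         # constructed, RFC 5737 documentation range


def check_expected_paths(rules=RULES):
    """Evaluate the three kinds of source the question reasons about."""
    return {
        "gateway-icmp": evaluate_ingress(rules, GATEWAY_IP, "icmp"),
        "tailnet-ssh": evaluate_ingress(rules, TAILNET_CLIENT, "tcp", 22),
        "internet-ssh": evaluate_ingress(rules, INTERNET_IP, "tcp", 22),
    }


if __name__ == "__main__":
    for path, (action, rule) in check_expected_paths().items():
        print(f"{path:14s} -> {action:5s} (matched {rule})")
```

Two caveats when applying this to a real project: a VPC firewall rule belongs to one network and is evaluated on the destination VM's interface, so a match here only means anything if the gateway and the test VM are attached to that same network; and a Tailscale subnet router SNATs forwarded traffic to its own address by default, which is why the gateway's 10.162.0.18, not a 100.64.0.0/10 address, is the source that the destination's rules see.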