Doesn’t have to be an apple box either. A raspberry pi is what I’m using. I’m in the exact same situation, living in one country temporarily but citizen of another, and I have an exit point in my home country at my parents place on a raspberry pi. Basically any computer will work.
The advantage of the AppleTV is that it's basic consumer hardware that a lot of people have, that you can provide for them at a reasonably low cost if they don't, and that doesn't really require much in the way of tech skill for the person whose house it's in to keep it up to date. You don't even have to do anything to update versions - tvOS will do it automatically.
I can't find it right now but there was a post announcing the port to tvOS on their blog where a developer from the UK (but living in the US) talked about how it let him buy, configure, and ship a simple consumer box that uses little power and needs minimal hands-on maintenance to his parents' house as a replacement for a server he had been running in their house as a VPN endpoint for this sort of thing - so he could watch BBC, etc.
I wouldn't want to update a RPi that's in someone else's house on the other side of the ocean.
Android TV works great as well. I have it running on an old Chromecast that cost less than $50 new.
While I still prefer running a plain Wireguard VPN if possible (i.e. when there's a publicly reachable UDP port), the really big advantage of Tailscale over other solutions is that it has great NAT traversal, so it's possible to run a routing node behind all kinds of nasty topologies (CG-NAT, double NAT, restrictive firewalls etc.)
I have run into the firewall problems before. Even seen them that block authentication but -if already connected to the tailnet before joining the WiFi in question - will continue to pass data. OpenVPN would not connect and couldn’t handle the IP address switch.
At worst, I turn on phone hotspot, authenticate, then switch back to WiFi. A purely serendipitous discovery on my part, but a very welcome one.
Interesting, maybe they block the orchestration servers of Tailscale, but not the actual data plane (which is almost always P2P, i.e., it usually does not involve Tailscale servers/IPs at all)?
I'm sure they do, but the question is, why did OpenVPN fail? It's pure P2P. I've got a dynamic DNS through afraid.org, and that resolves on that network, so it's not just DNS-level blocking. I effectively have a static IP anyway; there's no CGNAT going on, so I've discovered that I misconfigured my DDNS once or twice only when afraid.org emailed to tell me that I hadn't updated in X months.
Were you using the semi-well-known port (1194)? Otherwise, maybe it's just more fingerprint-able, or whatever DPI the firewall uses hasn't caught up to Wireguard yet?
