If you consider devices behind a NAT to have a public IP than yes it needs a public IP. Really, it needs to just be routable to the internet. Tailscale handles the NAT busting and p2p handshake, while the nodes directly talk to each other (over WireGuard)
