You also don't need fail2ban, if the entire VM is behind a firewall that only allows the tailscale coordination traffic, nothing is going to reach the VM for fail2ban to work on.