
I assume they only bind to the IP of the WireGuard interface


(Tailscale employee who worked on this)

As patrakov said above, we don't bind at all with the OS kernel. The packets come in, are WireGuard-decrypted (in userspace) and then TCP/IP is also done in userspace (gvisor) before Tailscale SSH takes over, handling the connection (~net.Conn) from gvisor.
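The handoff described in the comment above, as an added Go example that is not Tailscale's or gvisor's code: a hypothetical `connListener` stands in for the adapter that turns streams reassembled by a userspace TCP/IP stack into `net.Conn` values, and a toy line-echo handler stands in for the SSH server. The point it shows is that the server side only ever consumes a `net.Conn` it was handed; nothing here asks the kernel to bind or listen on a port, so a host-level port scan or `ss -ltn` would not show the service. The client side uses `net.Pipe` as a constructed stand-in for a decrypted, reassembled stream.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"sync"
)

// userspaceAddr is a placeholder address: there is no kernel socket behind it.
type userspaceAddr struct{}

func (userspaceAddr) Network() string { return "userspace" }
func (userspaceAddr) String() string  { return "userspace-stack" }

// connListener is a hypothetical stand-in for the adapter between a userspace
// TCP/IP stack and a server that only wants net.Conn values. It never calls
// the kernel's bind/listen; connections are pushed in via Deliver.
type connListener struct {
	conns chan net.Conn
	done  chan struct{}
	once  sync.Once
}

func newConnListener() *connListener {
	return &connListener{conns: make(chan net.Conn), done: make(chan struct{})}
}

// Accept blocks until the userspace stack delivers a connection or Close is called.
func (l *connListener) Accept() (net.Conn, error) {
	select {
	case c := <-l.conns:
		return c, nil
	case <-l.done:
		return nil, net.ErrClosed
	}
}

func (l *connListener) Close() error {
	l.once.Do(func() { close(l.done) })
	return nil
}

func (l *connListener) Addr() net.Addr { return userspaceAddr{} }

// Deliver is what the userspace stack would call once it has a fully
// reassembled TCP stream; after Close, delivered conns are simply dropped.
func (l *connListener) Deliver(c net.Conn) {
	select {
	case l.conns <- c:
	case <-l.done:
		c.Close()
	}
}

// handleConn is a toy protocol in place of SSH: read one line, echo it back.
func handleConn(c net.Conn) {
	defer c.Close()
	line, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return
	}
	fmt.Fprintf(c, "echo: %s", line)
}

// roundTrip wires the pieces together: a server goroutine accepting from the
// userspace listener, and a constructed in-memory stream delivered to it.
func roundTrip(msg string) (string, error) {
	ln := newConnListener()
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go handleConn(c)
		}
	}()

	// net.Pipe stands in for the decrypted stream the userspace stack produced.
	client, server := net.Pipe()
	defer client.Close()
	ln.Deliver(server)

	if _, err := fmt.Fprintf(client, "%s\n", msg); err != nil {
		return "", err
	}
	reply, err := bufio.NewReader(client).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(reply), nil
}

func main() {
	reply, err := roundTrip("hello")
	if err != nil {
		panic(err)
	}
	fmt.Println(reply, "via", newConnListener().Addr())
}
```

The design choice to notice is that the listener's `Addr()` is not a kernel address at all: whatever mediates access (the WireGuard peer identity, in Tailscale's case) has to be enforced before `Deliver` is called, because the kernel's usual listening-port visibility and firewall hooks are bypassed on this path.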


Good to know! The wording doesn't really make this clear at all to me honestly; "take over" doesn't really seem like a well-defined term to me, but it sounds pretty "complete" in terms of owning it fully. As mentioned in a sibling comment, the part of the sentence after that reads to me like an explanation of why rather than additional technical details of what's actually being done, but obviously I'm only a sample size of one, so maybe this is more clear to the average reader than it was to me.
