Learned today that by default a Monero node will only expose the 18081 port to localhost, despite output from nmap and netstat displaying 0.0.0.0, and checking device-level and network-level firewall rules. nmap from other devices even in the same subnet was telling me the port was closed, which was my hint.
Credit to this post for giving me the solution - I knew how to create an SSH tunnel, but I hadn’t figured out that it was only exposing the port to localhost yet. (Bonus - it gave me the -N option for ssh -L which I didn’t already know about.)
This can be solved by creating an SSH tunnel from your end-device containing your wallet file to the Monero node on your local network (or via Tailscale VPN).
# Open a remote connection mapping port 18081 to the same port on your end-device
ssh -N -L 18081:localhost:18081 user@ip
# Open your XMR wallet as normal
monero-wallet-cli --wallet-file ./wallet
EOF