Kubeadm HA setup behind VPN

I’ve been trying to set up an HA Kubernetes cluster behind a VPN for days.

It works with one master and two workers, but I fail to add an additional master.
The kubeadm join command for the second master fails with:

I1028 14:43:11.117358   20750 etcd.go:468] Failed to get etcd status for https://PUBLIC-IP:2379: failed to dial endpoint https://PUBLIC-IP:2379 with maintenance client: context deadline exceeded

It is supposed to use the private IP here, but it should also be able to reach the public IP.
I noticed that using node-ip is insufficient, since etcd chooses to use the public IP automatically. There is a GitHub comment describing this: Adding etcd member failed when join control plane · Issue #2036 · kubernetes/kubeadm · GitHub

As described there, I tried to run the join in phases and patch etcd, but the changes get overwritten, and running the etcd phase alone also gives me the following error:

I1028 16:21:57.148920   89410 token.go:215] [discovery] Failed to request cluster-info, will try again: configmaps "cluster-info" is forbidden: User "system:anonymous" cannot get resource "configmaps" in API group "" in the namespace "kube-public"

Any help on this issue is much appreciated!

Cluster information:

Kubernetes version: 1.21.4
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Ubuntu 20.04
CNI and version: Weave 1.16
CRI and version: CRI-O 1.21.3
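The configuration and the post-join check a practitioner would want here, as an added example that is not part of the post above and not kubeadm's own code: a kubeadm v1beta2 JoinConfiguration (the API version current for Kubernetes 1.21) for the second control plane that sets `controlPlane.localAPIEndpoint.advertiseAddress` to the node's VPN address, because that is the address kubeadm writes into the new etcd member's peer and client URLs, while the kubelet `node-ip` flag only affects the kubelet; plus a small audit of `etcdctl member list` output that flags members advertising peer URLs outside the VPN range. The addresses (10.8.0.0/24 as the VPN range, 203.0.113.20 as a public address), the token, the hashes and the CRI-O socket path are placeholders, and the member list is constructed, not captured from a cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Renders a JoinConfiguration that
# pins the etcd peer/client address and the kubelet node-ip to the VPN address,
# and audits `etcdctl member list` output for members that still advertise a
# peer URL outside the VPN subnet. All IPs, tokens and hashes are placeholders.
set -eu

# Print a JoinConfiguration for an additional control plane.
#   $1 VPN/private IP of this node
#   $2 control-plane endpoint (host:port), reachable over the VPN
#   $3 bootstrap token            $4 sha256 hash of the CA certificate
#   $5 certificate key from `kubeadm init phase upload-certs --upload-certs`
render_join_config() {
  local vpn_ip=$1 endpoint=$2 token=$3 ca_hash=$4 cert_key=$5
  cat <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
discovery:
  bootstrapToken:
    apiServerEndpoint: ${endpoint}
    token: ${token}
    caCertHashes:
      - sha256:${ca_hash}
controlPlane:
  certificateKey: ${cert_key}
  localAPIEndpoint:
    advertiseAddress: ${vpn_ip}   # kubeadm derives the etcd peer/client URLs from this
    bindPort: 6443
nodeRegistration:
  criSocket: /var/run/crio/crio.sock   # assumed CRI-O socket path
  kubeletExtraArgs:
    node-ip: ${vpn_ip}   # kubelet only; has no effect on etcd
EOF
}

# Read `etcdctl member list` simple output on stdin
# (id, status, name, peerURLs, clientURLs, isLearner, separated by ", ")
# and print the names of members whose peer URL does not start with the
# given prefix, e.g. "https://10.8.0.". Exit status 1 if any were found.
peers_outside_vpn() {
  local prefix=$1
  awk -F', ' -v p="$prefix" \
    'NF >= 4 && index($4, p) != 1 { print $3; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Constructed member list (placeholder data): master2 advertises a public IP.
SAMPLE_MEMBER_LIST='1a2b3c4d5e6f7a8b, started, master1, https://10.8.0.1:2380, https://10.8.0.1:2379, false
9f8e7d6c5b4a3928, started, master2, https://203.0.113.20:2380, https://203.0.113.20:2379, false'

# Stand-alone demo: render the config (feed it to `kubeadm join --config join.yaml`
# on the joining node) and run the audit over the constructed sample.
render_join_config 10.8.0.2 10.8.0.1:6443 abcdef.0123456789abcdef 0123abcd 4567ef01
printf '%s\n' "$SAMPLE_MEMBER_LIST" | peers_outside_vpn 'https://10.8.0.' \
  || echo "members listed above advertise peer URLs outside the VPN"
```

Caveat: kubeadm learns the etcd endpoints to dial from the existing control planes' advertise addresses, so a joiner can only be pointed at the VPN address if the first master was itself initialised with its VPN address as the advertise address (`kubeadm init --apiserver-advertise-address <vpn-ip>` or the equivalent `localAPIEndpoint.advertiseAddress` in its InitConfiguration); if the existing member still advertises the public address, the join will keep dialling `https://PUBLIC-IP:2379` exactly as in the error above. Ports 2379 and 2380 must be open between the control planes over the VPN, and `controlPlaneEndpoint` should resolve to an address on the VPN.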