Get started - it's free!
Log in
© 2025

Invalid packet filter

This topic explains a message that may appear in the Tailscale client and the actions you can take to address it. For a list of currently documented messages in the Tailscale admin console and client, refer to the main Messages topic.

Message displayed in the client

Invalid packet filter

The coordination server sent an invalid packet filter permitting traffic to unlocked nodes; rejecting all packets for safety

Reference ID

invalid-packet-filter

Why you're seeing this message

The coordination server is responsible for device discovery, authentication, key distribution, policy enforcement, and distributing network configurations to all devices in your tailnet.

This message can display when the coordination server has sent a packet filter configuration considered invalid or unsafe by the client.

Here are some reasons why this message might display:

  • There might be issues related to your tailnet policy file such as invalid values including ports, protocol strings, and CIDR details.
  • The same tailnet policy file tag is assigned to both Tailscale Funnel and an existing app connector.
  • The operating system reporting this error might have system-level packet filters enabled that conflict with the Tailscale client packet filtering. These platforms can include BSD variants, macOS with the Packet Filtering (pf) firewall enabled, and Linux using iptables or nftables.

What to do

Here are some things you can try to resolve this issue:

  • Restart your Tailscale client using the client UI, or run the CLI commands tailscale down followed by tailscale up.
  • Check your internet connection.
  • Wait a few minutes and restart the Tailscale client.
  • Verify that your tailnet policy file does not contain invalid rules and that Tailscale Funnel and app connectors are not assigned the same tag.
  • Check your firewall rules.

Additional information

Last updated Aug 1, 2025