Funnel Not available - not set

I am trying to run

tailscale serve funnel on

on a FreeBSD machine with version 1.34.1. I get:

Funnel not available; "funnel" node attribute not set. See

But I have done this. Here is the end of my policy file:

	"nodeAttrs": [
		{
			// Funnel policy, which lets tailnet members control Funnel
			// for their own devices.
			// Learn more at
			"target": ["autogroup:members"],
			"attr":   ["funnel"],
		},
	],

What should I do to get past this issue?

I just went through this. I had to set up a group instead of autogroup.

	"groups": {
		"group:can-funnel": [ /* members not preserved in this copy of the post */ ],
	},

	"nodeAttrs": [
		{
			// Funnel policy, which lets tailnet members control Funnel
			// for their own devices.
			// Learn more at Tailscale Funnel · Tailscale
			"target": ["group:can-funnel"],
			"attr":   ["funnel"],
		},
	],

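An added example, not part of any post in this thread: a small Python audit that reads a policy file shaped like the snippets above (`groups`, and `nodeAttrs` entries with `target` and `attr`) and reports which targets carry the `funnel` attribute and which users the file lists for them. The sample policy, the user `alice@example.com` and `group:empty` are constructed for illustration; the comment and trailing-comma stripper is a minimal one written here, not Tailscale's own parser.

```python
import json

def strip_hujson(text):
    """Remove // and /* */ comments and trailing commas; string literals are copied untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                        # string literal: copy through the closing quote
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):      # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):      # block comment: skip past the terminator
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            if c in "}]":                   # drop a trailing comma before a closer
                k = len(out) - 1
                while k >= 0 and out[k].isspace():
                    k -= 1
                if k >= 0 and out[k] == ",":
                    del out[k]
            out.append(c)
            i += 1
    return "".join(out)

def funnel_grants(policy_text):
    """Map each nodeAttrs target that carries "funnel" to the users this file lists for it."""
    policy = json.loads(strip_hujson(policy_text))
    groups = policy.get("groups", {})
    grants = {}
    for rule in policy.get("nodeAttrs", []):
        if "funnel" not in rule.get("attr", []):
            continue
        for target in rule.get("target", []):
            if target.startswith("group:"):
                grants[target] = sorted(groups.get(target, []))  # [] means nobody is granted
            else:
                grants[target] = None       # not a group: membership is not listed in this file
    return grants

SAMPLE = """{  // constructed policy, not taken from the thread
  "groups": {"group:can-funnel": ["alice@example.com"], "group:empty": [],},
  "nodeAttrs": [
    {"target": ["group:can-funnel", "group:empty"], "attr": ["funnel"],},  /* trailing commas */
    {"target": ["autogroup:members"], "attr": ["funnel"]},
  ],
}"""

if __name__ == "__main__":
    for target, users in funnel_grants(SAMPLE).items():
        print(target, "->", "not expanded from this file" if users is None else users or "NO MEMBERS")
```

A group that is referenced by a `funnel` rule but has no members shows up as an empty list, which is worth checking both when Funnel is unexpectedly unavailable and when reviewing who is allowed to publish a node to the public internet.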

That worked. Thanks!

Great! One thing also, at least for internet-enabled sites, it took quite a bit longer than the 10 minutes for it to be up for me. Probably closer to 20-30 minutes.

So with these permissions, can you access the address that it gives you from any public IP without being on the Tailscale network? I’m not able to and I’m trying to figure out why and it seems like it only allows me to do it when signed in.

Edit: it should work fine. I just was not going to the HTTPS version. Sorry for the confusion.

This fixed it for me too. A small nudge to the docs would really help for this!

@muzicman0 Thank you for helping with this.

I am confused with the functionality of the funnel feature.
If I am not mistaken, it allows you to expose TCP services running on your tailnet nodes to the public Internet.

The problem is that when I finish all the setup process:

  1. Enable certs
  2. Add funnel to policy
  3. Enable funnel on a specific host

I end up with:

➜ tailscale serve status

# Funnel on:
#     - (Funnel on)
|-- / proxy

But resolves to a 100.x ip so that is not going to be available to the public Internet.

What am I missing?

How long did you wait? The last time I enabled Funnels, it took hours to work. I would give it quite a while. Also you should test on something that is not connected to your tailnet.

Thank you.

I gave it maybe a bit less than an hour.
So, what do you see after the DNS update? You see a public IPv4 instead of a private 100.x on that hostname?

I don’t remember for sure, it turned out that (at least currently), a funnel didn’t have enough bandwidth to handle what I needed to do. But it would have to be something reachable from the public internet.

You may want to look into Cloudflare’s tunnels. I have used them and they work quite well.

But I prefer to use Tailscale. This is still beta and I am happy to give feedback to the team so we bring this feature to a first class level.

Thank you @muzicman0.

That is what I am using now. I was looking for an alternative as a backup, just in case.