Hello Bitdefender Support Team,
I am reporting a reproducible incompatibility between Bitdefender Firewall on Windows and Tailscale, and I would appreciate guidance on whether this is expected behaviour, a misconfiguration on my side, or a known limitation.
Summary of the issue
When Bitdefender Firewall is enabled, TCP traffic over a Tailscale virtual network adapter consistently fails (timeouts), even though ICMP and UDP traffic work and even though explicit application- and port-based allow rules are configured. Disabling only the Bitdefender Firewall immediately resolves the issue.
Environment
- Windows 11 (64-bit)
- Bitdefender (current consumer version, Firewall enabled)
- Tailscale (latest stable Windows client)
- Remote peer: Linux (Raspberry Pi), confirmed reachable and accepting connections
Observed behaviour
- ping <tailscale-ip> works intermittently or initially
- UDP traffic (Tailscale peer-to-peer) works
- TCP connections (e.g. SSH on port 22, HTTPS on port 443) time out
- Test-NetConnection <tailscale-ip> -Port 22/443 fails with TcpTestSucceeded : False
- As soon as Bitdefender Firewall is disabled (all other protections left enabled), TCP connections work immediately
Verification on the remote host
On the Linux peer, I verified that:
- The services are listening on 0.0.0.0 and on the Tailscale IP
- Local connections to the Tailscale IP succeed
- Firewall rules on the Linux side explicitly allow traffic on the Tailscale interface
This strongly suggests the traffic is being blocked on the Windows side.
Configuration steps I attempted in Bitdefender
I followed common guidance (including Bitdefender community advice) and tried the following:
1. Firewall application allow rules
- Added tailscale.exe and tailscaled.exe as Allowed applications
- Network type: Any / Private / Trusted
- Protocol: Any
2. Explicit firewall port rules
I added explicit Allow rules (both outbound and, in some cases, both directions) for:
- UDP 41641 (Tailscale peer-to-peer)
- UDP 3478 (STUN/NAT traversal)
- TCP 443 (HTTPS over Tailscale)
- TCP 22 (SSH over Tailscale)
- (Optionally) TCP 139 and 445 for SMB
I am not fully certain whether Bitdefender expects these to be outbound-only or both directions, but I tested both configurations with no change in behaviour.
3. “System” traffic
I also created rules for the built-in System application (rather than only tailscale.exe), as TCP traffic appears to be system-owned.
4. Advanced Threat Defense
- Added an Advanced Threat Defense exception for tailscaled.exe
5. HTTPS inspection
- Kept Encrypted Web Scan enabled globally
- Added exceptions for:
  - *.ts.net
  - the specific Tailscale hostname
  - the Tailscale CGNAT range 100.64.0.0/10
6. Network profile
- Confirmed that the Tailscale adapter is marked as Private in Windows
- Confirmed that Bitdefender sees the Tailscale network as Private / Trusted
7. Restarts
- Restarted the Tailscale service
- Restarted Bitdefender Firewall
- Rebooted Windows
None of the above resolved the issue.
Conclusion / question
At this point, the only configuration that works reliably is:
- Bitdefender Firewall disabled
- All other Bitdefender protection layers enabled
- Windows Defender Firewall handling network filtering instead
My questions are:
- Is Bitdefender Firewall known to block TCP traffic on VPN-style virtual adapters (such as Tailscale) at a driver level, regardless of rules?
- Is there a supported way to fully trust or exclude a virtual adapter from Firewall inspection?
- Are there specific rule semantics (direction, “System” vs application, adapter binding) that I may have misunderstood?
I am happy to provide logs or additional diagnostics if useful. My goal is not to bypass security, but to make Bitdefender Firewall work correctly with modern mesh VPNs like Tailscale. Not least because I now have a Bitdefender subscription until 2027 and am keen to stick it out with Bitdefender.
Thank you very much for your help.
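The Windows-side checks described in the report (adapter profile, ICMP versus TCP reachability, and which firewall rules are attached to the Tailscale binaries) collected into one script. This is an added diagnostic example, not code from the support request, from Bitdefender or from Tailscale. It assumes the Tailscale adapter's interface description contains "Tailscale", and the `$Peer` default is a placeholder to be replaced with the Linux host's real Tailscale IP. Bitdefender's own rule set is not exposed through the NetSecurity cmdlets, so the last step only documents the Windows Defender Firewall side; an empty result there says nothing about Bitdefender's rules.

```powershell
# Added diagnostic script (not part of the original report; not Bitdefender's or Tailscale's code).
# Assumptions: the Tailscale adapter's InterfaceDescription contains "Tailscale";
# $Peer is a placeholder to replace with the peer's real Tailscale IP.
param(
    [string]$Peer  = '100.x.y.z',   # placeholder, replace with the Linux peer's Tailscale IP
    [int[]] $Ports = @(22, 443)     # the ports the report says time out
)

# 1. Locate the Tailscale adapter, its Windows network profile and its local IPv4 address.
$adapter = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like '*Tailscale*' } |
    Select-Object -First 1
if (-not $adapter) { Write-Warning 'No Tailscale adapter found'; return }

$profile = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex
$localIp = (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).IPAddress
"Adapter  : $($adapter.Name) ($($adapter.Status))"
"Profile  : $($profile.NetworkCategory)"   # should read Private, as the report states
"Local IP : $localIp"

# 2. ICMP reachability over the tunnel (the report says ping works at least initially).
$icmp = Test-Connection -ComputerName $Peer -Count 2 -Quiet
"ICMP     : $icmp"

# 3. TCP reachability per port; TcpTestSucceeded is the field quoted in the report.
#    Run this once with Bitdefender Firewall enabled and once with it disabled to record the difference.
foreach ($p in $Ports) {
    $t = Test-NetConnection -ComputerName $Peer -Port $p -WarningAction SilentlyContinue
    "TCP $p   : $($t.TcpTestSucceeded)"
}

# 4. Windows Defender Firewall rules bound to the tailscale binaries (direction, action, profile).
#    Bitdefender's rules live in its own engine and are not listed here.
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like '*tailscale*' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt as `.\ts-diag.ps1 -Peer <tailscale-ip>`; the value of the script is in comparing the two runs (firewall on versus off) rather than any single line of output, since that comparison is exactly what the report's conclusion rests on.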