diff --git a/tailscaleAuth.go b/tailscaleAuth.go
index a60408b..794554a 100644
--- a/tailscaleAuth.go
+++ b/tailscaleAuth.go
@@ -2,6 +2,7 @@ package caddy_tailscale
 
 import (
 	"context"
+	"errors"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/caddyauth"
 	"net/http"
@@ -45,6 +46,9 @@ func (ta *TailscaleAuth) Authenticate(_ http.ResponseWriter, req *http.Request)
 	defer cancel()
 	whois, err := ta.lc.WhoIs(ctx, req.RemoteAddr)
 	if err != nil {
+		if errors.Is(err, tailscale.ErrPeerNotFound) { // happens when a non-tailnet IP is tested, eg. from the wider internet
+			return caddyauth.User{}, false, nil
+		}
 		return caddyauth.User{}, false, err
 	}