diff --git a/cmd/derper/README.md b/cmd/derper/README.md
index 907a2988b..8638db72b 100644
--- a/cmd/derper/README.md
+++ b/cmd/derper/README.md
@@ -30,7 +30,9 @@ If you've decided or been advised to run your own `derper`, then read on.
 * You must build and update the `cmd/derper` binary yourself. There are no packages. Use `go install tailscale.com/cmd/derper@latest` with the latest version of Go. You should update this binary approximately as regularly as
- you update Tailscale nodes.
+ you update Tailscale nodes. If using `--verify-clients`, the `derper` binary
+ and `tailscaled` binary on the machine must be built from the same git revision.
+ (It might work otherwise, but they're developed and only tested together.)
 * The DERP protocol does a protocol switch inside TLS from HTTP to a custom bidirectional binary protocol. It is thus incompatible with many HTTP proxies.
diff --git a/derp/derp_server.go b/derp/derp_server.go
index 005374e0c..c033e42e7 100644
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -1187,6 +1187,10 @@ func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, inf
 return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey)
 }
 if err != nil {
+ if strings.Contains(err.Error(), "invalid 'addr' parameter") {
+ // Issue 12617
+ return errors.New("tailscaled version is too old (out of sync with derper binary)")
+ }
 return fmt.Errorf("failed to query local tailscaled status for %v: %w", clientKey, err)
 }
 }
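Review bot: The added branch in verifyClient detects the version mismatch by substring-matching the error text `invalid 'addr' parameter`, which ties this client-verification path to the exact wording of an error produced elsewhere (presumably by the local tailscaled API); if that wording changes, the code silently falls back to the generic "failed to query" message. The replacement error also discards the underlying `err` and the `clientKey`, so operators lose the original detail; consider `return fmt.Errorf("tailscaled version is too old (out of sync with derper binary): %w", err)` and a comment such as `// Matched by message text; keep in sync with the tailscaled error (issue 12617).` Both branches still return a non-nil error, so the client is presumably still rejected on a mismatch, and that fail-closed behaviour is worth stating in a comment so a later refactor does not turn this case into a pass. verifyClient begins and ends outside the hunk, and the `strings` and `errors` imports this code needs are not visible here.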