diff --git a/net/netcheck/netcheck.go b/net/netcheck/netcheck.go
index 9ce6118482686..0d1c2e2d5a3b4 100644
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -7,6 +7,7 @@ package netcheck
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -207,6 +208,9 @@ type Client struct {
 	// probes.
 	GetDERPHeaders func() http.Header
 
+	// DERPTLSConfig is an optional TLS config for DERP connections.
+	DERPTLSConfig *tls.Config
+
 	// For tests
 	testEnoughRegions      int
 	testCaptivePortalDelay time.Duration
@@ -1301,6 +1305,9 @@ func (c *Client) measureHTTPLatency(ctx context.Context, reg *tailcfg.DERPRegion
 
 	dc := derphttp.NewNetcheckClient(c.logf)
 	dc.Header = derpHeaders
+	if c.DERPTLSConfig != nil {
+		dc.TLSConfig = c.DERPTLSConfig
+	}
 	defer dc.Close()
 
 	var hasForceHTTPNode = false
diff --git a/wgengine/magicsock/derp.go b/wgengine/magicsock/derp.go
index 12787cde14c45..fdea777f6f064 100644
--- a/wgengine/magicsock/derp.go
+++ b/wgengine/magicsock/derp.go
@@ -347,6 +347,9 @@ func (c *Conn) derpWriteChanOfAddr(addr netip.AddrPort, peer key.NodePublic) cha
 	dc.SetAddressFamilySelector(derpAddrFamSelector{c})
 	dc.SetForcedWebsocketCallback(c.derpForcedWebsocketFunc)
 	dc.DNSCache = dnscache.Get()
+	if tlsCfg := c.derpTLSConfig.Load(); tlsCfg != nil {
+		dc.TLSConfig = tlsCfg
+	}
 	header := c.derpHeader.Load()
 	if header != nil {
 		dc.Header = header.Clone()
diff --git a/wgengine/magicsock/magicsock.go b/wgengine/magicsock/magicsock.go
index fc70b8ae6080c..1349add573439 100644
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -8,6 +8,7 @@ package magicsock
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
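Review bot: The new DERPTLSConfig field comment says only that the config is "optional", leaving open what nil means and who controls certificate verification for the HTTPS latency probes. The measureHTTPLatency hunk in this diff assigns the pointer straight to the DERP client, so unless derphttp layers its own verification on top (not visible here) the config's RootCAs, ServerName and InsecureSkipVerify settings decide what every region probe accepts, and a caller can turn verification off for all of them with one field. I would extend the comment to: `// DERPTLSConfig, if non-nil, is the TLS client config used for the HTTPS DERP latency probes in place of the default verification settings; it is shared by pointer across probes and must not be modified after the Client is in use.` The Client struct continues outside the hunk.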
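Review bot: The same *tls.Config pointer is handed to every per-region DERP client, and measureHTTPLatency is presumably invoked for several regions at once; crypto/tls only tolerates a shared Config while nobody writes to it, so if derphttp fills in per-node fields such as ServerName on the config it is given (not visible here) this becomes a data race across probes. `dc.TLSConfig = c.DERPTLSConfig.Clone()` gives each client its own copy at negligible cost, and because Clone on a nil *tls.Config returns nil that single line can replace the three added lines, nil guard included. measureHTTPLatency starts and ends outside the hunk.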
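Review bot: The TLS config is read once here, while the DERP client is being built, so a value stored later via SetDERPTLSConfig only reaches DERP connections created after that point; an established DERP session keeps running under whatever config (and verification settings) it was dialed with. If a caller swaps configs to tighten verification, for example a new RootCAs, the active connections are never re-verified, which should at least be stated at the setter, or the setter should tear down active DERP connections the way a region-dialer change appears to (SetDERPRegionDialer takes c.mu after storing). As in netcheck, `dc.TLSConfig = tlsCfg.Clone()` rather than the shared pointer would isolate each client from in-place modification. derpWriteChanOfAddr starts and ends outside the hunk.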
@@ -176,6 +177,9 @@ type Conn struct {
 	// derpRegionDialer is passed to the DERP client
 	derpRegionDialer atomic.Pointer[func(ctx context.Context, region *tailcfg.DERPRegion) net.Conn]
 
+	// derpTLSConfig is an optional TLS config for DERP connections.
+	derpTLSConfig atomic.Pointer[tls.Config]
+
 	// stats maintains per-connection counters.
 	stats atomic.Pointer[connstats.Statistics]
 
@@ -1759,6 +1763,10 @@ func (c *Conn) SetDERPForceWebsockets(v bool) {
 	c.derpForceWebsockets.Store(v)
 }
 
+func (c *Conn) SetDERPTLSConfig(cfg *tls.Config) {
+	c.derpTLSConfig.Store(cfg)
+}
+
 func (c *Conn) SetDERPRegionDialer(dialer func(ctx context.Context, region *tailcfg.DERPRegion) net.Conn) {
 	c.derpRegionDialer.Store(&dialer)
 	c.mu.Lock()
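Review bot: The field comment for derpTLSConfig does not say when the pointer is consulted or what nil means, which matters because the atomic.Pointer makes the store cheap while the read happens only when a DERP client is constructed (derp.go in this diff), so the field's effect is deferred and partial. I would write: `// derpTLSConfig, if non-nil, is the TLS client config applied to DERP clients created after it is set; already established DERP connections are unaffected. The caller owns the config and must not modify it after passing it to SetDERPTLSConfig.` Conn's definition continues outside the hunk.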
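Review bot: SetDERPTLSConfig is exported but has no doc comment, and unlike the neighbouring SetDERPRegionDialer, which takes c.mu after its store (presumably to act on existing DERP connections; its body continues outside the hunk), the new setter only stores, so a config set here applies to future DERP dials and leaves live sessions on the old one. Either that is intended and should be documented, or the setter should mirror SetDERPRegionDialer's post-store handling so that a stricter config (new root CAs, InsecureSkipVerify turned off) also reaches active sessions rather than only the next reconnect. Suggested comment: `// SetDERPTLSConfig sets the TLS client config used for DERP connections dialed after this call; nil restores the default. Existing DERP connections are not re-dialed.`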