diff --git a/wgengine/magicsock/magicsock.go b/wgengine/magicsock/magicsock.go
index 49798eef3..9ca8f6f3d 100644
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -124,6 +124,8 @@ type Options struct {
 	// EndpointsFunc optionally provides a func to be called when
 	// endpoints change. The called func does not own the slice.
 	EndpointsFunc func(endpoint []string)
+
+	derpTLSConfig *tls.Config // normally nil; used by tests
 }
 
 func (o *Options) endpointsFunc() func([]string) {
@@ -173,6 +175,7 @@ func Listen(opts Options) (*Conn, error) {
 		wantDerp:      true,
 		derpRecvCh:    make(chan derpReadResult),
 		udpRecvCh:     make(chan udpReadResult),
+		derpTLSConfig: opts.derpTLSConfig,
 	}
 	c.ignoreSTUNPackets()
 	c.pconn.Reset(packetConn.(*net.UDPConn))
diff --git a/wgengine/magicsock/magicsock_test.go b/wgengine/magicsock/magicsock_test.go
index 4c01400e6..e5fafb4d0 100644
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -308,32 +308,26 @@ func TestTwoDevicePing(t *testing.T) {
 		EndpointsFunc: func(eps []string) {
 			epCh1 <- eps
 		},
+		derpTLSConfig: &tls.Config{InsecureSkipVerify: true},
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer conn1.Close()
 
-	conn1.derpMu.Lock()
-	conn1.derpTLSConfig = &tls.Config{InsecureSkipVerify: true}
-	conn1.derpMu.Unlock()
-
 	epCh2 := make(chan []string, 16)
 	conn2, err := Listen(Options{
 		STUN: []string{stunAddr.String()},
 		EndpointsFunc: func(eps []string) {
 			epCh2 <- eps
 		},
+		derpTLSConfig: &tls.Config{InsecureSkipVerify: true},
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer conn2.Close()
 
-	conn2.derpMu.Lock()
-	conn2.derpTLSConfig = &tls.Config{InsecureSkipVerify: true}
-	conn2.derpMu.Unlock()
-
 	ports := []uint16{conn1.LocalPort(), conn2.LocalPort()}
 	cfgs := makeConfigs(t, ports)