diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
index c2d604e841..ed997df495 100644
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@@ -229,6 +229,7 @@ func (m *Mapper) fullMapResponse(
 peers,
 m.baseDomain,
 m.dnsCfg,
+ m.randomClientPort,
 )
 if err != nil {
 return nil, err
@@ -329,6 +330,7 @@ func (m *Mapper) PeerChangedResponse(
 changed,
 m.baseDomain,
 m.dnsCfg,
+ m.randomClientPort,
 )
 if err != nil {
 return nil, err
@@ -515,7 +517,7 @@ func (m *Mapper) baseWithConfigMapResponse(
 ) (*tailcfg.MapResponse, error) {
 resp := m.baseMapResponse()
- tailnode, err := tailNode(node, m.capVer, pol, m.dnsCfg, m.baseDomain)
+ tailnode, err := tailNode(node, m.capVer, pol, m.dnsCfg, m.baseDomain, m.randomClientPort)
 if err != nil {
 return nil, err
 }
@@ -569,6 +571,7 @@ func appendPeerChanges(
 changed types.Nodes,
 baseDomain string,
 dnsCfg *tailcfg.DNSConfig,
+ randomClientPort bool,
 ) error {
 fullChange := len(peers) == len(changed)
@@ -599,7 +602,7 @@ func appendPeerChanges(
 peers,
 )
- tailPeers, err := tailNodes(changed, capVer, pol, dnsCfg, baseDomain)
+ tailPeers, err := tailNodes(changed, capVer, pol, dnsCfg, baseDomain, randomClientPort)
 if err != nil {
 return err
 }
diff --git a/hscontrol/mapper/tail.go b/hscontrol/mapper/tail.go
index ad9b7638ab..13958c9c3c 100644
--- a/hscontrol/mapper/tail.go
+++ b/hscontrol/mapper/tail.go
@@ -19,6 +19,7 @@ func tailNodes(
 pol *policy.ACLPolicy,
 dnsConfig *tailcfg.DNSConfig,
 baseDomain string,
+ randomClientPort bool,
 ) ([]*tailcfg.Node, error) {
 tNodes := make([]*tailcfg.Node, len(nodes))
@@ -29,6 +30,7 @@ func tailNodes(
 pol,
 dnsConfig,
 baseDomain,
+ randomClientPort,
 )
 if err != nil {
 return nil, err
@@ -48,6 +50,7 @@ func tailNode(
 pol *policy.ACLPolicy,
 dnsConfig *tailcfg.DNSConfig,
 baseDomain string,
+ randomClientPort bool,
 ) (*tailcfg.Node, error) {
 nodeKey, err := node.NodePublicKey()
 if err != nil {
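Review bot: `randomClientPort bool` is threaded as a trailing positional parameter through `appendPeerChanges` here and through `tailNodes` and `tailNode` in tail.go, and none of the three signatures documents what the flag does, so call sites end in an unexplained `true`/`false` (the test passes a bare `false`). I would add a doc line to each function, for example `// randomClientPort, when true, adds tailcfg.NodeAttrRandomizeClientPort to the generated nodes so clients use a random UDP port instead of the default.` If more per-response settings are expected, grouping `dnsCfg`, `baseDomain` and this flag into one small options struct would keep the argument lists readable. The bodies of these functions extend beyond the hunks shown.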
@@ -146,12 +149,20 @@ func tailNode(
 tailcfg.CapabilityAdmin: []tailcfg.RawMessage{},
 tailcfg.CapabilitySSH: []tailcfg.RawMessage{},
 }
+
+ if randomClientPort {
+ tNode.CapMap[tailcfg.NodeAttrRandomizeClientPort] = []tailcfg.RawMessage{}
+ }
 } else {
 tNode.Capabilities = []tailcfg.NodeCapability{
 tailcfg.CapabilityFileSharing,
 tailcfg.CapabilityAdmin,
 tailcfg.CapabilitySSH,
 }
+
+ if randomClientPort {
+ tNode.Capabilities = append(tNode.Capabilities, tailcfg.NodeAttrRandomizeClientPort)
+ }
 }
 // - 72: 2023-08-23: TS-2023-006 UPnP issue fixed; UPnP can now be used again
diff --git a/hscontrol/mapper/tail_test.go b/hscontrol/mapper/tail_test.go
index d514c4fb87..ced7537125 100644
--- a/hscontrol/mapper/tail_test.go
+++ b/hscontrol/mapper/tail_test.go
@@ -170,6 +170,7 @@ func TestTailNode(t *testing.T) {
 tt.pol,
 tt.dnsConfig,
 tt.baseDomain,
+ false,
 )
 if (err != nil) != tt.wantErr {
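Review bot: The attribute is set inside `tailNode`, which the mapper.go hunks show is called for the node's own entry (`baseWithConfigMapResponse`) and, via `tailNodes`, for every changed peer, so with the option enabled each peer entry in a map response also carries `NodeAttrRandomizeClientPort`. As far as I know clients act on this attribute only for their own node, so the peer copies look unnecessary; worth confirming and, if so, setting it only on the self node. Either way, the two `if randomClientPort` blocks deserve a comment because the setting changes which UDP port clients listen on, which affects operators whose firewall rules pin the default port: `// Ask the client to bind a random UDP port instead of the default; firewall rules that pin the default port stop matching.` The rest of `tailNode` lies outside this hunk.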
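Review bot: The only visible call in `TestTailNode` passes a literal `false`, so neither new `if randomClientPort` branch in tail.go is exercised by this test. I would add a `randomClientPort bool` field to the test table, pass `tt.randomClientPort,` here, and add one case with it set to `true` that expects `tailcfg.NodeAttrRandomizeClientPort` in the resulting node's capabilities. The test table and the rest of the function are outside the hunk, so where the field and the new case belong is a guess.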