diff --git a/derp/derphttp/derphttp_client.go b/derp/derphttp/derphttp_client.go
index c95d072b1..7387b60b4 100644
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -757,6 +757,9 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	}
 	dst := cmp.Or(dstPrimary, n.HostName)
 	port := "443"
+	if !c.useHTTPS() {
+		port = "3340"
+	}
 	if n.DERPPort != 0 {
 		port = fmt.Sprint(n.DERPPort)
 	}
diff --git a/prober/derp.go b/prober/derp.go
index b1ebc590d..bce40e34c 100644
--- a/prober/derp.go
+++ b/prober/derp.go
@@ -597,18 +597,22 @@ func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode, isPr
 	if err != nil {
 		return nil, err
 	}
-	cs, ok := dc.TLSConnectionState()
-	if !ok {
-		dc.Close()
-		return nil, errors.New("no TLS state")
-	}
-	if len(cs.PeerCertificates) == 0 {
-		dc.Close()
-		return nil, errors.New("no peer certificates")
-	}
-	if cs.ServerName != n.HostName {
-		dc.Close()
-		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
+
+	// Only verify TLS state if this is a prober.
+	if isProber {
+		cs, ok := dc.TLSConnectionState()
+		if !ok {
+			dc.Close()
+			return nil, errors.New("no TLS state")
+		}
+		if len(cs.PeerCertificates) == 0 {
+			dc.Close()
+			return nil, errors.New("no peer certificates")
+		}
+		if cs.ServerName != n.HostName {
+			dc.Close()
+			return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
+		}
 	}
 	errc := make(chan error, 1)
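Review bot: The new `if !c.useHTTPS()` branch introduces a second bare magic port string, `"3340"`, beside the existing `"443"` with no comment saying what it is, so a reader of dialNode cannot tell why the non-HTTPS dial maps to that port or that the `n.DERPPort` override on the next lines still takes precedence over it. Name both ports once, e.g. `const derpHTTPSPort, derpPlainHTTPPort = "443", "3340"`, and annotate the branch with something like `// useHTTPS() false selects a cleartext DERP dial; 3340 is presumably the server's default non-TLS listen port — confirm it matches the server side.` Because this path yields a connection with no TLS state, any caller that inspects `TLSConnectionState()` on the result has to handle the `ok == false` case rather than treat it as a hard error; the prober change in this same commit appears to do that by gating its checks on `isProber`, but that is inferred, not visible here. The body of dialNode and the definition of useHTTPS both lie outside this hunk.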