diff --git a/api.go b/api.go
index 03f63cb7..45fd7793 100644
--- a/api.go
+++ b/api.go
@@ -279,7 +279,8 @@ func (h *Headscale) getMapResponse(
 DERPMap: h.DERPMap,
 UserProfiles: profiles,
 Debug: &tailcfg.Debug{
- DisableLogTail: !h.cfg.LogTail.Enabled,
+ DisableLogTail: !h.cfg.LogTail.Enabled,
+ RandomizeClientPort: h.cfg.RandomizeClientPort,
 },
 }
diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go
index 9ca4a2c3..8a872e90 100644
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -68,6 +68,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 fs.FileMode(0o770),
 )
 c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+ c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }
 func (*Suite) TestDNSConfigLoading(c *check.C) {
diff --git a/config-example.yaml b/config-example.yaml
index 380db11a..9740f3ad 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -244,3 +244,8 @@ logtail:
 # As there is currently no support for overriding the log server in headscale, this is
 # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
 enabled: false
+
+# Enabling this option makes devices prefer a random port for WireGuard traffic over the
+# default static port 41641. This option is intended as a workaround for some buggy
+# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+randomize_client_port: false
diff --git a/config.go b/config.go
index 909a48c4..fdfa46a6 100644
--- a/config.go
+++ b/config.go
@@ -54,7 +54,8 @@ type Config struct {
 OIDC OIDCConfig
- LogTail LogTailConfig
+ LogTail LogTailConfig
+ RandomizeClientPort bool
 CLI CLIConfig
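Review bot: The new `RandomizeClientPort: h.cfg.RandomizeClientPort,` entry in the `tailcfg.Debug` literal copies a server-wide setting into what appears to be a per-node map response, so every node receives the same value and a change to the setting only reaches a node on its next map response; a short comment would make that explicit, e.g. `// Server-wide setting: every node receives it in its map response.`. The value also travels under `Debug`, which is where tailcfg carries it, yet it is an operational knob rather than a diagnostic, so a reader looking for where the port preference is decided may not look here — worth a mention in the same comment. getMapResponse begins before and continues after the hunk.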
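Review bot: The added assertion only checks the default that `LoadConfig` sets (`randomize_client_port` → `false`), so a config file setting it to `true` being dropped on the way into `Config.RandomizeClientPort` would still pass; consider a second case that loads a config with `randomize_client_port: true` and asserts that `GetHeadscaleConfig()` returns a `Config` whose `RandomizeClientPort` is `true`. What fixture this test writes under `fs.FileMode(0o770)` lies outside the hunk, so the exact setup needs confirming. TestConfigLoading begins before the hunk.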
@@ -153,6 +154,7 @@ func LoadConfig(path string) error {
 viper.SetDefault("oidc.strip_email_domain", true)
 viper.SetDefault("logtail.enabled", false)
+ viper.SetDefault("randomize_client_port", false)
 if err := viper.ReadInConfig(); err != nil {
 return fmt.Errorf("fatal error reading config file: %w", err)
@@ -385,6 +387,7 @@ func GetHeadscaleConfig() (*Config, error) {
 dnsConfig, baseDomain := GetDNSConfig()
 derpConfig := GetDERPConfig()
 logConfig := GetLogTailConfig()
+ randomizeClientPort := viper.GetBool("randomize_client_port")
 configuredPrefixes := viper.GetStringSlice("ip_prefixes")
 parsedPrefixes := make([]netaddr.IPPrefix, 0, len(configuredPrefixes)+1)
@@ -490,7 +493,8 @@ func GetHeadscaleConfig() (*Config, error) {
 StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
 },
- LogTail: logConfig,
+ LogTail: logConfig,
+ RandomizeClientPort: randomizeClientPort,
 CLI: CLIConfig{
 Address: viper.GetString("cli.address"),
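Review bot: `RandomizeClientPort: randomizeClientPort,` is the only use of the local read earlier in `GetHeadscaleConfig` (`randomizeClientPort := viper.GetBool("randomize_client_port")`), while the neighbouring `StripEmaildomain` field reads viper inline; either inline it as `RandomizeClientPort: viper.GetBool("randomize_client_port"),` and drop the local, or keep the local for symmetry with `logConfig` — mixing both forms in one literal is the style point. Separately, the new `RandomizeClientPort bool` field on `Config` (struct hunk earlier in this diff) carries no doc comment; a line such as `// RandomizeClientPort is sent to every node via tailcfg.Debug and asks clients to prefer a random WireGuard port.` would tie the field to its effect. GetHeadscaleConfig continues outside the hunk.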