diff --git a/go.mod b/go.mod
index 56e057fa7a..2befd4ba56 100644
--- a/go.mod
+++ b/go.mod
@@ -33,7 +33,7 @@ replace github.com/dlclark/regexp2 => github.com/dlclark/regexp2 v1.7.0
 
 // There are a few minor changes we make to Tailscale that we're slowly upstreaming. Compare here:
 // https://github.com/tailscale/tailscale/compare/main...coder:tailscale:main
-replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20231205095743-61c97bad8c8b
+replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20240214140224-3788ab894ba1
 
 // Fixes a race-condition in coder/wgtunnel.
 // Upstream PR: https://github.com/WireGuard/wireguard-go/pull/85
diff --git a/go.sum b/go.sum
index 472c4e7b3e..e812540135 100644
--- a/go.sum
+++ b/go.sum
@@ -202,8 +202,8 @@ github.com/coder/retry v1.5.1 h1:iWu8YnD8YqHs3XwqrqsjoBTAVqT9ml6z9ViJ2wlMiqc=
 github.com/coder/retry v1.5.1/go.mod h1:blHMk9vs6LkoRT9ZHyuZo360cufXEhrxqvEzeMtRGoY=
 github.com/coder/ssh v0.0.0-20231128192721-70855dedb788 h1:YoUSJ19E8AtuUFVYBpXuOD6a/zVP3rcxezNsoDseTUw=
 github.com/coder/ssh v0.0.0-20231128192721-70855dedb788/go.mod h1:aGQbuCLyhRLMzZF067xc84Lh7JDs1FKwCmF1Crl9dxQ=
-github.com/coder/tailscale v1.1.1-0.20231205095743-61c97bad8c8b h1:ut/aL6oI8TjGdg4JI8+bKB9w5j73intbe0dJAmcmYyQ=
-github.com/coder/tailscale v1.1.1-0.20231205095743-61c97bad8c8b/go.mod h1:L8tPrwSi31RAMEMV8rjb0vYTGs7rXt8rAHbqY/p41j4=
+github.com/coder/tailscale v1.1.1-0.20240214140224-3788ab894ba1 h1:A7dZHNidAVH6Kxn5D3hTEH+iRO8slnM0aRer6/cxlyE=
+github.com/coder/tailscale v1.1.1-0.20240214140224-3788ab894ba1/go.mod h1:L8tPrwSi31RAMEMV8rjb0vYTGs7rXt8rAHbqY/p41j4=
 github.com/coder/terraform-provider-coder v0.17.0 h1:qwdLSbh6vPN+QDDvw1WNSYYEFlFwJFwzzP9vrvwr/ks=
 github.com/coder/terraform-provider-coder v0.17.0/go.mod h1:pACHRoXSHBGyY696mLeQ1hR/Ag1G2wFk5bw0mT5Zp2g=
 github.com/coder/wgtunnel v0.1.13-0.20231127054351-578bfff9b92a h1:KhR9LUVllMZ+e9lhubZ1HNrtJDgH5YLoTvpKwmrGag4=
diff --git a/tailnet/conn.go b/tailnet/conn.go
index 98b6e71970..11c821d6b6 100644
--- a/tailnet/conn.go
+++ b/tailnet/conn.go
@@ -168,6 +168,7 @@ func NewConn(options *Options) (conn *Conn, err error) {
 
 	magicConn := sys.MagicSock.Get()
 	magicConn.SetDERPForceWebsockets(options.DERPForceWebSockets)
+	magicConn.SetBlockEndpoints(options.BlockEndpoints)
 	if options.DERPHeader != nil {
 		magicConn.SetDERPHeader(options.DERPHeader.Clone())
 	}
@@ -345,6 +346,7 @@ func (c *Conn) SetDERPForceWebSockets(v bool) {
 func (c *Conn) SetBlockEndpoints(blockEndpoints bool) {
 	c.configMaps.setBlockEndpoints(blockEndpoints)
 	c.nodeUpdater.setBlockEndpoints(blockEndpoints)
+	c.magicConn.SetBlockEndpoints(blockEndpoints)
 }
 
 // SetDERPRegionDialer updates the dialer to use for connecting to DERP regions.
diff --git a/tailnet/conn_test.go b/tailnet/conn_test.go
index b904e98fe6..823b7303db 100644
--- a/tailnet/conn_test.go
+++ b/tailnet/conn_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/netip"
 	"testing"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
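Review bot: The new `magicConn.SetBlockEndpoints(options.BlockEndpoints)` line in NewConn is now one of two places that configure endpoint blocking; `Conn.SetBlockEndpoints` in the next hunk also updates `configMaps` and `nodeUpdater`, and whether NewConn applies `options.BlockEndpoints` to those two as well is outside this hunk. If it does not, a Conn created with `BlockEndpoints: true` suppresses endpoints at the magicsock layer only until the setter is called, so please confirm. Either way the line deserves a why-comment, because the test added in this commit is currently the only thing explaining it: `// magicsock can advertise endpoints to peers over disco independently of the node updates filtered by configMaps/nodeUpdater, so it must be told to block them too.` NewConn starts and ends outside the hunk.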
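Review bot: The order of the three calls in `SetBlockEndpoints` matters when `blockEndpoints` is true: the magicsock call is appended last, so between the `nodeUpdater` update and it the socket can still advertise direct endpoints over disco (the new test's comment names disco as the path being closed). For a control whose purpose is to keep the node's addresses from reaching peers, tell magicsock first and the update paths afterwards: move `c.magicConn.SetBlockEndpoints(blockEndpoints)` to be the first line of the body. The three updates still are not atomic, which is worth stating in the method's doc comment; that comment, if present, sits above the hunk and is not visible here.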
@@ -412,6 +413,63 @@ parentLoop:
 	require.True(t, client2.AwaitReachable(awaitReachableCtx4, ip))
 }
 
+func TestConn_BlockEndpoints(t *testing.T) {
+	t.Parallel()
+	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
+
+	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
+
+	// Setup conn 1.
+	ip1 := tailnet.IP()
+	conn1, err := tailnet.NewConn(&tailnet.Options{
+		Addresses:      []netip.Prefix{netip.PrefixFrom(ip1, 128)},
+		Logger:         logger.Named("w1"),
+		DERPMap:        derpMap,
+		BlockEndpoints: true,
+	})
+	require.NoError(t, err)
+	defer func() {
+		err := conn1.Close()
+		assert.NoError(t, err)
+	}()
+
+	// Setup conn 2.
+	ip2 := tailnet.IP()
+	conn2, err := tailnet.NewConn(&tailnet.Options{
+		Addresses:      []netip.Prefix{netip.PrefixFrom(ip2, 128)},
+		Logger:         logger.Named("w2"),
+		DERPMap:        derpMap,
+		BlockEndpoints: true,
+	})
+	require.NoError(t, err)
+	defer func() {
+		err := conn2.Close()
+		assert.NoError(t, err)
+	}()
+
+	// Connect them together and wait for them to be reachable.
+	stitch(t, conn2, conn1)
+	stitch(t, conn1, conn2)
+	awaitReachableCtx, awaitReachableCancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer awaitReachableCancel()
+	require.True(t, conn1.AwaitReachable(awaitReachableCtx, ip2))
+
+	// Wait 10s for endpoints to potentially be sent over Disco. There's no way
+	// to force Disco to send endpoints immediately.
+	time.Sleep(10 * time.Second)
+
+	// Double check that both peers don't have endpoints for the other peer
+	// according to magicsock.
+	conn1Status, ok := conn1.Status().Peer[conn2.Node().Key]
+	require.True(t, ok)
+	require.Empty(t, conn1Status.Addrs)
+	require.Empty(t, conn1Status.CurAddr)
+	conn2Status, ok := conn2.Status().Peer[conn1.Node().Key]
+	require.True(t, ok)
+	require.Empty(t, conn2Status.Addrs)
+	require.Empty(t, conn2Status.CurAddr)
+}
+
 // stitch sends node updates from src Conn as peer updates to dst Conn. Sort of
 // like the Coordinator would, but without actually needing a Coordinator.
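Review bot: The check at the end of `TestConn_BlockEndpoints` is a single snapshot taken after a fixed `time.Sleep(10 * time.Second)`, so endpoints that arrived over disco during the window and were dropped again by the time `Status()` is read would pass unnoticed, and the sleep costs the full ten seconds even when nothing is wrong. Polling the same condition for the whole window with `require.Never` states the invariant directly and fails at the first sighting; the rewrite below keeps the existence checks on both peers and replaces only the sleep-then-snapshot section. If the vendored testify predates `require.Never`, a ticker loop over the same duration expresses the same thing.
```go
	// … unchanged: conn1/conn2 setup, stitch calls and AwaitReachable …

	// Endpoints must never appear, not merely be absent after a fixed delay:
	// a transient leak over disco would otherwise go unnoticed.
	leaked := func(c, peer *tailnet.Conn) bool {
		st, ok := c.Status().Peer[peer.Node().Key]
		return ok && (len(st.Addrs) > 0 || st.CurAddr != "")
	}
	require.Never(t, func() bool {
		return leaked(conn1, conn2) || leaked(conn2, conn1)
	}, 10*time.Second, 100*time.Millisecond)

	// Both peers must still be known to magicsock once the window has passed.
	_, ok := conn1.Status().Peer[conn2.Node().Key]
	require.True(t, ok)
	_, ok = conn2.Status().Peer[conn1.Node().Key]
	require.True(t, ok)
```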
func stitch(t *testing.T, dst, src *tailnet.Conn) {