diff --git a/config-example.yaml b/config-example.yaml
index cb7bf4da..8a7d1609 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -87,6 +87,12 @@ derp:
 region_code: "headscale"
 region_name: "Headscale Embedded DERP"
+ # If non-empty, an admission controller URL for permitting client connections
+ verify_client_url: "http://127.0.0.1:8080/verify"
+
+ # Whether derp fail open if verify_client_url is unreachable
+ verify_client_url_fail_open: false
+
 # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
 # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
 #
diff --git a/hscontrol/derp/server/derp_server.go b/hscontrol/derp/server/derp_server.go
index 0c97806f..479d5ffa 100644
--- a/hscontrol/derp/server/derp_server.go
+++ b/hscontrol/derp/server/derp_server.go
@@ -44,6 +44,10 @@ func NewDERPServer(
 ) (*DERPServer, error) {
 log.Trace().Caller().Msg("Creating new embedded DERP server")
 server := derp.NewServer(derpKey, util.TSLogfWrapper()) // nolint // zerolinter complains
+ if cfg.ServerVerifyClientURL != "" {
+ server.SetVerifyClientURL(cfg.ServerVerifyClientURL)
+ server.SetVerifyClientURLFailOpen(cfg.ServerVerifyFailOpen)
+ }
 return &DERPServer{
 serverURL: serverURL,
diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go
index f6c5c48a..72d7c07a 100644
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@@ -185,6 +185,8 @@ type DERPConfig struct {
 ServerRegionCode string
 ServerRegionName string
 ServerPrivateKeyPath string
+ ServerVerifyClientURL string
+ ServerVerifyFailOpen bool
 STUNAddr string
 URLs []url.URL
 Paths []string
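Review bot: The comment above `verify_client_url_fail_open` is ungrammatical and does not tell an operator what failing open costs: if the flag does what its name says, setting it to `true` means every client is relayed whenever the admission controller is down or slow, so an outage of (or a DoS against) that endpoint silently disables admission control. Suggest replacing the two comment lines with `# Whether the embedded DERP server should fail open (accept every client) when verify_client_url cannot be reached.` and `# Keep this false unless relay availability matters more to you than admission control.`. The example URL is plain http on loopback, which is reasonable, but the comment on `verify_client_url` should also say that this endpoint decides who may use the relay and so must not be reachable by untrusted parties or served over plaintext across a network. The rest of the `derp:` section lies outside this hunk.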
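Review bot: Nothing in the new `if` block records which admission mode the embedded DERP server started in, so a misconfigured or unreachable verifier with fail-open off presumably rejects every relay client with no hint in headscale's own logs, while fail-open on quietly runs an unverified relay. The function already logs through a zerolog-style `log.Trace()` two lines above, so one line inside the guard such as `log.Info().Str("verify_client_url", cfg.ServerVerifyClientURL).Bool("fail_open", cfg.ServerVerifyFailOpen).Msg("DERP client verification enabled")` would make the mode visible at startup, and a `log.Warn()` when `cfg.ServerVerifyFailOpen` is true would flag the weaker setting explicitly. `NewDERPServer`'s signature, where `cfg` comes from, begins outside the hunk.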
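Review bot: The two exported fields added to `DERPConfig` carry no doc comment, although the config example explains the keys they mirror, and their security meaning is not obvious from the names alone. Suggest `// ServerVerifyClientURL, if non-empty, is the admission-controller URL the embedded DERP server consults before accepting a client.` above the first and `// ServerVerifyFailOpen accepts clients when ServerVerifyClientURL cannot be reached; the zero value (false) fails closed.` above the second. Only part of the struct is visible in this hunk.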
@@ -431,6 +433,8 @@ func derpConfig() DERPConfig {
 serverRegionID := viper.GetInt("derp.server.region_id")
 serverRegionCode := viper.GetString("derp.server.region_code")
 serverRegionName := viper.GetString("derp.server.region_name")
+ serverVerifyClientURL := viper.GetString("derp.server.verify_client_url")
+ serverVerifyFailOpen := viper.GetBool("derp.server.verify_client_url_fail_open")
 stunAddr := viper.GetString("derp.server.stun_listen_addr")
 privateKeyPath := util.AbsolutePathFromConfigPath(
 viper.GetString("derp.server.private_key_path"),
@@ -475,6 +479,8 @@ func derpConfig() DERPConfig {
 ServerRegionID: serverRegionID,
 ServerRegionCode: serverRegionCode,
 ServerRegionName: serverRegionName,
+ ServerVerifyClientURL: serverVerifyClientURL,
+ ServerVerifyFailOpen: serverVerifyFailOpen,
 ServerPrivateKeyPath: privateKeyPath,
 STUNAddr: stunAddr,
 URLs: urls,
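Review bot: `derp.server.verify_client_url` is read as a raw string and passed straight through, with no check that it is a parseable absolute http(s) URL, unlike the neighbouring `private_key_path` which goes through `util.AbsolutePathFromConfigPath`. A typo here is security-relevant in both directions: with fail-open off the embedded DERP presumably rejects every client until someone notices, and with fail-open on every client is presumably admitted because the verifier can never be reached. `derpConfig` returns no error, so the check either belongs in whatever step validates the other `derp.server` keys (not visible here) or, at minimum, should abort startup in place; the sketch below assumes the file's zerolog `log` and the `net/url` import already used by the `URLs []url.URL` field are in scope — confirm before adopting. The body of `derpConfig` continues outside the hunk.
```go
	serverVerifyClientURL := viper.GetString("derp.server.verify_client_url")
	if serverVerifyClientURL != "" {
		u, err := url.Parse(serverVerifyClientURL)
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			log.Fatal().Err(err).Str("verify_client_url", serverVerifyClientURL).
				Msg("derp.server.verify_client_url must be an absolute http(s) URL")
		}
	}
	serverVerifyFailOpen := viper.GetBool("derp.server.verify_client_url_fail_open")
	// … unchanged: stun_listen_addr, private_key_path …
```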