diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bca556d..b734a65a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## Next +### Changes + +- Support client verify for DERP + [#2046](https://github.com/juanfont/headscale/pull/2046) + ## 0.26.0 (2025-05-14) ### BREAKING diff --git a/config-example.yaml b/config-example.yaml index 2cf43c4e..047fb731 100644 --- a/config-example.yaml +++ b/config-example.yaml @@ -85,7 +85,7 @@ derp: region_code: "headscale" region_name: "Headscale Embedded DERP" - # Verify clients to this DERP server using the Headscale node list + # Only allow clients associated with this server access verify_clients: true # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. diff --git a/hscontrol/app.go b/hscontrol/app.go index 2a15a420..6dddc311 100644 --- a/hscontrol/app.go +++ b/hscontrol/app.go @@ -227,7 +227,7 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) { } if cfg.DERP.ServerVerifyClients { - t := http.DefaultTransport.(*http.Transport) + t := http.DefaultTransport.(*http.Transport) //nolint:forcetypeassert t.RegisterProtocol( derpServer.DerpVerifyScheme, derpServer.NewDERPVerifyTransport(app.handleVerifyRequest), diff --git a/hscontrol/derp/server/derp_server.go b/hscontrol/derp/server/derp_server.go index 7e45db9c..ae7bf03e 100644 --- a/hscontrol/derp/server/derp_server.go +++ b/hscontrol/derp/server/derp_server.go @@ -384,10 +384,7 @@ type DERPVerifyTransport struct { func (t *DERPVerifyTransport) RoundTrip(req *http.Request) (*http.Response, error) { buf := new(bytes.Buffer) if err := t.handleVerifyRequest(req, buf); err != nil { - log.Error(). - Caller(). - Err(err). - Msg("Failed to handle verify request") + log.Error().Caller().Err(err).Msg("Failed to handle client verify request: ") return nil, err } diff --git a/integration/derp_verify_endpoint_test.go b/integration/derp_verify_endpoint_test.go index 749486c9..23879d56 100644 
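Review bot: In the config-example.yaml hunk, the reworded comment above `verify_clients: true` no longer says what a client is checked against, which the old wording did ("using the Headscale node list"). This setting is the access control for the embedded DERP relay, so I would keep that detail and state what turning it off means, for example `# Only allow nodes registered with this Headscale server to use the embedded DERP server.` followed by `# If false, the relay presumably does not reject clients unknown to this server.` The second line is inferred from the option's name and should be confirmed against the server code before it is committed.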
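Review bot: In hscontrol/app.go, `//nolint:forcetypeassert` silences the linter, but the unchecked assertion on `http.DefaultTransport` still panics at startup if anything in the process has replaced the default transport with another `http.RoundTripper` (an instrumentation wrapper, for instance). NewHeadscale already returns an error, so the comma-ok form fits: `t, ok := http.DefaultTransport.(*http.Transport)` followed by `if !ok { return nil, errors.New("http.DefaultTransport is not *http.Transport; cannot register DERP verify scheme") }` (whether `errors` is imported is not visible in this hunk). A comment should also note that `RegisterProtocol` mutates the process-wide default transport, so the verify scheme becomes reachable from every client that uses it, not only the DERP server. The body of NewHeadscale starts and ends outside the hunk.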
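Review bot: In hscontrol/derp/server/derp_server.go, the new message `"Failed to handle client verify request: "` ends with a colon and a space, but nothing is appended to it; the error travels in the `.Err(err)` field, so every log line will end in a dangling `: `. I would write `Msg("Failed to handle client verify request")`. Separately, RoundTrip logs the error and then returns it with `return nil, err`, so a caller that also logs will record the same failure twice; whether one does is outside this hunk. The rest of RoundTrip's body is not shown here.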
--- a/integration/derp_verify_endpoint_test.go +++ b/integration/derp_verify_endpoint_test.go @@ -101,6 +101,8 @@ func DERPVerify( c := derphttp.NewRegionClient(nodeKey, t.Logf, netmon.NewStatic(), func() *tailcfg.DERPRegion { return ®ion }) + defer c.Close() + var result error if err := c.Connect(context.Background()); err != nil { result = fmt.Errorf("client Connect: %w", err)