diff --git a/ipn/local.go b/ipn/local.go
index 3de2b87c7..efea3bc55 100644
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -698,6 +698,7 @@ func (b *LocalBackend) enterState(newState State) {
 	state := b.state
 	prefs := b.prefs
 	notify := b.notify
+	c := b.c
 	b.mu.Unlock()
 
 	if state == newState {
@@ -719,6 +720,9 @@ func (b *LocalBackend) enterState(newState State) {
 		if err != nil {
 			b.logf("Reconfig(down): %v", err)
 		}
+		if c != nil {
+			c.Shutdown()
+		}
 	case Starting, NeedsMachineAuth:
 		b.authReconfig()
 		// Needed so that UpdateEndpoints can run
diff --git a/wgengine/magicsock/magicsock.go b/wgengine/magicsock/magicsock.go
index 3e2216625..6431bdcb9 100644
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -1230,6 +1230,7 @@ func (c *Conn) SetPrivateKey(privateKey wgcfg.PrivateKey) error {
 
 	if oldKey.IsZero() {
 		c.logf("magicsock: SetPrivateKey called (init)")
+		go c.ReSTUN("set-private-key")
 	} else {
 		c.logf("magicsock: SetPrivateKey called (changed")
 	}
@@ -1264,6 +1265,10 @@ func (c *Conn) UpdatePeers(newPeers map[key.Public]struct{}) {
 			delete(c.peerLastDerp, peer)
 		}
 	}
+
+	if len(oldPeers) == 0 && len(newPeers) > 0 {
+		go c.ReSTUN("non-zero-peers")
+	}
 }
 
 // SetDERPEnabled controls whether DERP is used.
@@ -1410,6 +1415,12 @@ func (c *Conn) Close() error {
 	return err
 }
 
+func (c *Conn) haveAnyPeers() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return len(c.peerSet) > 0
+}
+
 func (c *Conn) periodicReSTUN() {
 	prand := rand.New(rand.NewSource(time.Now().UnixNano()))
 	dur := func() time.Duration {
@@ -1423,7 +1434,9 @@ func (c *Conn) periodicReSTUN() {
 		case <-c.donec():
 			return
 		case <-timer.C:
-			c.ReSTUN("periodic")
+			if c.haveAnyPeers() {
+				c.ReSTUN("periodic")
+			}
 			timer.Reset(dur())
 		}
 	}