diff --git a/cmd/tailscaled/tailscaled.go b/cmd/tailscaled/tailscaled.go
index 96b28ea1d..67233f767 100644
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -382,7 +382,7 @@ func run() error {
 }
 
 func startIPNServer(ctx context.Context, logf logger.Logf, logid string) error {
-	ln, _, err := safesocket.Listen(args.socketpath, safesocket.WindowsLocalPort)
+	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
 	}
diff --git a/cmd/tsconnect/wasm/wasm_js.go b/cmd/tsconnect/wasm/wasm_js.go
index 3ff9bfff4..9a1020c91 100644
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -301,7 +301,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 	}()
 
 	go func() {
-		ln, _, err := safesocket.Listen("", 0)
+		ln, err := safesocket.Listen("")
 		if err != nil {
 			log.Fatalf("safesocket.Listen: %v", err)
 		}
diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index c5db03f83..e541b20a2 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -35,7 +35,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/logtail"
 	"tailscale.com/net/netutil"
-	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
@@ -188,17 +187,10 @@ func validHost(h string) bool {
 		return true
 	}
 	// Allow either localhost or loopback IP hosts.
-	host, portStr, err := net.SplitHostPort(h)
+	host, _, err := net.SplitHostPort(h)
 	if err != nil {
 		return false
 	}
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		return false
-	}
-	if runtime.GOOS == "windows" && port != safesocket.WindowsLocalPort {
-		return false
-	}
 	if host == "localhost" {
 		return true
 	}
diff --git a/safesocket/basic_test.go b/safesocket/basic_test.go
index a70d5a872..d4364e4fc 100644
--- a/safesocket/basic_test.go
+++ b/safesocket/basic_test.go
@@ -21,7 +21,7 @@ func TestBasics(t *testing.T) {
 		sock = fmt.Sprintf(`\\.\pipe\tailscale-test`)
 	}
 
-	l, port, err := Listen(sock, 0)
+	l, err := Listen(sock)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -54,7 +54,6 @@ func TestBasics(t *testing.T) {
 
 	go func() {
 		s := DefaultConnectionStrategy(sock)
-		s.port = port
 		c, err := Connect(s)
 		if err != nil {
 			errs <- err
diff --git a/safesocket/pipe_windows.go b/safesocket/pipe_windows.go
index 2718cfd9e..c5c7b8b09 100644
--- a/safesocket/pipe_windows.go
+++ b/safesocket/pipe_windows.go
@@ -26,7 +26,7 @@ func setFlags(network, address string, c syscall.RawConn) error {
 // It provides read/write access to all users and the local system.
 const windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"
 
-func listen(path string, port uint16) (_ net.Listener, gotPort uint16, _ error) {
+func listen(path string) (net.Listener, error) {
 	lc, err := winio.ListenPipe(
 		path,
 		&winio.PipeConfig{
@@ -36,7 +36,7 @@ func listen(path string, port uint16) (_ net.Listener, gotPort uint16, _ error)
 		},
 	)
 	if err != nil {
-		return nil, 0, fmt.Errorf("namedpipe.Listen: %w", err)
+		return nil, fmt.Errorf("namedpipe.Listen: %w", err)
 	}
-	return lc, 0, nil
+	return lc, nil
 }
diff --git a/safesocket/safesocket.go b/safesocket/safesocket.go
index 243c4bfcb..43936f6d5 100644
--- a/safesocket/safesocket.go
+++ b/safesocket/safesocket.go
@@ -12,10 +12,6 @@ import (
 	"time"
 )
 
-// WindowsLocalPort is the default localhost TCP port
-// used by safesocket on Windows.
-const WindowsLocalPort = 41112
-
 type closeable interface {
 	CloseRead() error
 	CloseWrite() error
@@ -95,7 +91,7 @@ type ConnectionStrategy struct {
 // It falls back to auto-discovery across sandbox boundaries on macOS.
 // TODO: maybe take no arguments, since path is irrelevant on Windows? Discussion in PR 3499.
 func DefaultConnectionStrategy(path string) *ConnectionStrategy {
-	return &ConnectionStrategy{path: path, port: WindowsLocalPort}
+	return &ConnectionStrategy{path: path}
 }
 
 // Connect connects to tailscaled using s
@@ -111,10 +107,9 @@ func Connect(s *ConnectionStrategy) (net.Conn, error) {
 }
 
 // Listen returns a listener either on Unix socket path (on Unix), or
-// the localhost port (on Windows).
-// If port is 0, the returned gotPort says which port was selected on Windows.
-func Listen(path string, port uint16) (_ net.Listener, gotPort uint16, _ error) {
-	return listen(path, port)
+// the NamedPipe path (on Windows).
+func Listen(path string) (net.Listener, error) {
+	return listen(path)
 }
 
 var (
diff --git a/safesocket/safesocket_js.go b/safesocket/safesocket_js.go
index 5e0fe8092..d29be95ed 100644
--- a/safesocket/safesocket_js.go
+++ b/safesocket/safesocket_js.go
@@ -11,9 +11,8 @@ import (
 
 const memName = "Tailscale-IPN"
 
-func listen(path string, port uint16) (_ net.Listener, gotPort uint16, _ error) {
-	ln, err := memconn.Listen("memu", memName)
-	return ln, 1, err
+func listen(path string) (net.Listener, error) {
+	return memconn.Listen("memu", memName)
 }
 
 func connect(_ *ConnectionStrategy) (net.Conn, error) {
diff --git a/safesocket/unixsocket.go b/safesocket/unixsocket.go
index c205f4ea8..a91592742 100644
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -23,7 +23,7 @@ func connect(s *ConnectionStrategy) (net.Conn, error) {
 	return net.Dial("unix", s.path)
 }
 
-func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
+func listen(path string) (net.Listener, error) {
 	// Unix sockets hang around in the filesystem even after nobody
 	// is listening on them. (Which is really unfortunate but long-
 	// entrenched semantics.) Try connecting first; if it works, then
@@ -38,9 +38,9 @@ func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
 	if err == nil {
 		c.Close()
 		if tailscaledRunningUnderLaunchd() {
-			return nil, 0, fmt.Errorf("%v: address already in use; tailscaled already running under launchd (to stop, run: $ sudo launchctl stop com.tailscale.tailscaled)", path)
+			return nil, fmt.Errorf("%v: address already in use; tailscaled already running under launchd (to stop, run: $ sudo launchctl stop com.tailscale.tailscaled)", path)
 		}
-		return nil, 0, fmt.Errorf("%v: address already in use", path)
+		return nil, fmt.Errorf("%v: address already in use", path)
 	}
 	_ = os.Remove(path)
 
@@ -66,10 +66,10 @@ func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
 	}
 	pipe, err := net.Listen("unix", path)
 	if err != nil {
-		return nil, 0, err
+		return nil, err
 	}
 	os.Chmod(path, perm)
-	return pipe, 0, err
+	return pipe, err
 }
 
 func tailscaledRunningUnderLaunchd() bool {