diff --git a/wgengine/tstun/tun.go b/wgengine/tstun/tun.go
index 8cf42017e..e6202e8c5 100644
--- a/wgengine/tstun/tun.go
+++ b/wgengine/tstun/tun.go
@@ -262,3 +262,8 @@ func (t *TUN) InjectOutbound(packet []byte) error {
 		return nil
 	}
 }
+
+// Unwrap returns the underlying TUN device.
+func (t *TUN) Unwrap() tun.Device {
+	return t.tdev
+}
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 1e51f2013..e0a4fda34 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -206,7 +206,9 @@ func newUserspaceEngineAdvanced(logf logger.Logf, tundev *tstun.TUN, routerGen R
 		}
 	}()
 
-	e.router, err = routerGen(logf, e.wgdev, e.tundev)
+	// Pass the underlying tun.(*NativeDevice) to the router:
+	// routers do not Read or Write, but do access native interfaces.
+	e.router, err = routerGen(logf, e.wgdev, e.tundev.Unwrap())
 	if err != nil {
 		return nil, err
 	}