diff --git a/cmd/tailscaled/tailscaled.go b/cmd/tailscaled/tailscaled.go
index 51e5a2c21..924dc8b6d 100644
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -336,13 +336,18 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.
 	var dev tun.Device
 	if isUserspace {
 		dev = tstun.NewFake()
-		conf.Router = router.NewFake(logf)
 	} else {
 		dev, err = tstun.New(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name)
 			return nil, false, err
 		}
+		r, err := router.New(logf, dev)
+		if err != nil {
+			dev.Close()
+			return nil, false, err
+		}
+		conf.Router = r
 	}
 	e, err = wgengine.NewUserspaceEngine(logf, dev, conf)
 	if err != nil {
diff --git a/cmd/tailscaled/tailscaled_windows.go b/cmd/tailscaled/tailscaled_windows.go
index 276594dd5..fef215d74 100644
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -35,6 +35,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
+	"tailscale.com/wgengine/router"
 )
 
 const serviceName = "Tailscale"
@@ -164,10 +165,17 @@ func startIPNServer(ctx context.Context, logid string) error {
 		if err != nil {
 			return nil, err
 		}
+		r, err := router.New(logf, dev)
+		if err != nil {
+			dev.Close()
+			return nil, err
+		}
 		eng, err := wgengine.NewUserspaceEngine(logf, dev, wgengine.Config{
+			Router:     r,
 			ListenPort: 41641,
 		})
 		if err != nil {
+			r.Close()
 			dev.Close()
 			return nil, err
 		}
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index b9fe43ec8..0bf4db102 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -133,8 +133,8 @@ func (e *userspaceEngine) GetInternals() (*tstun.Wrapper, *magicsock.Conn) {
 
 // Config is the engine configuration.
 type Config struct {
-	// Router is the interface to OS networking APIs used to interface
-	// the OS with the Engine.
+	// Router interfaces the Engine to the OS network stack.
+	// If nil, a fake Router that does nothing is used.
 	Router router.Router
 
 	// LinkMonitor optionally provides an existing link monitor to re-use.
@@ -153,7 +153,6 @@ type Config struct {
 func NewFakeUserspaceEngine(logf logger.Logf, listenPort uint16) (Engine, error) {
 	logf("Starting userspace wireguard engine (with fake TUN device)")
 	return NewUserspaceEngine(logf, tstun.NewFake(), Config{
-		Router:     router.NewFake(logf),
 		ListenPort: listenPort,
 		Fake:       true,
 	})
@@ -165,15 +164,8 @@ func NewUserspaceEngine(logf logger.Logf, dev tun.Device, conf Config) (_ Engine
 	var closePool closeOnErrorPool
 	defer closePool.closeAllIfError(&reterr)
 
-	// TODO: default to a no-op router, require caller to pass in
-	// effectful ones.
 	if conf.Router == nil {
-		r, err := router.New(logf, dev)
-		if err != nil {
-			return nil, err
-		}
-		conf.Router = r
-		closePool.add(r)
+		conf.Router = router.NewFake(logf)
 	}
 
 	tsTUNDev := tstun.Wrap(logf, dev)