diff --git a/cmd/derper/derper_test.go b/cmd/derper/derper_test.go
index bf3a0ebce..ddd718c2d 100644
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -85,6 +85,11 @@ func TestNoContent(t *testing.T) {
 			input: "input",
 			want:  "response input",
 		},
+		{
+			name:  "valid challenge hostname",
+			input: "ts_derp99b.tailscale.com",
+			want:  "response ts_derp99b.tailscale.com",
+		},
 		{
 			name:  "invalid challenge",
 			input: "foo\x00bar",
diff --git a/net/netcheck/netcheck.go b/net/netcheck/netcheck.go
index 6dff6197c..5b2864991 100644
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -1126,7 +1126,10 @@ func (c *Client) checkCaptivePortal(ctx context.Context, dm *tailcfg.DERPMap, pr
 		return false, err
 	}
 
-	chal := "tailscale " + node.HostName
+	// Note: the set of valid characters in a challenge and the total
+	// length is limited; see isChallengeChar in cmd/derper for more
+	// details.
+	chal := "ts_" + node.HostName
 	req.Header.Set("X-Tailscale-Challenge", chal)
 	r, err := noRedirectClient.Do(req)
 	if err != nil {