diff --git a/client/internal/engine.go b/client/internal/engine.go
index 66fe6056b..c4c48c20c 100644
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -2318,6 +2318,11 @@ func (e *Engine) SetCapture(pc device.PacketCapture) error {
 	return nil
 }
 
+// GetWgPort returns the port currently configured for Wireguard.
+func (e *Engine) GetWgPort() int {
+	return e.config.WgPort
+}
+
 // setForwarderCapture propagates capture to the USP filter's forwarder endpoint.
 // This captures outbound response packets that bypass the FilteredDevice in netstack mode.
 func (e *Engine) setForwarderCapture(pc device.PacketCapture) {
diff --git a/client/server/server.go b/client/server/server.go
index 397fb37e4..947ed500c 100644
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -1446,6 +1446,7 @@ func (s *Server) runProbes(waitForProbeResult bool) {
 // GetConfig of the daemon.
 func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*proto.GetConfigResponse, error) {
 	s.mutex.Lock()
+	connectClient := s.connectClient
 	defer s.mutex.Unlock()
 
 	if ctx.Err() != nil {
@@ -1522,12 +1523,21 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		sshJWTCacheTTL = int32(*cfg.SSHJWTCacheTTL)
 	}
 
+	wgPort := int64(cfg.WgPort)
+	// Get correct assigned port, could be random if cfg.WgPort is 0.
+	if connectClient != nil && wgPort == 0 {
+		engine := connectClient.Engine()
+		if engine != nil {
+			wgPort = int64(engine.GetWgPort())
+		}
+	}
+
 	return &proto.GetConfigResponse{
 		ManagementUrl:                 managementURL.String(),
 		PreSharedKey:                  preSharedKey,
 		AdminURL:                      adminURL.String(),
 		InterfaceName:                 cfg.WgIface,
-		WireguardPort:                 int64(cfg.WgPort),
+		WireguardPort:                 wgPort,
 		Mtu:                           int64(cfg.MTU),
 		DisableAutoConnect:            cfg.DisableAutoConnect,
 		ServerSSHAllowed:              *cfg.ServerSSHAllowed,