diff --git a/Dockerfile b/Dockerfile
index c6a7a4c..cd81af8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,6 +13,7 @@ RUN mkdir /app/certs
 ENV DERP_HOSTNAME example.com
 ENV DERP_CERTMODE letsencrypt
 ENV DERP_ADDR :443
+ENV DERP_VERIFY_CLIENTS false
 
 COPY --from=builder /go/bin/derper .
 
@@ -23,7 +24,7 @@ VOLUME ["/app/certs"]
 CMD /app/derper --hostname=$DERP_HOSTNAME \
     --a=$DERP_ADDR \
     --certdir=/app/certs \
-    --verify-clients=true \
+    --verify-clients=$DERP_VERIFY_CLIENTS \
     --certmode=$DERP_CERTMODE
 
 # derper --help
diff --git a/README.md b/README.md
index 3090ba9..cfce6d9 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,11 @@
 # Environment Variables
 
-| Name          | Description                                                                          | Default Value |
-| ------------- | ------------------------------------------------------------------------------------ | ------------- |
-| DERP_HOSTNAME | Specifies the domain for the DERP server.                                            | `example.com` |
-| DERP_CERTMODE | Determines the SSL/TLS certificate management mode. Options: `manual`, `letsencrypt` | `letsencrypt` |
-| DERP_ADDR     | Sets the server address and port to bind to.                                         | `:443`        |
+| Name                | Description                                                                                                                                                                  | Default Value |
+| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
+| DERP_HOSTNAME       | Specifies the domain for the DERP server.                                                                                                                                    | `example.com` |
+| DERP_CERTMODE       | Determines the SSL/TLS certificate management mode. Options: `manual`, `letsencrypt`                                                                                         | `letsencrypt` |
+| DERP_ADDR           | Sets the server address and port to bind to.                                                                                                                                 | `:443`        |
+| DERP_VERIFY_CLIENTS | Whether to verify clients connecting to the DERP server. [reference](https://tailscale.com/kb/1118/custom-derp-servers#optional-restricting-client-access-to-your-derp-node) | `false`       |
 
 # Volumes
 
@@ -37,4 +38,4 @@ docker run -d --name derper \
 
 ## Adding DERP servers to your tailnet
 
-reference: https://tailscale.com/kb/1118/custom-derp-servers#step-2-adding-derp-servers-to-your-tailnet
+[reference](https://tailscale.com/kb/1118/custom-derp-servers#step-2-adding-derp-servers-to-your-tailnet)