diff --git a/Cargo.lock b/Cargo.lock
index e8c3f66771c..ff53543d70c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2758,6 +2758,7 @@ dependencies = [
 "anyhow",
 "axum",
 "backoff",
+ "base64 0.22.1",
 "bytes",
 "clap",
 "criterion",
diff --git a/iroh-net/Cargo.toml b/iroh-net/Cargo.toml
index 70317c0c7bb..cf9e4d17f35 100644
--- a/iroh-net/Cargo.toml
+++ b/iroh-net/Cargo.toml
@@ -88,6 +88,7 @@ tracing-subscriber = { version = "0.3", features = ["env-filter"], optional = tr
 iroh-metrics = { version = "0.16.0", path = "../iroh-metrics", default-features = false }
 strum = { version = "0.26.2", features = ["derive"] }
 pin-project-lite = "0.2.14"
+base64 = "0.22.1"
 [target.'cfg(any(target_os = "linux", target_os = "android"))'.dependencies]
 netlink-packet-core = "0.7.0"
diff --git a/iroh-net/src/relay/http/client.rs b/iroh-net/src/relay/http/client.rs
index 55ac35e6898..5c1c3ac722a 100644
--- a/iroh-net/src/relay/http/client.rs
+++ b/iroh-net/src/relay/http/client.rs
@@ -5,6 +5,7 @@ use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use std::time::Duration;
+use base64::{engine::general_purpose::URL_SAFE, Engine as _};
 use bytes::Bytes;
 use futures_lite::future::Boxed as BoxFuture;
 use http_body_util::Empty;
@@ -882,12 +883,27 @@ impl Actor {
 url_port(&self.url).ok_or_else(|| ClientError::Proxy("invalid target port".into()))?;
 // Establish Proxy Tunnel
- let req = Request::builder()
+ let mut req_builder = Request::builder()
 .uri(format!("{}:{}", target_host, port))
 .method("CONNECT")
 .header("Host", target_host)
- .header("Proxy-Connection", "Keep-Alive")
- .body(Empty::::new())?;
+ .header("Proxy-Connection", "Keep-Alive");
+ if !proxy_url.username().is_empty() {
+ // Passthrough authorization
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization
+ debug!(
+ "setting proxy-authorization: username={}",
+ proxy_url.username()
+ );
+ let to_encode = format!(
+ "{}:{}",
+ proxy_url.username(),
+ proxy_url.password().unwrap_or_default()
+ );
+ let encoded = URL_SAFE.encode(&to_encode);
+ req_builder = req_builder.header("Proxy-Authorization", format!("Basic {}", encoded));
+ }
+ let req = req_builder.body(Empty::::new())?;
 debug!("Sending proxy request: {:?}", req);
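Review bot: The `Proxy-Authorization` value is encoded with `URL_SAFE`, but the Basic scheme (RFC 7617) uses the standard base64 alphabet, so any credential whose encoding contains `+` or `/` is sent as `-` or `_` and a conforming proxy will fail to decode it; `let encoded = STANDARD.encode(&to_encode);`, with the import at the top of client.rs switched to `general_purpose::STANDARD`, avoids that. The unchanged `debug!("Sending proxy request: {:?}", req)` at the end of the hunk now prints this header, and base64 is trivially reversible, so the proxy password ends up in debug logs; building the value as a `HeaderValue` and calling `set_sensitive(true)` on it before passing it to `.header(...)` makes its Debug output print `Sensitive` instead. If `proxy_url` is a `url::Url`, `username()` and `password()` return the percent-encoded forms, so they presumably need percent-decoding before being joined, which is worth confirming with a password containing `@` or `%`. The enclosing function starts and ends outside this hunk.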