diff --git a/examples/masque/client.json b/examples/masque/client.json
index aa2bb853..24def45e 100644
--- a/examples/masque/client.json
+++ b/examples/masque/client.json
@@ -42,6 +42,7 @@
 "congestion_controller": "bbr",
 "cwnd": 0,
 "tls": { // TLS fields for HTTP2
+ "server_name": "", // SNI; empty = default "consumer-masque.cloudflareclient.com"
 "insecure": false,
 "cipher_suites": [],
 "curve_preferences": [],
diff --git a/option/masque.go b/option/masque.go
index a2311ef1..65053d1a 100644
--- a/option/masque.go
+++ b/option/masque.go
@@ -24,6 +24,7 @@ type MASQUEOutboundOptions struct {
 }
 
 type MASQUEOutboundTLSOptions struct {
+ ServerName string `json:"server_name,omitempty"`
 Insecure bool `json:"insecure,omitempty"`
 CipherSuites badoption.Listable[string] `json:"cipher_suites,omitempty"`
 CurvePreferences badoption.Listable[CurvePreference] `json:"curve_preferences,omitempty"`
diff --git a/protocol/masque/outbound.go b/protocol/masque/outbound.go
index 2a11d2f5..e47ffa65 100644
--- a/protocol/masque/outbound.go
+++ b/protocol/masque/outbound.go
@@ -102,7 +102,11 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 logger.ErrorContext(ctx, E.New("failed to generate cert: ", err))
 return
 }
- tlsConfig, err := tls.NewMASQUEClient(ctx, logger, "consumer-masque.cloudflareclient.com", cert, privKey, peerPubKey, common.PtrValueOrDefault(options.TLS))
+ serverName := cloudflare.ConnectSNI
+ if options.TLS != nil && options.TLS.ServerName != "" {
+ serverName = options.TLS.ServerName
+ }
+ tlsConfig, err := tls.NewMASQUEClient(ctx, logger, serverName, cert, privKey, peerPubKey, common.PtrValueOrDefault(options.TLS))
 if err != nil {
 logger.ErrorContext(ctx, E.New("failed to prepare TLS config: ", err))
 return
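Review bot: The new `ServerName` field in `MASQUEOutboundTLSOptions` has no doc comment, and its meaning is security-relevant: a reader cannot tell from the struct whether it only changes the SNI sent in the ClientHello or also the name the server certificate is checked against. I would add a comment above it such as `// ServerName overrides the TLS SNI; empty selects cloudflare.ConnectSNI.` and extend it once the verification behaviour of `tls.NewMASQUEClient` is confirmed. The struct's remaining fields continue outside the hunk.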
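Review bot: The override in `NewOutbound` hands a user-supplied `options.TLS.ServerName` to `tls.NewMASQUEClient` with no validation and no log line, so a mistyped or unexpected SNI stays invisible until the handshake fails. What that function does with the name is not visible here; if it also uses it for hostname verification, overriding it changes which certificate is accepted, and the code should state whether authentication rests on `peerPubKey` instead. I would log the effective value after the `if`, e.g. `logger.DebugContext(ctx, "MASQUE TLS server name: ", serverName)`, and add `// SNI override only; peer identity is checked via peerPubKey (confirm in NewMASQUEClient)` above `serverName := cloudflare.ConnectSNI`. The example comment in examples/masque/client.json hard-codes the default string while the code now reads `cloudflare.ConnectSNI`, so the two can drift. NewOutbound's body starts and ends outside the hunk.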