diff --git a/README.md b/README.md
index 06da167..b4e392f 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,10 @@ BindAddress = 127.0.0.1:25345
 #Username = ...
 # Avoid using spaces in the password field
 #Password = ...
+
+# Specifying certificate and key enables HTTPS
+#CertFile = ...
+#KeyFile = ...
 ```
 
 Alternatively, if you already have a wireguard config, you can import it in the
diff --git a/config.go b/config.go
index b1aba15..811d36b 100644
--- a/config.go
+++ b/config.go
@@ -57,6 +57,8 @@ type HTTPConfig struct {
 	BindAddress string
 	Username string
 	Password string
+	CertFile string
+	KeyFile string
 }
 
 type Configuration struct {
@@ -431,6 +433,12 @@ func parseHTTPConfig(section *ini.Section) (RoutineSpawner, error) {
 	password, _ := parseString(section, "Password")
 	config.Password = password
 
+	certFile, _ := parseString(section, "CertFile")
+	config.CertFile = certFile
+
+	keyFile, _ := parseString(section, "KeyFile")
+	config.KeyFile = keyFile
+
 	return config, nil
 }
 
diff --git a/http.go b/http.go
index 9fa7932..71e5668 100644
--- a/http.go
+++ b/http.go
@@ -3,6 +3,7 @@ package wireproxy
 import (
 	"bufio"
 	"bytes"
+	"crypto/tls"
 	"encoding/base64"
 	"fmt"
 	"io"
@@ -23,6 +24,7 @@ type HTTPServer struct {
 	dial func(network, address string) (net.Conn, error)
 
 	authRequired bool
+	tlsRequired bool
 }
 
 func (s *HTTPServer) authenticate(req *http.Request) (int, error) {
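Review bot: parseHTTPConfig accepts a CertFile without a KeyFile (or the reverse) and still returns `config, nil`, and routine.go only sets tlsRequired when both are non-empty, so a half-configured HTTPS section silently serves the proxy — and any Basic-auth credentials it checks — over plaintext. Validate the pair here, just before `return config, nil`: `if (config.CertFile == "") != (config.KeyFile == "") { return nil, errors.New("CertFile and KeyFile must be set together") }` (or fmt.Errorf, whichever config.go already imports). Both new parseString errors are discarded with `_`, matching the Password line above, so an unreadable value is indistinguishable from an absent one; that is existing style, but a short comment saying the keys are optional would make the intent explicit. parseHTTPConfig starts outside the hunk.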
@@ -141,9 +143,22 @@ func (s *HTTPServer) serve(conn net.Conn) {
 	}()
 }
 
+func (s *HTTPServer) listen(network, addr string) (net.Listener, error) {
+	if s.tlsRequired {
+		cert, err := tls.LoadX509KeyPair(s.config.CertFile, s.config.KeyFile)
+		if err != nil {
+			return nil, err
+		}
+
+		return tls.Listen(network, addr, &tls.Config{Certificates: []tls.Certificate{cert}})
+	}
+
+	return net.Listen(network, addr)
+}
+
 // ListenAndServe is used to create a listener and serve on it
 func (s *HTTPServer) ListenAndServe(network, addr string) error {
-	server, err := net.Listen(network, addr)
+	server, err := s.listen(network, addr)
 	if err != nil {
 		return fmt.Errorf("listen tcp failed: %w", err)
 	}
diff --git a/routine.go b/routine.go
index 465e6b1..eba9fde 100644
--- a/routine.go
+++ b/routine.go
@@ -173,6 +173,10 @@ func (config *HTTPConfig) SpawnRoutine(vt *VirtualTun) {
 		server.authRequired = true
 	}
 
+	if config.CertFile != "" && config.KeyFile != "" {
+		server.tlsRequired = true
+	}
+
 	if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {
 		log.Fatal(err)
 	}
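Review bot: The tls.Config built in listen sets only Certificates, so the accepted protocol versions are whatever the toolchain defaults to — on Go toolchains before 1.22 a server config with no MinVersion still accepts TLS 1.0; pin it explicitly: `&tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}`. The LoadX509KeyPair error is returned bare and ListenAndServe then reports it as "listen tcp failed", which misattributes a missing or malformed certificate file to the socket; wrap it where it occurs, `return nil, fmt.Errorf("loading TLS key pair: %w", err)` (fmt is already imported in http.go). The new method also has no doc comment; `// listen opens a TLS listener when tlsRequired is set, otherwise a plain net.Listen.` would do.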