diff --git a/control/controlclient/direct.go b/control/controlclient/direct.go
index 250cddf1c..706486cde 100644
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -26,6 +26,7 @@ import (
 "github.com/tailscale/wireguard-go/wgcfg"
 "golang.org/x/crypto/nacl/box"
+ "golang.org/x/net/proxy"
 "golang.org/x/oauth2"
 "tailscale.com/net/tlsdial"
 "tailscale.com/tailcfg"
@@ -134,6 +135,7 @@ func NewDirect(opts Options) (*Direct, error) {
 httpc := opts.HTTPTestClient
 if httpc == nil {
 tr := http.DefaultTransport.(*http.Transport).Clone()
+ tr.DialContext = proxy.Dial
 tr.ForceAttemptHTTP2 = true
 tr.TLSClientConfig = tlsdial.Config(serverURL.Host, tr.TLSClientConfig)
 httpc = &http.Client{Transport: tr}
diff --git a/logpolicy/logpolicy.go b/logpolicy/logpolicy.go
index 1af689892..864a0705f 100644
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -26,6 +26,7 @@ import (
 "github.com/klauspost/compress/zstd"
 "golang.org/x/crypto/ssh/terminal"
+ "golang.org/x/net/proxy"
 "tailscale.com/atomicfile"
 "tailscale.com/logtail"
 "tailscale.com/logtail/filch"
@@ -250,8 +251,15 @@ func newLogtailTransport(host string) *http.Transport {
 KeepAlive: 30 * time.Second,
 DualStack: true,
 }
+ var c net.Conn
+ var err error
 t0 := time.Now()
- c, err := nd.DialContext(ctx, netw, addr)
+ if cd, ok := proxy.FromEnvironmentUsing(nd).(proxy.ContextDialer); ok {
+ c, err = cd.DialContext(ctx, netw, addr)
+ } else {
+ fmt.Printf("!!!NOT\n")
+ c, err = nd.DialContext(ctx, netw, addr)
+ }
 d := time.Since(t0).Round(time.Millisecond)
 if err != nil {
 log.Printf("logtail: dial %q failed: %v (in %v)", addr, err, d)
diff --git a/logtail/logtail.go b/logtail/logtail.go
index 33cf78a37..a04116661 100644
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -16,6 +16,7 @@ import (
 "os"
 "time"
+ "golang.org/x/net/proxy"
 "tailscale.com/logtail/backoff"
 )
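Review bot: In NewDirect (control/controlclient/direct.go), `tr.DialContext = proxy.Dial` replaces the dialer that the cloned http.DefaultTransport carried, so the control connection loses that dialer's connect timeout and keep-alive; as far as I can tell proxy.Dial falls back to a zero-value net.Dialer when no proxy is configured. It also lets the ALL_PROXY/NO_PROXY environment decide the network path of control traffic, stacked on the transport's existing HTTP(S)_PROXY handling, with nothing logged. Building the dialer once from a configured net.Dialer keeps the timeouts, e.g. `d := proxy.FromEnvironmentUsing(&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second})` and dialing through its proxy.ContextDialer, and a one-time log line when a proxy is active would make the rerouting visible. The same assignment appears in Log (logtail/logtail.go) and GetReport (netcheck/netcheck.go). NewDirect's body continues outside the hunk.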
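Review bot: In newLogtailTransport (logpolicy/logpolicy.go), the `else` branch fails open: when the environment-selected dialer does not implement proxy.ContextDialer, the code prints `!!!NOT` to stdout and dials directly with `nd`, so log uploads bypass a proxy the operator configured. The debug `fmt.Printf` should be removed, and the fallback should still go through the proxy dialer, e.g. build `d := proxy.FromEnvironmentUsing(nd)` once and use `c, err = d.Dial(netw, addr)` in the `else` branch. Building it once, outside what appears to be the per-connection dial function, also avoids reconstructing the dialer on every attempt. The enclosing dial function starts and ends outside the hunk.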
@@ -78,7 +79,9 @@ func Log(cfg Config) Logger { cfg.BaseURL = "https://" + DefaultHost } if cfg.HTTPC == nil { - cfg.HTTPC = http.DefaultClient + tr := http.DefaultTransport.(*http.Transport).Clone() + tr.DialContext = proxy.Dial + cfg.HTTPC = &http.Client{Transport: tr} } if cfg.TimeNow == nil { cfg.TimeNow = time.Now diff --git a/netcheck/netcheck.go b/netcheck/netcheck.go index bbd1f163b..ed19e6167 100644 --- a/netcheck/netcheck.go +++ b/netcheck/netcheck.go @@ -20,6 +20,7 @@ import ( "time" "github.com/tcnksm/go-httpstat" + "golang.org/x/net/proxy" "golang.org/x/sync/errgroup" "tailscale.com/derp/derpmap" "tailscale.com/net/dnscache" @@ -76,6 +77,8 @@ type Client struct { GetSTUNConn4 func() STUNConn GetSTUNConn6 func() STUNConn + HTTPC *http.Client + mu sync.Mutex // guards following prev map[time.Time]*Report // some previous reports last *Report // most recent report @@ -459,6 +462,12 @@ func (c *Client) GetReport(ctx context.Context) (*Report, error) { // Try HTTPS latency check if UDP is blocked and all checkings failed if !anyV4() { c.logf("netcheck: UDP is blocked, try HTTPS") + if c.HTTPC == nil { + tr := http.DefaultTransport.(*http.Transport).Clone() + tr.DialContext = proxy.Dial + c.HTTPC = &http.Client{Transport: tr} + } + var wg sync.WaitGroup for _, server := range stuns4 { server := server @@ -505,7 +514,7 @@ func (c *Client) measureHTTPSLatency(server string) (time.Duration, error) { return 0, err } - resp, err := http.DefaultClient.Do(req) + resp, err := c.HTTPC.Do(req) if err != nil { return 0, err }
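Review bot: The new exported field `HTTPC` on netcheck.Client has no doc comment, and because it sits above `mu` it is not covered by the "guards following" note. A comment such as `// HTTPC optionally specifies the HTTP client for the HTTPS latency fallback. If nil, GetReport installs one that dials via proxy.Dial.` would record the default and who sets it. The struct continues outside the hunk.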
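Review bot: In GetReport (netcheck/netcheck.go), the lazy `c.HTTPC = &http.Client{Transport: tr}` writes a field of the shared Client without holding `c.mu`, so overlapping GetReport calls on one Client would race on it. measureHTTPSLatency then calls `c.HTTPC.Do(req)` with no nil check, which panics if that method is ever reached without this initialisation having run. Wrapping the check and assignment in `c.mu.Lock()` / `c.mu.Unlock()`, or resolving the client once through a small accessor that both functions call, closes both gaps. GetReport's body starts and ends outside the hunk.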