diff --git a/api/v1alpha1/tunnel_types.go b/api/v1alpha1/tunnel_types.go
index 0354e12..3a4d323 100644
--- a/api/v1alpha1/tunnel_types.go
+++ b/api/v1alpha1/tunnel_types.go
@@ -113,6 +113,12 @@ type TunnelSpec struct {
 	// Tolerations specifies the tolerations to apply to the cloudflared tunnel deployment
 	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:validation:Enum={"auto","quic","http2"}
+	//+kubebuilder:default:="auto"
+	// Protocol specifies the protocol to use for the tunnel. Defaults to auto. Options are "auto", "quic" and "http2"
+	Protocol string `json:"protocol,omitempty"`
+
 	//+kubebuilder:validation:Optional
 	//+kubebuilder:default:="http_status:404"
 	// FallbackTarget speficies the target for requests that do not match an ingress. Defaults to http_status:404
diff --git a/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml b/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml
index 6a34d00..e98cc3c 100644
--- a/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml
+++ b/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml
@@ -135,6 +135,15 @@ spec:
                   certs as needed to be referred in the service annotation) of the
                   Root CA to be trusted when sending traffic to HTTPS endpoints
                 type: string
+              protocol:
+                default: auto
+                description: Protocol specifies the protocol to use for the tunnel.
+                  Defaults to auto. Options are "auto", "quic" and "http2"
+                enum:
+                - auto
+                - quic
+                - http2
+                type: string
               size:
                 default: 1
                 description: Size defines the number of Daemon pods to run for this
diff --git a/config/crd/bases/networking.cfargotunnel.com_tunnels.yaml b/config/crd/bases/networking.cfargotunnel.com_tunnels.yaml
index 1f81a97..fa4ffbe 100644
--- a/config/crd/bases/networking.cfargotunnel.com_tunnels.yaml
+++ b/config/crd/bases/networking.cfargotunnel.com_tunnels.yaml
@@ -135,6 +135,15 @@ spec:
                   certs as needed to be referred in the service annotation) of the
                   Root CA to be trusted when sending traffic to HTTPS endpoints
                 type: string
+              protocol:
+                default: auto
+                description: Protocol specifies the protocol to use for the tunnel.
+                  Defaults to auto. Options are "auto", "quic" and "http2"
+                enum:
+                - auto
+                - quic
+                - http2
+                type: string
               size:
                 default: 1
                 description: Size defines the number of Daemon pods to run for this
diff --git a/controllers/reconciler.go b/controllers/reconciler.go
index 715c06a..9c648af 100644
--- a/controllers/reconciler.go
+++ b/controllers/reconciler.go
@@ -411,8 +411,9 @@ func deploymentForTunnel(r GenericTunnelReconciler) *appsv1.Deployment {
 	replicas := r.GetTunnel().GetSpec().Size
 	nodeSelector := nodeSelectorsForTunnel(r.GetTunnel())
 	tolerations := r.GetTunnel().GetSpec().Tolerations
+	protocol := r.GetTunnel().GetSpec().Protocol
 
-	args := []string{"tunnel", "--config", "/etc/cloudflared/config/config.yaml", "--metrics", "0.0.0.0:2000", "run"}
+	args := []string{"tunnel", "--protocol", protocol, "--config", "/etc/cloudflared/config/config.yaml", "--metrics", "0.0.0.0:2000", "run"}
 	volumes := []corev1.Volume{{
 		Name: "creds",
 		VolumeSource: corev1.VolumeSource{