diff --git a/internal/restrictednet/client.go b/internal/restrictednet/client.go
index 292f3e3d..9e20b939 100644
--- a/internal/restrictednet/client.go
+++ b/internal/restrictednet/client.go
@@ -17,6 +17,7 @@ type Client struct {
 firewall Firewall
 outboundInterface string
 dohServers []provider.DoHServer
+ httpsPort uint16
 }
 func New(firewall Firewall, defaultInterface string, ipv6Supported bool,
@@ -27,11 +28,13 @@ func New(firewall Firewall, defaultInterface string, ipv6Supported bool,
 dohServers[i] = upstreamResolver.DoH
 }
+ const defaultHTTPSPort = 443
 return &Client{
 firewall: firewall,
 outboundInterface: defaultInterface,
 ipv6Supported: ipv6Supported,
 dohServers: dohServers,
+ httpsPort: defaultHTTPSPort,
 }, nil
 }
diff --git a/internal/restrictednet/client_test.go b/internal/restrictednet/client_test.go
index ff10e822..65504f62 100644
--- a/internal/restrictednet/client_test.go
+++ b/internal/restrictednet/client_test.go
@@ -38,11 +39,12 @@ func Test_Client_OpenHTTPS(t *testing.T) {
 ctx := t.Context()
 netConfig := net.ListenConfig{}
- listener, err := netConfig.Listen(ctx, "tcp", "127.0.0.1:443")
+ listener, err := netConfig.Listen(ctx, "tcp", "127.0.0.1:0")
 require.NoError(t, err)
 t.Cleanup(func() { _ = listener.Close() })
+ listeningPort := uint16(listener.Addr().(*net.TCPAddr).Port) //nolint:gosec,forcetypeassert
 go func() {
 connection, acceptErr := listener.Accept()
 if acceptErr == nil {
@@ -53,7 +54,7 @@ func Test_Client_OpenHTTPS(t *testing.T) {
 ctrl := gomock.NewController(t)
 firewall := NewMockFirewall(ctrl)
- destination := netip.MustParseAddrPort("127.0.0.1:443")
+ destination := netip.AddrPortFrom(netip.MustParseAddr("127.0.0.1"), listeningPort)
 sourceMatcher := listenAddrPortMatcher{}
 firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
 ctx, "tcp", "eth0", sourceMatcher, destination, false,
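Review bot: The new `httpsPort` field in the `Client` struct carries no comment, and as far as this diff shows its only writers are `New` (fixed at 443) and the test, so a reader may take it for a user-facing setting rather than a test seam. Suggest `// httpsPort is the destination TCP port OpenHTTPS targets; New fixes it to 443 and tests override it to reach a local listener.` The `Client` struct begins before this hunk.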
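Review bot: In the `client_test.go` hunk, `listeningPort := uint16(listener.Addr().(*net.TCPAddr).Port) //nolint:gosec,forcetypeassert` silences two linters where a checked assertion reads better and fails with a clear message instead of a panic: `tcpAddr, ok := listener.Addr().(*net.TCPAddr)` / `require.True(t, ok)` / `listeningPort := uint16(tcpAddr.Port) //nolint:gosec // kernel-assigned port fits in uint16`. The narrowing conversion is then the only suppressed finding, and the reason for suppressing it is recorded next to it. `Test_Client_OpenHTTPS` begins before this hunk and continues past it.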
@@ -71,6 +72,7 @@ func Test_Client_OpenHTTPS(t *testing.T) {
 upstreamResolvers := []provider.Provider{provider.Google()}
 client, err := New(firewall, "eth0", ipv6Supported, upstreamResolvers)
 require.NoError(t, err)
+ client.httpsPort = listeningPort
 httpClient, cleanup, err := client.OpenHTTPS(ctx, "api.example.com", netip.MustParseAddr("127.0.0.1"))
 require.NoError(t, err)
diff --git a/internal/restrictednet/https.go b/internal/restrictednet/https.go
index 9444ab7a..02863455 100644
--- a/internal/restrictednet/https.go
+++ b/internal/restrictednet/https.go
@@ -24,8 +24,7 @@ func (c *Client) OpenHTTPS(ctx context.Context, destinationTLSName string, desti
 return nil, nil, fmt.Errorf("binding source port: %w", err)
 }
- const httpsPort = 443
- destinationAddrPort := netip.AddrPortFrom(destinationIP, httpsPort)
+ destinationAddrPort := netip.AddrPortFrom(destinationIP, c.httpsPort)
 const remove = false
 err = c.firewall.AcceptOutputFromIPPortToIPPort(ctx, "tcp", c.outboundInterface,
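Review bot: `destinationAddrPort := netip.AddrPortFrom(destinationIP, c.httpsPort)` in the `https.go` hunk now depends on `httpsPort` having been populated; a `Client` built as a struct literal rather than through `New` would silently yield a destination of port 0 for the firewall rule opened just below, where the old code could not. A guard before this line makes that misuse fail loudly: `if c.httpsPort == 0 {` / `return nil, nil, errors.New("https destination port is not set")` / `}` (add the `errors` import if https.go lacks it). Whether any such literal construction exists elsewhere cannot be seen from this diff. `OpenHTTPS` begins before this hunk and continues past it.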