diff --git a/cmd/omni/main.go b/cmd/omni/main.go index 3208bfeb..eb902529 100644 --- a/cmd/omni/main.go +++ b/cmd/omni/main.go @@ -292,6 +292,7 @@ func init() { config.Config.SiderolinkWireguardAdvertisedAddress, "advertised wireguard address which is passed down to the nodes.") rootCmd.Flags().StringVar(&config.Config.SiderolinkWireguardBindAddress, "siderolink-wireguard-bind-addr", config.Config.SiderolinkWireguardBindAddress, "Siderolink wireguard bind address.") + rootCmd.Flags().BoolVar(&config.Config.SiderolinkUseGRPCTunnel, "siderolink-use-grpc-tunnel", false, "use gRPC tunnel to wrap wireguard traffic instead of UDP") rootCmd.Flags().StringVar(&config.Config.MachineAPIBindAddress, "siderolink-api-bind-addr", config.Config.MachineAPIBindAddress, "SideroLink provision bind address.") rootCmd.Flags().StringVar(&config.Config.MachineAPICertFile, "siderolink-api-cert", config.Config.MachineAPICertFile, "SideroLink TLS cert file path.") diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go index 72cb6f1b..7aed6ab7 100644 --- a/internal/pkg/config/config.go +++ b/internal/pkg/config/config.go @@ -48,6 +48,7 @@ type Params struct { SiderolinkWireguardBindAddress string `yaml:"siderolinkWireguardBindAddress"` SiderolinkWireguardAdvertisedAddress string `yaml:"siderolinkWireguardAdvertisedAddress"` SiderolinkDisableLastEndpoint bool `yaml:"siderolinkDisableLastEndpoint"` + SiderolinkUseGRPCTunnel bool `yaml:"siderolinkUseGRPCTunnel"` EventSinkPort int `yaml:"eventSinkPort"` SideroLinkAPIURL string `yaml:"siderolinkAPIURL"` diff --git a/internal/pkg/siderolink/manager.go b/internal/pkg/siderolink/manager.go index df5b4028..3083a96e 100644 --- a/internal/pkg/siderolink/manager.go +++ b/internal/pkg/siderolink/manager.go @@ -13,6 +13,7 @@ import ( "fmt" "net" "net/netip" + "net/url" "os" "strconv" "syscall" 
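Review bot: In cmd/omni/main.go the new `siderolink-use-grpc-tunnel` flag is registered with a literal `false` default, while the neighbouring flags in this hunk pass the current `config.Config.…` field as their default. If `config.Config` is pre-populated with defaults before `init()` runs (not visible here), registering the flag this way would reset `SiderolinkUseGRPCTunnel` to false. For consistency, pass `config.Config.SiderolinkUseGRPCTunnel` as the third argument instead of `false`. The body of `init()` starts and ends outside the hunk.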
@@ -624,10 +625,21 @@ func (manager *Manager) updateConnectionParams(ctx context.Context, siderolinkCo spec.JoinToken = siderolinkConfig.TypedSpec().Value.JoinToken spec.WireguardEndpoint = siderolinkConfig.TypedSpec().Value.AdvertisedEndpoint - spec.Args = fmt.Sprintf("%s=%s?jointoken=%s %s=%s %s=tcp://%s", + var url *url.URL + + url, err = url.Parse(spec.ApiEndpoint) + if err != nil { + return err + } + + query := url.Query() + query.Set("jointoken", siderolinkConfig.TypedSpec().Value.JoinToken) + query.Set("grpc_tunnel", fmt.Sprintf("%t", config.Config.SiderolinkUseGRPCTunnel)) + url.RawQuery = query.Encode() + + spec.Args = fmt.Sprintf("%s=%s %s=%s %s=tcp://%s", talosconstants.KernelParamSideroLink, - spec.ApiEndpoint, - siderolinkConfig.TypedSpec().Value.JoinToken, + url.String(), talosconstants.KernelParamEventsSink, net.JoinHostPort( siderolinkConfig.TypedSpec().Value.ServerAddress,
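Review bot: `var url *url.URL` shadows the `net/url` package, so the next line's `url.Parse(spec.ApiEndpoint)` resolves to the `(*URL).Parse` method on a nil receiver, not the package-level function. That method resolves the reference against its receiver, which as far as I can tell only works while the endpoint is an absolute URL. An endpoint without a scheme would dereference nil and panic in `updateConnectionParams` instead of returning an error. Rename the local, e.g. `var apiURL *url.URL` and `apiURL, err = url.Parse(spec.ApiEndpoint)`, then use `apiURL.Query()`, `apiURL.RawQuery` and `apiURL.String()` below. Wrapping the failure as `fmt.Errorf("parsing siderolink API endpoint: %w", err)` would also make it traceable; the function starts and continues outside the hunk, so the declaration of `err` is not visible here.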