diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index e322fc97d..0a1861dc9 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -10,6 +10,7 @@ web:
   listen: 0.0.0.0:9000
   listen_tls: 0.0.0.0:9443
   load_local_files: false
+  outpost_port_offset: 0
 
 redis:
   host: localhost
diff --git a/internal/config/struct.go b/internal/config/struct.go
index b28bb7df4..cea63ba39 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -31,6 +31,7 @@ type WebConfig struct {
 	ListenTLS              string `yaml:"listen_tls"`
 	LoadLocalFiles         bool   `yaml:"load_local_files" env:"AUTHENTIK_WEB_LOAD_LOCAL_FILES"`
 	DisableEmbeddedOutpost bool   `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
+	OutpostPortOffset      int    `yaml:"outpost_port_offset"`
 }
 
 type PathsConfig struct {
diff --git a/internal/outpost/proxyv2/proxyv2.go b/internal/outpost/proxyv2/proxyv2.go
index 7be705adc..7469f6c01 100644
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@@ -14,6 +14,7 @@ import (
 	"github.com/pires/go-proxyproto"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/crypto"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/application"
@@ -54,7 +55,7 @@ func NewProxyServer(ac *ak.APIController) *ProxyServer {
 	globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
 	s := &ProxyServer{
 		Listen:     "0.0.0.0:%d",
-		PortOffset: 0,
+		PortOffset: config.G.Web.OutpostPortOffset,
 
 		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
 		apps:        make(map[string]*application.Application),