ERR_TUNNEL_CONNECTION_FAILED is a proxy-specific error. The name describes exactly what happened: Chrome attempted to establish a tunnel connection through a proxy server and the tunnel failed. This error cannot appear when Chrome has no proxy configured, because the tunnel mechanism only activates when Chrome is routing connections through a proxy.
The HTTP CONNECT method is how browsers create tunnels through proxy servers. When Chrome needs to make an HTTPS connection through a proxy, it first sends an HTTP CONNECT request to the proxy asking it to open a TCP connection to the destination host on port 443. If the proxy accepts, it opens the tunnel and Chrome then performs the TLS handshake through it. ERR_TUNNEL_CONNECTION_FAILED fires when that CONNECT request fails: the proxy rejects it, the proxy is unreachable, or the proxy host cannot be resolved by DNS.
This matters because it points directly at the fix: something is wrong with a proxy that Chrome is trying to use. The first question to answer is whether you intended to be using a proxy at all.
Three Scenarios That Produce This Error
| Scenario | Observable Signal | Fix Section |
| Proxy configured but broken or absent | Error appears on all HTTPS sites simultaneously; other devices on same network work fine | Fix 1: Clear proxy settings |
| VPN left residue in proxy settings | Error started after installing or uninstalling a VPN | Fix 2: Clear VPN proxy residue |
| Malware-configured proxy | Error appeared suddenly with no software change; affects all browsers; antivirus scan finds threats | Fix 3: Remove malware and reset network |
| Corporate proxy blocking specific site | Error on one site only; other HTTPS sites work; on corporate network | Fix 4: Corporate network proxy |
| Proxy host DNS resolution failure | Error appears even after disabling proxy; system proxy config points to hostname that does not resolve | Fix 5: Flush DNS and reset network stack |
The fastest first test: open Chrome settings, go to System, click Open your computer’s proxy settings, and check whether a proxy server is configured. If Use a proxy server is turned on and you did not configure it intentionally, that is almost certainly the source of the error. Turning it off resolves the error immediately in the majority of cases.
Fix 1: Disable the Proxy Server in System Settings
Chrome reads proxy configuration from the operating system rather than maintaining its own proxy settings. Disabling the proxy in the OS proxy settings removes it for Chrome.
Windows 10 and 11
- Open Chrome settings by clicking the three-dot menu in the top right, then Settings
- Scroll to the bottom and click System, then click Open your computer’s proxy settings
- Under Manual proxy setup, turn off the Use a proxy server toggle
- Under Automatic proxy setup, turn off the Automatically detect settings toggle if it is on
- Close settings and reload the failing page
Alternatively, press Win+R, type inetcpl.cpl, press Enter, go to the Connections tab, click LAN settings, and uncheck Use a proxy server for your LAN.
macOS
- Open System Settings and click Network
- Select the active network connection (Wi-Fi or Ethernet)
- Click Details, then click Proxies
- Uncheck all proxy types that are enabled (Web Proxy, Secure Web Proxy, SOCKS Proxy)
- Click OK and reload the failing page
Fix 2: Remove Proxy Residue Left by a VPN
VPN clients frequently modify system proxy settings when they connect and sometimes fail to restore those settings when they disconnect or are uninstalled. A VPN that set a proxy address of 127.0.0.1 or localhost on a specific port leaves that setting active after the VPN process terminates, pointing Chrome at a proxy server that is no longer running. Every CONNECT request to that address fails immediately.
To address this:
- Fully disconnect the VPN client using its own interface, not just closing the window
- Open proxy settings using the steps in Fix 1 and confirm Use a proxy server is off
- If a proxy address shows localhost or 127.0.0.1 with a port number, clear the address and turn the toggle off
- If uninstalling the VPN, run the uninstaller, then check proxy settings again afterward because some uninstallers do not clean up proxy configuration
For Chrome VPN or proxy extensions specifically: open chrome://extensions, locate any extension related to VPN, proxy, or privacy, and toggle it off. Extensions that route traffic through a proxy can set Chrome-level proxy overrides that persist even after the extension appears disabled. Remove the extension entirely if toggling it off does not resolve the error.
Well-known VPN clients that commonly leave proxy residue include Cisco AnyConnect, GlobalProtect (Palo Alto), certain consumer VPN clients, and older versions of ExpressVPN and NordVPN. If the error appeared shortly after using or removing one of these, the proxy settings are the first place to check.
Fix 3: Scan for Malware That Configured the Proxy
A significant share of ERR_TUNNEL_CONNECTION_FAILED cases reported by users who had no proxy configured are caused by malware that modified the system proxy settings to redirect traffic through an attacker-controlled server. The proxy entry is often in the Windows Registry under HKEY_CURRENT_USER, Software, Microsoft, Windows, CurrentVersion, Internet Settings, where ProxyEnable is set to 1 and ProxyServer points to an external IP address or hostname.
Signs that malware is the cause: the error appears across all browsers simultaneously (not just Chrome), the proxy address in settings points to an unfamiliar external IP address rather than localhost, or the proxy settings return after being cleared.
- Run a full system scan with Windows Defender by opening Windows Security, Virus and Threat Protection, and clicking Quick scan followed by Full scan
- Run a second-opinion scan with Malwarebytes Free, which specifically detects proxy-hijacking malware that Windows Defender sometimes misses
- After removing threats, return to proxy settings and clear the proxy configuration again, because malware removal does not automatically undo registry changes
- If proxy settings reappear after being cleared, the malware is still active or left a startup process that restores them. Run the scans again before clearing settings.
A proxy address in system settings that points to an external IP you do not recognize is a serious indicator of a compromised machine. Any credentials entered in Chrome while this proxy was active may have been intercepted. Change passwords for email, banking, and any other sensitive accounts from a clean device before using the affected machine for anything important.
Fix 4: Corporate Network Proxy Blocking a Specific Site
If the error appears on one specific site while all other HTTPS sites work, and you are on a corporate network, the corporate proxy is accepting CONNECT requests generally but rejecting the CONNECT request for that particular destination. This is a deliberate access control decision by the network, not a configuration error on your device.
Corporate proxies enforce content filtering policies that block categories of sites (streaming, social media, specific business competitors, file sharing) by rejecting CONNECT requests for their hostnames. When Chrome’s CONNECT request to the destination is rejected, it reports ERR_TUNNEL_CONNECTION_FAILED rather than a more specific error code about blocked content.
There is no client-side fix when a corporate proxy is blocking a destination deliberately. Contact your IT department and request access to the specific URL, providing a business justification. IT can add an exception to the proxy policy for that destination if approved. Attempting to bypass the corporate proxy using a personal VPN or other tunneling mechanism may violate your organization’s acceptable use policy.
Fix 5: Flush DNS Cache and Reset the Network Stack
When the proxy host itself cannot be resolved by DNS, the CONNECT request fails before it even reaches the proxy server. This can happen when DNS cache holds stale records for the proxy hostname, or when the network stack has accumulated state that prevents correct name resolution.
Flush DNS and reset the network stack:
Windows
- Open Command Prompt as Administrator (search for cmd, right-click, Run as administrator)
- Type ipconfig /flushdns and press Enter
- Type netsh int ip reset and press Enter
- Type netsh winsock reset and press Enter
- Restart the computer
macOS
- Open Terminal from Applications, Utilities
- Type sudo dscacheutil -flushcache and press Enter
- Type sudo killall -HUP mDNSResponder and press Enter
- Close Terminal and reload the failing page
After flushing DNS, also clear Chrome’s internal DNS cache by visiting chrome://net-internals/#dns in the Chrome address bar and clicking Clear host cache. Chrome maintains its own DNS cache independently of the OS cache.
Additional Checks If the Error Persists
Reset Chrome flags
Non-default Chrome flags related to networking or proxy handling can occasionally contribute to this error. Navigate to chrome://flags in the Chrome address bar and click Reset all to restore all flags to their default values. Relaunch Chrome when prompted.
Check Chrome extensions
Open chrome://extensions and disable all extensions, then reload the failing page. If the error clears, re-enable extensions one at a time to identify which one is causing it. Proxy, VPN, privacy, and ad-blocking extensions are the most likely causes.
Reset Chrome settings
If all other fixes fail, resetting Chrome to its default settings removes any profile-level proxy configuration or flag that is causing the error. Open Chrome settings, click Reset settings in the left sidebar, and click Restore settings to their original defaults. This does not delete bookmarks or passwords but resets all configuration settings including extensions’ enabled state and pinned tabs.
If You Are a Site Owner: Is This Your Problem to Fix?
ERR_TUNNEL_CONNECTION_FAILED is almost never caused by server-side configuration. The error occurs in the network path between the visitor and the proxy they are using, before the connection ever reaches your server. Your server’s SSL certificate, TLS configuration, and DNS records are not involved.
If multiple visitors report this error specifically for your site while other sites work fine, the most likely explanation is that your site’s hostname or IP address is in a blocklist used by corporate proxy content filters. This is not something you can directly resolve, but you can check whether your domain has been flagged by content categorization services. Services such as Bluecoat Site Review, Symantec Web Filter, and Cisco Talos allow domain owners to submit recategorization requests if their domain was incorrectly classified.
Frequently Asked Questions
What does ERR_TUNNEL_CONNECTION_FAILED mean?
It means Chrome attempted to establish an HTTP CONNECT tunnel through a proxy server and the attempt failed. Chrome uses the CONNECT method to ask proxy servers to open a TCP connection to a destination host on its behalf, which is how HTTPS traffic passes through proxies. The error fires when the proxy rejects the CONNECT request, the proxy server is unreachable, or the proxy hostname cannot be resolved by DNS. This error is specific to proxy-routed connections and cannot appear when no proxy is configured.
Why does this error appear if I am not using a proxy?
Your system may have proxy settings configured without your knowledge. VPN clients that modify proxy settings and fail to restore them, malware that hijacks proxy configuration to redirect traffic, Chrome extensions that set proxy overrides, and enterprise network policy that pushes proxy configuration via group policy can all result in a proxy being active without you having set it manually. Open your OS proxy settings and confirm that Use a proxy server is turned off. If a proxy address appears that you did not configure, that is the source of the error.
The error appears on one site only. Is my site blocked?
Yes, if you are on a corporate network. A proxy that accepts CONNECT requests generally but rejects them for specific destinations is enforcing a content filter policy. The destination hostname or IP address is in the proxy’s blocked list. This is a network policy decision rather than a client-side error. Contact your IT department to request an exception for the specific URL.
I cleared the proxy settings but the error came back. What does that mean?
Proxy settings that restore themselves after being cleared indicate that something is actively writing those settings back. This is either a VPN application that automatically reconfigures the proxy when it runs, a Chrome extension with proxy override permissions that runs at startup, or malware that has a persistent process keeping the proxy active. Check Task Manager for unfamiliar processes, review chrome://extensions for any proxy-related extensions, and run a full malware scan with both Windows Defender and Malwarebytes.
Can flushing DNS fix this error?
Only in the specific scenario where DNS resolution for the proxy server hostname is failing due to stale cache. If the proxy configuration points to a hostname rather than an IP address and that hostname resolves to the wrong address or fails to resolve at all, flushing DNS clears the bad cache entry and allows correct resolution. For the majority of ERR_TUNNEL_CONNECTION_FAILED cases, which are caused by unwanted proxy settings rather than DNS failure, flushing DNS alone does not resolve the error.
Does this error mean my SSL certificate is wrong?
No. This error fires before the TLS handshake ever begins. The SSL certificate is presented during the TLS handshake, which only starts after a TCP connection to the destination is established. ERR_TUNNEL_CONNECTION_FAILED means the proxy failed to open the TCP connection that would allow the TLS handshake to start. The server’s SSL certificate is not involved and not the cause.
