diff --git a/pkgs/additional/bunpen/config/cli.ha b/pkgs/additional/bunpen/config/cli.ha
index 1beab17b1..d49c7b94c 100644
--- a/pkgs/additional/bunpen/config/cli.ha
+++ b/pkgs/additional/bunpen/config/cli.ha
@@ -24,6 +24,10 @@ export type cli_opts = struct {
 paths: []str,
 run_paths: []str,
 try_keep_users: bool,
+
+ net_dev: (void | str),
+ net_gateway: (void | str),
+ dns: (void | str),
 };
 
 export fn usage() void = {
@@ -60,6 +64,12 @@ export fn usage() void = {
 fmt::println(" allow access to the host , relative to HOME")!;
 fmt::println(" --bunpen-run-path ")!;
 fmt::println(" allow access to the host , relative to XDG_RUNTIME_DIR")!;
+ fmt::println("")!;
+ fmt::println("net proxy settings (typical invocation specifies either ALL or NONE of these):")!;
+ fmt::println(" --bunpen-net-dev ")!;
+ fmt::println(" --bunpen-net-gateway ")!;
+ fmt::println(" --bunpen-dns ")!;
+ fmt::println("")!;
 fmt::println("the following environment variables are also considered and propagated to children:")!;
 fmt::println(" BUNPEN_DEBUG=n")!;
 fmt::println(" equivalent to `--bunpen-debug=n`")!;
@@ -82,9 +92,6 @@ export fn usage() void = {
 // fmt::println(" show what would be `exec`uted but do not perform any action")!;
 // fmt::println(" --bunpen-method ")!;
 // fmt::println(" use a specific sandboxer")!;
- // fmt::println(" --bunpen-net-dev |all")!;
- // fmt::println(" --bunpen-net-gateway ")!;
- // fmt::println(" --bunpen-dns |host")!;
 // fmt::println(" --bunpen-keep-namespace ")!;
 // fmt::println(" do not unshare the provided linux namespace")!;
 // fmt::println(" BUNPEN_PREPEND=...")!;
@@ -92,7 +99,7 @@ export fn usage() void = {
 };
 
 export fn parse_args(args: []str) (cli_opts | errors::invalid) = {
- let parsed = cli_opts { autodetect = void, ... };
+ let parsed = cli_opts { autodetect = void, net_dev = void, net_gateway = void, dns = void, ... };
 match (os::getenv("BUNPEN_DISABLE")) {
 case let d: str =>
 parsed.disable = d;
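Review bot: The new `net_dev`, `net_gateway` and `dns` fields in `cli_opts` carry no comment saying what `void` means or what form the string must take, and the matching help lines in the usage() hunk have no description line, unlike `--bunpen-run-path` just above them. I would add a comment over the fields, e.g. `// net proxy settings; void = flag not given. normally all three are set, or none.`, and one indented help line per flag stating the expected value. The commented-out help removed in this commit listed `all` and `host` as alternative values for `--bunpen-net-dev` and `--bunpen-dns`; the new text should say whether those forms are accepted. Because these flags presumably decide how sandboxed traffic leaves the sandbox, the help should also state what happens when only some of them are given.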
@@ -146,12 +153,15 @@ fn parse_args_into(parsed: *cli_opts, args: []str) (void | errors::invalid) = {
 case "--bunpen-debug=2" => parsed.debug = 2;
 case "--bunpen-debug=3" => parsed.debug = 3;
 case "--bunpen-debug=4" => parsed.debug = 4;
+ case "--bunpen-dns" => idx += 1; parsed.dns = expect_arg("--bunpen-dns", next)?;
 case "--bunpen-drop-shell" => parsed.drop_shell = true;
 case "--bunpen-help" => parsed.help = true;
 case "--bunpen-home-path" => idx += 1; append(parsed.home_paths, expect_arg("--bunpen-home-path", next)?);
 case "--bunpen-keep-ipc" => parsed.keep_ipc = true;
 case "--bunpen-keep-net" => parsed.keep_net = true;
 case "--bunpen-keep-pid" => parsed.keep_pid = true;
+ case "--bunpen-net-dev" => idx += 1; parsed.net_dev = expect_arg("--bunpen-net-dev", next)?;
+ case "--bunpen-net-gateway" => idx += 1; parsed.net_gateway = expect_arg("--bunpen-net-gateway", next)?;
 case "--bunpen-path" => idx += 1; append(parsed.paths, expect_arg("--bunpen-path", next)?);
 case "--bunpen-run-path" => idx += 1; append(parsed.run_paths, expect_arg("--bunpen-run-path", next)?);
 case "--bunpen-try-keep-users" => parsed.try_keep_users = true;
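Review bot: The three new cases store the argument verbatim, so a malformed gateway or DNS value is only caught later, wherever the sandbox network is set up (not visible in this diff). For a sandboxer it is safer to fail closed at parse time and return `errors::invalid`; if the gateway and DNS values are meant to be IP addresses, they could be checked with the standard library's `net::ip::parse` before being stored. The usage text says all or none of the three are normally given, but nothing here checks that, so a partial configuration is accepted; if partial sets are not meaningful, a check after the loop such as `if ((parsed.net_dev is void) != (parsed.dns is void)) return errors::invalid;` (and likewise for `net_gateway`) would reject it. It is also worth deciding what a repeated flag, or a combination with `--bunpen-keep-net`, should do, since the last value currently silently wins. parse_args_into's body begins and ends outside the hunk.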