diff --git a/http3/server.go b/http3/server.go
index 16bffd54b..2dca57805 100644
--- a/http3/server.go
+++ b/http3/server.go
@@ -113,6 +113,7 @@ func (s *Server) serveImpl(tlsConf *tls.Config, conn net.PacketConn) error {
 			if err != nil || conf == nil {
 				return conf, err
 			}
+			conf = conf.Clone()
 			conf.NextProtos = []string{nextProtoH3}
 			return conf, nil
 		}
diff --git a/http3/server_test.go b/http3/server_test.go
index d02f415c5..8ede3e1d6 100644
--- a/http3/server_test.go
+++ b/http3/server_test.go
@@ -544,6 +544,31 @@ var _ = Describe("Server", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(conf.NextProtos).To(Equal([]string{"foo", "bar"}))
 		})
+
+		It("sets the ALPN for tls.Configs returned by the tls.GetConfigForClient, if it returns a static tls.Config", func() {
+			tlsClientConf := &tls.Config{NextProtos: []string{"foo", "bar"}}
+			tlsConf := &tls.Config{
+				GetConfigForClient: func(ch *tls.ClientHelloInfo) (*tls.Config, error) {
+					return tlsClientConf, nil
+				},
+			}
+
+			var receivedConf *tls.Config
+			quicListenAddr = func(addr string, conf *tls.Config, _ *quic.Config) (quic.Listener, error) {
+				receivedConf = conf
+				return nil, errors.New("listen err")
+			}
+			s.TLSConfig = tlsConf
+			Expect(s.ListenAndServe()).To(HaveOccurred())
+			// check that the config used by QUIC uses the h3 ALPN
+			conf, err := receivedConf.GetConfigForClient(&tls.ClientHelloInfo{})
+			Expect(err).ToNot(HaveOccurred())
+			Expect(conf.NextProtos).To(Equal([]string{nextProtoH3}))
+			// check that the original config was not modified
+			conf, err = tlsConf.GetConfigForClient(&tls.ClientHelloInfo{})
+			Expect(err).ToNot(HaveOccurred())
+			Expect(conf.NextProtos).To(Equal([]string{"foo", "bar"}))
+		})
 	})
 
 	It("closes gracefully", func() {