diff --git a/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java b/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
index decf1b22..a5d859d0 100644
--- a/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
+++ b/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
@@ -112,7 +112,7 @@ public class ConnectionDescriptor {
 private boolean blacklisted_host;
 public boolean is_blocked;
 private boolean port_mapping_applied;
- public boolean decryption_ignored;
+ private boolean decryption_ignored;
 public boolean netd_block_missed;
 private boolean payload_truncated;
 private boolean encrypted_l7; // application layer is encrypted (e.g. TLS)
@@ -255,10 +255,10 @@ public class ConnectionDescriptor {
 return DecryptionStatus.CLEARTEXT;
 else if(decryption_error != null)
 return DecryptionStatus.ERROR;
- else if(decryption_ignored)
- return DecryptionStatus.ENCRYPTED;
 else if(isNotDecryptable())
 return DecryptionStatus.NOT_DECRYPTABLE;
+ else if(decryption_ignored)
+ return DecryptionStatus.ENCRYPTED;
 else if(isDecrypted())
 return DecryptionStatus.DECRYPTED;
 else
diff --git a/app/src/main/jni/core/capture_vpn.c b/app/src/main/jni/core/capture_vpn.c
index e653a228..0e681eaf 100644
--- a/app/src/main/jni/core/capture_vpn.c
+++ b/app/src/main/jni/core/capture_vpn.c
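Review bot: The precedence between `isNotDecryptable()` and `decryption_ignored` in the second hunk is now load-bearing but undocumented: a connection for which both hold reported ENCRYPTED before this change and reports NOT_DECRYPTABLE after it, and this status is what the user sees about whether their traffic was decrypted. Add a one-line comment above the moved branch, e.g. `// NOT_DECRYPTABLE takes precedence over ENCRYPTED: a connection that could not have been decrypted anyway should not be shown as merely skipped`, or state the intended ordering in the method's Javadoc. The enclosing method starts above this hunk, and the field's narrowing to `private` in the first hunk presumably means the native side is now the only writer, which is worth stating on the field.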
@@ -362,24 +362,23 @@ static bool matches_decryption_whitelist(pcapdroid_t *pd, const zdtun_5tuple_t *
 /* ******************************************************* */
 
+// NOTE: this handles both user-specified SOCKS5 and TLS decryption
 static bool should_proxify(pcapdroid_t *pd, const zdtun_5tuple_t *tuple, pd_conn_t *data) {
- // NOTE: connections must be proxified as soon as the first packet arrives.
- // In case of TLS decryption, since we cannot reliably determine TLS connections with 1 packet,
- // we must proxify all the TCP connections.
- if(!pd->socks5.enabled || (tuple->ipproto != IPPROTO_TCP)) {
- data->decryption_ignored = true;
+ if(!pd->socks5.enabled)
 return false;
+
+ if (pd->tls_decryption.list) {
+ // TLS decryption
+ if(!matches_decryption_whitelist(pd, tuple, data)) {
+ data->decryption_ignored = true;
+ return false;
+ }
+
+ // Since we cannot reliably determine TLS connections with 1 packet, and connections must be
+ // proxified on the 1st packet, we proxify all the TCP connections
 }
 
- if(pd->tls_decryption.list) {
- if(matches_decryption_whitelist(pd, tuple, data))
- return true;
-
- data->decryption_ignored = true;
- return false;
- }
-
- return true;
+ return (tuple->ipproto == IPPROTO_TCP);
 }
 
 /* ******************************************************* */
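Review bot: Non-TCP connections no longer get `data->decryption_ignored = true` on the way out: the removed first `if` set it for every non-TCP flow (and whenever SOCKS5 was disabled), whereas the new code sets it only on a whitelist miss and otherwise returns `(tuple->ipproto == IPPROTO_TCP)` without touching the flag, so a whitelisted UDP connection, or any UDP connection when no whitelist is configured, now leaves `decryption_ignored` false. If the Java side is meant to classify those through `isNotDecryptable()`, which the ConnectionDescriptor hunk in this same commit moves ahead of the `decryption_ignored` check, that dependency should be stated here so the two sides are not changed independently. The trailing comment about proxifying all TCP connections sits inside the whitelist branch but describes the final `return`, which also governs the plain SOCKS5 case; suggest moving it next to the return as `// Only TCP is proxified, for both plain SOCKS5 and TLS decryption: the protocol cannot be told from the first packet, and UDP traffic (e.g. DNS, QUIC) bypasses the proxy`.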