diff --git a/Changes.rst b/Changes.rst
index 69c811d327b..58cb3db980c 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -12,8 +12,13 @@ Deprecated features
 ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8.
-NTLMv1 support has been removed because it is completely insecure.
- NTLMv2 support is still available, but will removed in a future release.
+NTLMv1 authentication support for HTTP proxies has been removed.
+ This is considered an insecure method of authentication that uses
+ obsolete crypto algorithms.
+ NTLMv2 support is still available, but will be removed in a future
+ release.
+ When configured to authenticate with NTLMv1 (``ntlm`` keyword in
+ ``--http-proxy``) OpenVPN will try NTLMv2 instead.
 Overview of changes in 2.6
diff --git a/doc/man-sections/proxy-options.rst b/doc/man-sections/proxy-options.rst
index ad49c6048a0..38c45782054 100644
--- a/doc/man-sections/proxy-options.rst
+++ b/doc/man-sections/proxy-options.rst
@@ -48,6 +48,8 @@ Note that support for NTLMv1 proxies was removed with OpenVPN 2.7.
+ :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always
+ attempt to use NTLMv2 authentication.
 --http-proxy-user-pass userpass
 Overwrite the username/password information for ``--http-proxy``. If specified
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index e0815324aa3..2e8d7a8630b 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -497,7 +497,7 @@ http_proxy_new(const struct http_proxy_options *o)
 msg(M_FATAL, "HTTP_PROXY: server not specified");
 }
- ASSERT( o->port);
+ ASSERT(o->port);
 ALLOC_OBJ_CLEAR(p, struct http_proxy_info);
 p->options = *o;
@@ -517,7 +517,8 @@ http_proxy_new(const struct http_proxy_options *o)
 #if NTLM
 else if (!strcmp(o->auth_method_string, "ntlm"))
 {
- msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, you can use NTLM v2 by selecting ntlm2 but it is deprecated as well.");
+ msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication.");
+ p->auth_method = HTTP_AUTH_NTLM2;
 }
 else if (!strcmp(o->auth_method_string, "ntlm2"))
 {
@@ -531,7 +532,9 @@ http_proxy_new(const struct http_proxy_options *o)
 }
 }
- /* only basic and NTLM/NTLMv2 authentication supported so far */
+ /* When basic or NTLMv2 authentication is requested, get credentials now.
+ * In case of "auto" negotiation credentials will be retrieved later once
+ * we know whether we need any. */
 if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, true);
@@ -644,7 +647,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 /* get user/pass if not previously given */
 if (p->auth_method == HTTP_AUTH_BASIC
- || p->auth_method == HTTP_AUTH_DIGEST)
+ || p->auth_method == HTTP_AUTH_DIGEST
+ || p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, false);
 }
@@ -748,7 +752,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 {
 processed = true;
 }
- else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */
+ else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for NTLM */
 {
 #if NTLM
 /* look for the phase 2 response */
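Review bot: The new M_WARN in the `ntlm` branch drops the deprecation notice that the replaced M_FATAL message carried, so a user who configured `ntlm` is moved onto NTLMv2 without being told that NTLMv2 is itself slated for removal, which the Changes.rst hunk of this same commit states. Because the branch now continues with the connection instead of aborting, this warning is the only place the user learns which method is actually in use; suggest `msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication, which is deprecated and will be removed in a future release.");`. If the `ntlm2` branch below already emits its own deprecation warning (its body is outside the hunk), setting `p->auth_method` and sharing that warning would avoid duplicating the text. http_proxy_new starts and ends outside the hunk.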
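Review bot: Adding HTTP_AUTH_NTLM2 to the credential fetch in establish_http_proxy_passthru (the `@@ -644` hunk) overlaps with the fetch http_proxy_new already performs for NTLM2 in the `@@ -531` hunk via `get_user_pass_http(p, true)`, and nothing in either hunk says what the `false` second argument changes here. If this second call exists for the `auto` case, where auth_method is presumably switched to NTLM2 only after the proxy replies (not visible here), a comment stating that would keep the next reader from removing one of the two calls, e.g. `/* also covers NTLMv2 chosen during "auto" negotiation; assumes get_user_pass_http() does not re-prompt when credentials are already set -- confirm */`. establish_http_proxy_passthru starts and ends outside the hunk.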