← Back
Cloudflare
Cloudflare One Client doubles proxy mode speeds with QUIC-based architecture
Cloudflare · featureperformancerelease · blog.cloudflare.com ↗

Performance Overhaul for Proxy Mode

Cloudflare has fundamentally redesigned how the Cloudflare One Client handles proxy mode, moving from a Layer 3 (WireGuard-based) architecture to direct Layer 4 proxying via QUIC. The previous approach required converting application-layer TCP traffic into IP packets using smoltcp—a user-space TCP stack optimized for embedded systems—which created a significant performance bottleneck, especially on media-heavy sites with numerous concurrent connections.

Technical Architecture Changes

The new implementation leverages HTTP/3 (RFC 9114) with the CONNECT method to keep traffic at Layer 4 where it belongs. Instead of breaking down SOCKS5 or HTTP requests into Layer 3 packets for the WireGuard tunnel, traffic is now encapsulated directly into QUIC streams. This eliminates the inefficient translation layer and enables the architecture to benefit from:

  • Native QUIC features: Modern congestion control and flow control handled by the transport layer
  • Removed constraints: No longer limited by smoltcp's TCP implementation limitations
  • Tuneability: Both the Client and Cloudflare's edge can optimize QUIC parameters for performance

Performance Impact and Use Cases

Internal testing shows download and upload speeds doubled with significantly decreased latency. This update particularly benefits three scenarios:

  • Coexistence with legacy VPNs: Users requiring both third-party VPN and zero-trust security can now layer services without performance degradation
  • High-bandwidth application partitioning: Users can stream high-definition content or handle large datasets while routing specific traffic through Cloudflare Gateway
  • Developer tools: CLI tools and scripts using SOCKS5 secondary listeners see improved remote API call speeds and data transfer performance

Getting Started

The improvements are available in client version 2025.8.779.0+ for all platforms. To enable the new architecture:

  1. Update to the latest Cloudflare One Client
  2. Navigate to Teams & Resources > Devices > Device profiles > General profiles
  3. Set Service mode to Local proxy mode and Device tunnel protocol to MASQUE

Verify your active protocol with: warp-cli settings | grep protocol

Additional configuration details are available in the Cloudflare documentation.