Cloudflare One Client implements Dynamic Path MTU Discovery to resolve silent packet drops
Cloudflare · feature, performance, api, platform · blog.cloudflare.com

Solving the "PMTUD Black Hole" Problem

The Cloudflare One Client now implements Dynamic Path MTU Discovery, a technical shift that addresses a longstanding networking frustration: silent packet drops when encryption overhead exceeds network MTU limits. This occurs when modern security protocols using FIPS 140-2 compliant encryption create packets larger than the maximum transmission unit (MTU) of legacy network infrastructure, and firewalls fail to signal this limitation back to the sender.

How It Works

Rather than passively waiting for ICMP "Destination Unreachable" messages that may never arrive, the Cloudflare One Client now performs active, end-to-end path probing using RFC 8899 Datagram Packetization Layer PMTUD. The client sends encrypted packets of varying sizes to the Cloudflare edge, quickly narrowing down the exact MTU capacity of each network segment. The client then dynamically adjusts its virtual interface MTU, with periodic validation to handle network transitions seamlessly.
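The probing loop described above can be sketched as a simulation. This is an added example, not Cloudflare's client code: the `BlackHolePath` model, the binary-search strategy, and the 1200/1500-byte bounds are assumptions chosen for illustration, while `MAX_PROBES = 3` is the RFC 8899 default.

```python
"""Simulated DPLPMTUD-style search (RFC 8899) over a path that drops oversized packets silently."""

MAX_PROBES = 3  # RFC 8899 default: unacknowledged probes before a size is treated as too large


class BlackHolePath:
    """Constructed path model: oversized datagrams vanish and no ICMP error comes back."""

    def __init__(self, path_mtu, lossy_sends=()):
        self.path_mtu = path_mtu
        self.lossy_sends = set(lossy_sends)  # send indexes lost to ordinary packet loss
        self.sent = 0

    def probe(self, size):
        """Return True if the far end acknowledged a probe of this size."""
        self.sent += 1
        if self.sent in self.lossy_sends:
            return False  # random loss looks identical to an MTU drop
        return size <= self.path_mtu


def probe_confirmed(path, size):
    """A size is rejected only after MAX_PROBES unacknowledged probes,
    so a single random loss is not mistaken for an MTU limit."""
    return any(path.probe(size) for _ in range(MAX_PROBES))


def discover_pmtu(path, base=1200, ceiling=1500):
    """Binary-search the largest acknowledged size in [base, ceiling].

    base and ceiling are assumed values for this example, not the client's settings.
    Returns None when even the base size is never acknowledged.
    """
    if not probe_confirmed(path, base):
        return None
    low, high = base, ceiling
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe_confirmed(path, mid):
            low = mid  # acknowledged: the path carries at least this size
        else:
            high = mid - 1  # silent drop: treat as above the path MTU
    return low
```

The value returned is what a client would apply to its virtual interface MTU, and rerunning the search periodically covers the network transitions the article mentions.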

Real-World Impact

This enhancement addresses critical use cases:

  • First responders: Vehicle-mounted routers and complex NAT environments that aggressively shrink available MTU now maintain sticky connections without frequent disconnects during tower handoffs
  • Hybrid workforce: Road warriors on legacy networks experience faster adaptation to bottlenecks, with video calls and file transfers no longer stalling due to silent packet drops
  • Cellular networks: LTE, 5G, satellite, and public safety networks like FirstNet with sub-1500-byte MTU limits now work seamlessly with modern encryption overhead

Getting Started

Path MTU Discovery is available immediately for all Cloudflare One Client users with the MASQUE protocol enabled, at no additional cost. Administrators can consult the detailed documentation to enable the feature on Windows, macOS, Linux, iOS, and Android devices.