Architecture Overhaul Leverages QUIC for Direct Layer 4 Proxying
Cloudflare has rebuilt the Cloudflare One Client's proxy mode from the ground up, deprecating WireGuard in favor of QUIC streams for direct Layer 4 (L4) proxying. Previously, the client converted application-layer TCP traffic into WireGuard's Layer 3 packets using smoltcp (a user-space TCP implementation optimized for embedded systems), then reconverted packets at the Cloudflare edge. This approach created a performance bottleneck, especially on media-heavy sites with dozens of concurrent connections.
The new architecture leverages HTTP/3 (RFC 9114) with the CONNECT method to keep traffic at Layer 4, where it belongs. Instead of being broken down into L3 packets, SOCKS5 and HTTP requests are now encapsulated directly into QUIC streams.
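How a SOCKS5 CONNECT request can map onto an HTTP/3 CONNECT request, as an added illustration that is not Cloudflare's client code: it parses the RFC 1928 request and returns the RFC 9114 pseudo-headers that would open the stream. The function name, validation rules and sample bytes are assumptions constructed for this example.

```python
import ipaddress

# Address types from RFC 1928, section 4.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")

# Constructed sample: SOCKS5 CONNECT to example.com port 443.
SAMPLE_REQUEST = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"


def socks5_to_h3_connect(request: bytes) -> list[tuple[str, str]]:
    """Parse a SOCKS5 request and return HTTP/3 CONNECT pseudo-headers."""
    if len(request) < 4:
        raise ValueError("truncated SOCKS5 request")
    ver, cmd, rsv, atyp = request[:4]
    if ver != 0x05 or rsv != 0x00:
        raise ValueError("not a SOCKS5 request")
    if cmd != 0x01:  # BIND and UDP ASSOCIATE are not a single TCP stream
        raise ValueError("only the CONNECT command maps to a stream")
    body = request[4:]
    if atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length")
        addr_len, body = body[0], body[1:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        addr_len = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type")
    if len(body) != addr_len + 2:  # address followed by a 2-byte port
        raise ValueError("length does not match address type")
    raw, port = body[:addr_len], int.from_bytes(body[addr_len:], "big")
    if port == 0:
        raise ValueError("port 0 is not a valid destination")
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii").lower()
        if not host or not set(host) <= HOST_CHARS:
            raise ValueError("domain contains unexpected characters")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    else:
        host = f"[{ipaddress.IPv6Address(raw)}]"  # brackets per URI syntax
    # RFC 9114 section 4.4: CONNECT carries :method and :authority only.
    return [(":method", "CONNECT"), (":authority", f"{host}:{port}")]


if __name__ == "__main__":
    for name, value in socks5_to_h3_connect(SAMPLE_REQUEST):
        print(f"{name}: {value}")
```

No IP packet is built at any point: the destination travels as a header on one QUIC stream, and the TCP payload follows as stream data.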
Performance Gains and Technical Benefits
Download and upload speeds doubled, and latency decreased significantly in internal testing. The redesign delivers three key advantages:
- Removes the smoltcp bottleneck by eliminating IP packet handling and the limitations of the older TCP implementation
- Enables native QUIC benefits, including modern congestion control and flow control at the transport layer
- Improves tuning flexibility, allowing the client and Cloudflare edge to optimize QUIC parameters for real-world conditions
Use Cases Now Unblocked
The performance improvements specifically benefit three common scenarios:
- VPN coexistence scenarios, where legacy VPNs are required for on-prem resources or redundancy: users can now layer security without sacrificing experience
- High-bandwidth application partitioning, allowing browsers to stream HD content or handle large datasets through Cloudflare Gateway while keeping OS traffic local
- Developer tools and CLI usage, where SOCKS5 listeners benefit from low-latency connections for remote API calls and data transfers
Getting Started
The improvements are available with minimum client version 2025.8.779.0 (Windows, macOS, Linux). To enable:
- Update to the latest Cloudflare One Client
- In the Cloudflare One dashboard, navigate to Teams & Resources > Devices > Device profiles > General profiles
- Set Service mode to Local proxy mode and Device tunnel protocol to MASQUE
Verify activation with: warp-cli settings | grep protocol
Cloudflare offers a free Cloudflare One account for up to 50 users to get started with the improved proxy mode experience.