Direct Layer 4 Proxying with QUIC
Cloudflare has completely re-built the proxy mode architecture in the Cloudflare One Client, moving away from WireGuard's Layer 3 approach to leverage QUIC for direct Layer 4 proxying. Previously, the client used smoltcp (a user-space TCP implementation) to convert application-layer TCP traffic into Layer 3 packets for the WireGuard tunnel, then back to Layer 4 at the edge—a process that created significant performance bottlenecks.
The new design uses HTTP/3 (RFC 9114) with the CONNECT method to keep traffic at Layer 4 throughout the entire path. When applications send SOCKS5 or HTTP requests to the client proxy, they are now encapsulated directly into QUIC streams without any Layer 3 conversion. This eliminates three categories of inefficiency:
- Removal of smoltcp overhead: No more user-space TCP implementation with its limitations on modern TCP features
- Native QUIC transport benefits: Modern congestion control and flow control are handled directly by the transport layer
- Tunability: Both the client and Cloudflare's edge can optimize QUIC parameters for performance
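The Layer 4 mapping described above, shown as an added example (not Cloudflare's client code): a SOCKS5 CONNECT request (RFC 1928) is parsed and validated, then expressed as the request fields of an HTTP/3 CONNECT (RFC 9114, section 4.4). The function names, the hostname filter and the sample request are assumptions of this example.

```python
import ipaddress
import re
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Conservative hostname filter (an assumption of this example): rejects ':',
# whitespace and control bytes before they reach the :authority field.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,255}")

# Constructed sample: SOCKS5 CONNECT to example.com, port 443.
SAMPLE_REQUEST = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"


def parse_socks5_connect(request: bytes) -> tuple[str, int]:
    """Parse an RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(request) < 4:
        raise ValueError("truncated SOCKS5 request")
    ver, cmd, rsv, atyp = request[:4]
    if ver != 0x05 or rsv != 0x00:
        raise ValueError("not a SOCKS5 request")
    if cmd != 0x01:  # BIND and UDP ASSOCIATE have no CONNECT equivalent
        raise ValueError("only the CONNECT command maps to a stream")
    body = request[4:]
    if atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length")
        addr_len, body = body[0], body[1:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        addr_len = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type")
    if len(body) != addr_len + 2:
        raise ValueError("address or port length mismatch")
    raw = body[:addr_len]
    (port,) = struct.unpack("!H", body[addr_len:])
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii")  # non-ASCII raises a ValueError subclass
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError("invalid hostname")
    else:
        host = str(ipaddress.ip_address(raw))
    return host, port


def to_h3_connect(host: str, port: int) -> list[tuple[str, str]]:
    """RFC 9114 section 4.4: CONNECT omits :scheme and :path."""
    authority = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return [(":method", "CONNECT"), (":authority", authority)]
```

The destination never becomes an IP packet in this path: the host and port from the SOCKS5 request travel as the :authority of one QUIC stream, which is why client-supplied address bytes are validated before they are placed there.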
Performance Improvements and Use Cases
Internal testing shows download and upload speeds doubled, with significant latency reduction. This update specifically unlocks three key scenarios:
VPN coexistence: Users combining legacy on-premise VPNs with Cloudflare One security no longer experience performance degradation when layering security through proxy mode.
High-bandwidth application partitioning: Users steering specific browser traffic through Cloudflare Gateway can now stream HD content and handle large datasets without slowdowns.
Developer and power user workflows: SOCKS5 secondary listeners for CLI tools and scripts benefit from low-latency connections to the Cloudflare global network.
Getting Started
The improvements are available immediately in Cloudflare One Client version 2025.8.779.0 and later (Windows, macOS, Linux). To enable:
- Log in to the Cloudflare One dashboard
- Navigate to Teams & Resources > Devices > Device profiles > General profiles
- Select or create a profile and ensure Service mode is set to Local proxy mode and Device tunnel protocol is set to MASQUE
Verify your protocol with: warp-cli settings | grep protocol
For new users, Cloudflare One offers a free tier supporting up to 50 users. Visit the documentation for detailed setup guidance.