net4people / bbs

Forum for discussing Internet censorship circumvention

masque recently added to cloudflare warp client #418

Open developer861 opened 2 weeks ago

developer861 commented 2 weeks ago

https://blog.cloudflare.com/zero-trust-warp-with-a-masque/

https://blog.cloudflare.com/unlocking-quic-proxying-potential/

https://blog.cloudflare.com/masque-building-a-new-protocol-into-cloudflare-warp/

miaomiaosoft commented 1 week ago

China quickly blocked the new protocol

wkrp commented 1 week ago

@miaomiaosoft what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

@developer861 these articles are all at least a few months old: 2024-03-06, 2022-03-20, 2023-06-22. Did something change recently with respect to Warp and MASQUE?

miaomiaosoft commented 1 week ago

@wkrp China has blocked the masque protocol. I'm not sure about the QUIC situation.

wkrp commented 1 week ago

@miaomiaosoft I must ask you to be more specific. "The MASQUE protocol" is QUIC. Can you point me to the source of your information, that leads you to say the MASQUE protocol is blocked? In order to be useful to researchers, the information must include some technical detail.

The 'Q' in MASQUE stands for QUIC: Multiplexed Application Substrate over QUIC Encryption. That is one of the main features of MASQUE, that it's not a new custom protocol, it's a tunnel over HTTP. Working group charter: "The primary goal of this working group is to develop mechanism(s) that allow configuring and concurrently running multiple proxied stream- and datagram-based flows inside an HTTP connection."

I can believe that Cloudflare Warp with MASQUE doesn't work with China. But there could be many causes of that. It doesn't necessarily mean that HTTP/3 or QUIC has been blocked. It could alternatively mean (more likely) that certain Cloudflare IP addresses or hostnames have been blocked. Or perhaps there is a distinctive feature in the way Warp uses MASQUE. Or maybe Cloudflare itself restricts access to Warp from China; I don't know, I'm not familiar with Warp.

When you say "China quickly blocked", do you know an approximate date?

#87 is a past thread about Apple iCloud Private Relay, which is also based on MASQUE.
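To make concrete what "a tunnel over HTTP" means, here is an added example (not from the thread, and not Cloudflare's WARP code) of the two pieces that RFC 9298 (connect-udp, the MASQUE UDP proxying spec) defines: the extended CONNECT request that opens a proxied UDP flow, and the HTTP Datagram payload that carries each UDP packet behind a QUIC variable-length integer Context ID. The proxy hostname, target address and payload bytes are constructed sample values; QPACK header compression and the QUIC/HTTP/3 transport itself are not shown.

```python
"""Minimal MASQUE CONNECT-UDP framing (RFC 9298), added illustration.

1. connect_udp_request(): the extended CONNECT pseudo-headers that open a
   UDP proxying stream (RFC 9298 section 3.1, default URI template).
2. encapsulate_udp()/decapsulate_udp(): the HTTP Datagram payload format,
   a QUIC varint Context ID followed by the UDP payload. Context ID 0 means
   "plain UDP payload to/from the target" (RFC 9298 section 5).
All hostnames, ports and payloads below are constructed sample values.
"""
import struct  # noqa: F401  (kept for readers extending this to QPACK/wire formats)


def encode_varint(value: int) -> bytes:
    """Encode a QUIC variable-length integer (RFC 9000 section 16)."""
    if value < 0x40:
        return value.to_bytes(1, "big")
    if value < 0x4000:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 0x40000000:
        return (value | 0x80000000).to_bytes(4, "big")
    if value < 0x4000000000000000:
        return (value | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("varint out of range")


def decode_varint(buf: bytes, offset: int = 0) -> tuple:
    """Decode a QUIC varint at `offset`; return (value, bytes_consumed)."""
    if offset >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[offset] >> 6)              # top two bits select 1/2/4/8 bytes
    if offset + length > len(buf):
        raise ValueError("truncated varint")
    value = int.from_bytes(buf[offset:offset + length], "big")
    value &= (1 << (8 * length - 2)) - 1          # strip the two length-prefix bits
    return value, length


def connect_udp_request(proxy_authority: str, target_host: str, target_port: int) -> dict:
    """Pseudo-headers for an extended CONNECT opening a connect-udp flow.

    Uses the RFC 9298 default template "/.well-known/masque/udp/{host}/{port}/".
    A real HTTP/3 client would QPACK-encode these; the dict stands in for that.
    target_host is a hostname or IPv4 literal in this sample (IPv6 literals
    need percent-encoding per the RFC and are not handled here).
    """
    if not (0 < target_port < 65536):
        raise ValueError("bad port")
    return {
        ":method": "CONNECT",
        ":protocol": "connect-udp",
        ":scheme": "https",
        ":authority": proxy_authority,
        ":path": f"/.well-known/masque/udp/{target_host}/{target_port}/",
        "capsule-protocol": "?1",
    }


def parse_connect_udp_target(headers: dict) -> tuple:
    """Proxy-side validation: reject anything but connect-udp, return (host, port)."""
    if headers.get(":method") != "CONNECT" or headers.get(":protocol") != "connect-udp":
        raise ValueError("not a CONNECT-UDP request")
    parts = headers.get(":path", "").strip("/").split("/")
    if len(parts) != 5 or parts[:3] != [".well-known", "masque", "udp"]:
        raise ValueError("unexpected path template")
    host, port = parts[3], int(parts[4])
    if not host or not (0 < port < 65536):
        raise ValueError("bad target")
    return host, port


def encapsulate_udp(payload: bytes, context_id: int = 0) -> bytes:
    """Build an HTTP Datagram payload: varint Context ID || UDP payload."""
    return encode_varint(context_id) + payload


def decapsulate_udp(datagram: bytes) -> tuple:
    """Split an HTTP Datagram payload into (context_id, udp_payload)."""
    context_id, n = decode_varint(datagram)
    return context_id, datagram[n:]


if __name__ == "__main__":
    req = connect_udp_request("proxy.example", "192.0.2.6", 443)
    print(req)
    print(parse_connect_udp_target(req))
    dgram = encapsulate_udp(b"\x12\x34sample-udp-payload")  # constructed payload
    print(dgram.hex(), decapsulate_udp(dgram))
```

The varint tests below use the worked values from RFC 9000 Appendix A.1. The point for this thread is the shape of the thing: once the CONNECT succeeds, every tunnelled UDP packet is just an HTTP/3 DATAGRAM whose payload starts with Context ID 0, indistinguishable on the wire from any other HTTP/3 traffic after the handshake.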

dragonbreath2000 commented 1 week ago

> China quickly blocked

Not from China, but they probably just blocked the SNI or speed-throttled some Cloudflare IPs. This has not happened in Iran yet as far as I know, but some providers like MCI have already throttled UDP to almost all WARP WireGuard IPs (I have not tested the MASQUE IPs).

miaomiaosoft commented 1 week ago

@wkrp Sorry, I'm not a professional and not in China, as much as I'd like to, I can't provide more detailed information.

I understand from this thread that China blocked the masque protocol over a month ago: https://www.v2ex.com/t/1074753

50 days ago, Cloudflare released an Android client that supported the masque protocol; it only survived for about three days, after which it was no longer available.

Maybe it blocked the protocol or blocked the IP, I'm not sure, only that it is no longer available in China.

developer861 commented 1 week ago

> @miaomiaosoft what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

https://github.com/XTLS/Xray-core/issues/3861#issue-2557994446

I don't know the details, but @RPRX here stated that it could be blocked by the GFW.

> @developer861 these articles are all at least a few months old: 2024-03-06, 2022-03-20, 2023-06-22. Did something change recently with respect to Warp and MASQUE?

I saw a tweet that said it's working on ISPs that are blocking the WireGuard connection in Iran.

Lanius-collaris commented 1 week ago

> what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

`warp-cli tunnel endpoint set x.x.x.x:443` can force the Cloudflare WARP client to use other endpoints. If Cloudflare's MASQUE mode is not blocked in China, users in China will be able to connect to Cloudflare WARP via UDP relay servers.

alizohaib commented 1 week ago

From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it’s not the protocol or ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather it's this TLS SNI that causes WARP to not work in China.
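An added example (not alizohaib's test setup and not Cloudflare's code) of the field alizohaib describes being matched: the server_name extension of the TLS ClientHello. In QUIC the ClientHello is carried in CRYPTO frames of the Initial packet, whose protection keys derive only from the public Destination Connection ID (RFC 9001 section 5.2), so an on-path box can decrypt that packet and read the SNI. The code builds a minimal ClientHello for a given hostname, parses the SNI back out, and applies an SNI blocklist containing that one hostname; the blocklist, the ClientHello contents and the `would_be_blocked` rule are constructed for illustration, and the Initial-packet decryption step is not shown.

```python
"""Extract the TLS SNI from a ClientHello, added illustration.

build_client_hello() produces a minimal TLS 1.3-shaped ClientHello handshake
message (the bytes a QUIC CRYPTO frame would carry, no record layer).
extract_sni() walks the message and returns the server_name, if any.
would_be_blocked() mimics an SNI-keyed DPI rule with a constructed blocklist.
"""
import struct
from typing import Optional

# Constructed blocklist for the example; the hostname is the one reported in
# the thread as the SNI used by the WARP client's MASQUE mode.
BLOCKLIST = {"consumer-masque.cloudflareclient.com"}


def build_client_hello(sni: str) -> bytes:
    """Build a minimal ClientHello handshake message (HandshakeType 1)."""
    host = sni.encode("idna")
    # server_name extension (RFC 6066 section 3):
    #   ServerNameList length | name_type=0 (host_name) | name length | name
    sn_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sn_list = struct.pack("!H", len(sn_entry)) + sn_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    # supported_versions (0x002b) advertising TLS 1.3, which QUIC requires
    sv_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    exts = sv_ext + sni_ext
    body = (
        b"\x03\x03"                               # legacy_version = TLS 1.2
        + bytes(32)                               # random (zeros: sample only)
        + b"\x00"                                 # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body


def extract_sni(msg: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None.

    Accepts the bare Handshake message (as carried in a QUIC CRYPTO frame)
    or a TLS record (content type 0x16) wrapping it, as seen over TCP.
    Every length is bounds-checked so a truncated capture returns None.
    """
    if len(msg) >= 5 and msg[0] == 0x16:
        msg = msg[5:]                             # strip the TLS record header
    if len(msg) < 4 or msg[0] != 0x01:
        return None                               # not a ClientHello
    hs_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + hs_len]
    if len(body) < hs_len:
        return None                               # truncated message
    p = 2 + 32                                    # skip legacy_version + random
    if p >= len(body):
        return None
    p += 1 + body[p]                              # legacy_session_id
    if p + 2 > len(body):
        return None
    p += 2 + int.from_bytes(body[p:p + 2], "big")  # cipher_suites
    if p >= len(body):
        return None
    p += 1 + body[p]                              # legacy_compression_methods
    if p + 2 > len(body):
        return None
    ext_len = int.from_bytes(body[p:p + 2], "big")
    p += 2
    end = p + ext_len
    if end > len(body):
        return None
    while p + 4 <= end:                           # walk the extension list
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype != 0x0000 or len(edata) < 5:
            continue
        q = 2                                     # skip ServerNameList length
        while q + 3 <= len(edata):
            name_type = edata[q]
            name_len = int.from_bytes(edata[q + 1:q + 3], "big")
            name = edata[q + 3:q + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
            q += 3 + name_len
    return None


def would_be_blocked(msg: bytes, blocklist=BLOCKLIST) -> bool:
    """Mimic an SNI-keyed DPI rule: True if the ClientHello names a listed host."""
    sni = extract_sni(msg)
    return sni is not None and sni.lower() in blocklist


if __name__ == "__main__":
    for host in ("consumer-masque.cloudflareclient.com", "example.com"):
        ch = build_client_hello(host)
        print(host, "->", extract_sni(ch), "blocked" if would_be_blocked(ch) else "allowed")
```

A practitioner reproducing alizohaib's observation would capture the client's first QUIC Initial, derive the Initial keys from its Destination Connection ID, remove header protection, decrypt, reassemble the CRYPTO frame payload, and hand those bytes to `extract_sni`. The same function works on a TCP TLS ClientHello, which is why the SNI-based rule can be applied to both without any QUIC-specific protocol block.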