
📝 Proxying QUIC traffic

Open victorstewart opened this issue 1 year ago • 4 comments

I'm guessing there's no way to proxy QUIC traffic over Cloudflare tunnels?

I can't find this documented, but I'm guessing that only HTTP over TCP traffic is accepted, because Cloudflare adds an HTTP header of the originating client's ip:port, and then uses this to reroute the response back to the client?

The only solution I could imagine to this problem is if Cloudflare repackaged the originating packet + the originating client ip:port in some known structured line format, and then cloudflared and the origin server passed this back and forth.

victorstewart, Nov 13 '22 03:11

Hey @victorstewart ! Can you tell us a bit more on what you are trying to achieve?

Your observation is largely correct in that QUIC will not work with public hostnames.

However, it should work if you use the warp to tunnel setup like so: https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/

sudarshan-reddy, Nov 13 '22 18:11

cc: @abelinkinbio

sudarshan-reddy, Nov 13 '22 18:11

Yes, so instead of directly exposing my application servers to the public internet, I wanted to use Cloudflare tunnels to benefit from both Argo routing and bad-actor traffic protection.

But my programs either speak QUIC or TCP+TLS, with a custom application protocol on top, so never HTTP (regardless of 2 or 3).

But digging through the documents last night, I imagined this can't possibly work... even if routing from clients to servers was done via IP hashing, there's no way to target packets from the server back to the client, since the source address is a Cloudflare IP.

Also, even if this was made to work, QUIC connections would break on IP migration, as Cloudflare has no ability to read the QUIC connection ID and stably route on it (unless you controlled the client code too and switched to the tunnel address after connection establishment).

Anyway, I think this will become a major issue for you all as QUIC eats the world, so something to think about.

My bare-metal provider is already interconnected with Cloudflare though, so once my traffic volumes warrant the expense, my working assumption is I can accomplish what I desire (having Cloudflare front and route my traffic) with Magic Transit.

victorstewart, Nov 13 '22 03:11

MASQUE techniques might be a long term solution here, QUIC-aware proxying (proposed work in IETF) could theoretically allow traffic forwarding with Connection IDs. We should talk some more.

LPardue, Nov 13 '22 18:11
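The two comments above (the IP-migration concern and the Connection-ID-aware proxying idea) come down to one question: what does a forwarder in front of a QUIC origin key its routing on? The example below is an added illustration written for this thread; it is not cloudflared code and not a description of how Cloudflare's edge actually works. It parses only the version-invariant header fields that RFC 8999 guarantees are visible on the wire (header form bit, version, Destination and Source Connection ID), then contrasts a forwarder keyed on the client's ip:port with one keyed on the Destination Connection ID when the client's address changes mid-connection. The `ORIGINS` pool, the `CID_LEN` of 8 bytes, the router classes, the packet builders, and all connection IDs and addresses are constructed for the demo. Two caveats are built in: short-header packets carry no CID length, so the proxy must know the origin's CID length out of band, and a packet with an unknown CID is dropped rather than guessed. What the example deliberately does not cover is CIDs the origin issues later inside encrypted NEW_CONNECTION_ID frames, which a plain forwarder cannot see; arranging for a proxy to learn those is what the IETF QUIC-aware proxying work mentioned above is about.

```python
"""QUIC header parsing and Connection-ID routing (added example, not cloudflared code)."""
import struct
from dataclasses import dataclass
from typing import Optional

ORIGINS = ["origin-a", "origin-b", "origin-c"]  # constructed origin pool (assumption)
CID_LEN = 8  # assumption: origins issue 8-byte connection IDs, agreed out of band


@dataclass
class QuicHeader:
    long_header: bool
    version: Optional[int]   # None for short-header packets
    dcid: bytes
    scid: Optional[bytes]    # only carried in long headers


def parse_quic_header(packet: bytes, short_dcid_len: int) -> QuicHeader:
    """Extract the version-invariant fields of a QUIC header (RFC 8999).

    Long headers carry both CIDs with explicit lengths; short headers carry
    only the DCID with no length byte, so the proxy must know that length.
    """
    if not packet:
        raise ValueError("empty packet")
    if packet[0] & 0x80:  # header form bit: 1 = long header
        if len(packet) < 6:
            raise ValueError("truncated long header")
        version = struct.unpack("!I", packet[1:5])[0]
        pos = 5
        dcil = packet[pos]
        dcid = packet[pos + 1:pos + 1 + dcil]
        pos += 1 + dcil
        if len(dcid) != dcil or pos >= len(packet):
            raise ValueError("truncated destination connection ID")
        scil = packet[pos]
        scid = packet[pos + 1:pos + 1 + scil]
        if len(scid) != scil:
            raise ValueError("truncated source connection ID")
        if version != 0 and max(dcil, scil) > 20:  # v1 limit; Version Negotiation exempt
            raise ValueError("connection ID longer than 20 bytes")
        return QuicHeader(True, version, dcid, scid)
    dcid = packet[1:1 + short_dcid_len]
    if len(dcid) != short_dcid_len:
        raise ValueError("truncated short header")
    return QuicHeader(False, None, dcid, None)


class FiveTupleRouter:
    """A plain UDP forwarder: pins each client ip:port to an origin."""
    def __init__(self) -> None:
        self.table: dict = {}

    def route(self, client_addr, packet: bytes) -> str:
        # A client that migrates to a new address looks like a brand-new flow,
        # so its packets may land on a different origin and the connection dies.
        if client_addr not in self.table:
            self.table[client_addr] = ORIGINS[len(self.table) % len(ORIGINS)]
        return self.table[client_addr]


class CidRouter:
    """QUIC-aware forwarder: routes on the Destination Connection ID."""
    def __init__(self) -> None:
        self.table: dict = {}

    def route(self, client_addr, packet: bytes) -> str:
        hdr = parse_quic_header(packet, CID_LEN)
        origin = self.table.get(hdr.dcid)
        if origin is None:
            if not hdr.long_header:
                # Short-header packet with an unknown CID: no state, drop it.
                raise LookupError("unknown connection ID")
            # Client Initial: the DCID is client-chosen; pick an origin and
            # remember it so retransmitted Initials follow the same path.
            origin = ORIGINS[len(self.table) % len(ORIGINS)]
            self.table[hdr.dcid] = origin
        return origin

    def learn_from_origin(self, origin: str, packet: bytes) -> None:
        # The origin's Source CID is what the client will use as DCID from
        # now on, so map it back to the origin that issued it.
        hdr = parse_quic_header(packet, CID_LEN)
        if hdr.long_header and hdr.scid:
            self.table[hdr.scid] = origin


def long_header(version: int, dcid: bytes, scid: bytes) -> bytes:
    """Build a minimal long-header packet (constructed; dummy payload)."""
    return (bytes([0xC0]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + b"\x00" * 8)


def short_header(dcid: bytes) -> bytes:
    """Build a minimal short-header (1-RTT) packet (constructed; dummy payload)."""
    return bytes([0x40]) + dcid + b"\x00" * 8


def migration_demo() -> dict:
    """Same client, same connection, new source address: which router keeps it alive?"""
    client_dcid = bytes.fromhex("0011223344556677")  # constructed
    client_scid = bytes.fromhex("0102030405060708")  # constructed
    server_cid = bytes.fromhex("a1b2c3d4e5f60708")   # constructed
    home = ("198.51.100.7", 4433)      # RFC 5737 documentation addresses
    hotspot = ("203.0.113.9", 50212)

    five, cid = FiveTupleRouter(), CidRouter()
    initial = long_header(1, client_dcid, client_scid)
    five.route(home, initial)
    chosen = cid.route(home, initial)
    # The origin's Initial reply carries its own SCID; the CID router learns it.
    cid.learn_from_origin(chosen, long_header(1, client_scid, server_cid))

    data = short_header(server_cid)
    return {
        "five_tuple": (five.route(home, data), five.route(hotspot, data)),
        "cid": (cid.route(home, data), cid.route(hotspot, data)),
    }


if __name__ == "__main__":
    print(migration_demo())
```

Running the demo shows the five-tuple router sending the migrated client's packets to a different origin (the connection is effectively dead), while the CID router keeps them on the origin that issued the CID. The round-robin origin choice is a stand-in for whatever hashing a real forwarder uses; the point is the key, not the hash.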