
masque recently added to cloudflare warp client

Open developer861 opened this issue 1 year ago • 28 comments

https://blog.cloudflare.com/zero-trust-warp-with-a-masque/

https://blog.cloudflare.com/unlocking-quic-proxying-potential/

https://blog.cloudflare.com/masque-building-a-new-protocol-into-cloudflare-warp/

developer861 avatar Nov 08 '24 03:11 developer861

China quickly blocked the new protocol

miaomiaosoft avatar Nov 09 '24 08:11 miaomiaosoft

@miaomiaosoft what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

@developer861 these articles are all at least a few months old: 2024-03-06, 2022-03-20, 2023-06-22. Did something change recently with respect to Warp and MASQUE?

wkrp avatar Nov 11 '24 18:11 wkrp

@wkrp China has blocked the masque protocol. I'm not sure about the QUIC situation.

miaomiaosoft avatar Nov 11 '24 18:11 miaomiaosoft

@miaomiaosoft I must ask you to be more specific. "The MASQUE protocol" is QUIC. Can you point me to the source of your information, that leads you to say the MASQUE protocol is blocked? In order to be useful to researchers, the information must include some technical detail.

The 'Q' in MASQUE stands for QUIC: Multiplexed Application Substrate over QUIC Encryption. That is one of the main features of MASQUE, that it's not a new custom protocol, it's a tunnel over HTTP. Working group charter: "The primary goal of this working group is to develop mechanism(s) that allow configuring and concurrently running multiple proxied stream- and datagram-based flows inside an HTTP connection."

I can believe that Cloudflare Warp with MASQUE doesn't work with China. But there could be many causes of that. It doesn't necessarily mean that HTTP/3 or QUIC has been blocked. It could alternatively mean (more likely) that certain Cloudflare IP addresses or hostnames have been blocked. Or perhaps there is a distinctive feature in the way Warp uses MASQUE. Or maybe Cloudflare itself restricts access to Warp from China; I don't know, I'm not familiar with Warp.

When you say "China quickly blocked", do you know an approximate date?

#87 is a past thread about Apple iCloud Private Relay, which is also based on MASQUE.

wkrp avatar Nov 11 '24 18:11 wkrp

> China quickly blocked

Not from China, but they probably just blocked the SNI or speed-throttled some Cloudflare IPs. This has not happened in Iran yet, as far as I know, but some providers like MCI already throttled UDP to almost all WARP WireGuard IPs (I have not tested the MASQUE IPs).

dragonbreath2000 avatar Nov 11 '24 20:11 dragonbreath2000

@wkrp Sorry, I'm not a professional and not in China; as much as I'd like to, I can't provide more detailed information.

I understand from this thread that China blocked the MASQUE protocol over a month ago: https://www.v2ex.com/t/1074753

50 days ago, Cloudflare released an Android client that supported the MASQUE protocol. It only survived for about three days, after which it was no longer available.

Maybe it blocked the protocol or blocked the IP; I'm not sure, only that it is no longer available in China.

miaomiaosoft avatar Nov 11 '24 21:11 miaomiaosoft

> @miaomiaosoft what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

https://github.com/XTLS/Xray-core/issues/3861#issue-2557994446

I don't know the details, but @RPRX here stated that it could be blocked by the GFW.

> @developer861 these articles are all at least a few months old: 2024-03-06, 2022-03-20, 2023-06-22. Did something change recently with respect to Warp and MASQUE?

I saw a tweet that said it's working on ISPs that are blocking the WireGuard connection in Iran.

developer861 avatar Nov 11 '24 22:11 developer861

> what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

`warp-cli tunnel endpoint set x.x.x.x:443` can force the Cloudflare WARP client to use other endpoints. If Cloudflare's MASQUE mode is not blocked in China, users in China will be able to connect to Cloudflare WARP via UDP relay servers.

Lanius-collaris avatar Nov 12 '24 08:11 Lanius-collaris

From what I have tested, the WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it's not the protocol or the ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather this TLS SNI that causes WARP to not work in China.

alizohaib avatar Nov 13 '24 09:11 alizohaib

> From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it's not the protocol or ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather it's this TLS SNI that causes WARP to not work in China.

Is there any way to fix this problem?

developer861 avatar Dec 12 '24 10:12 developer861

> From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it's not the protocol or ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather it's this TLS SNI that causes WARP to not work in China.
>
> is there any way to fix this problem?

In the Cloudflare Zero Trust panel, disable DNS filtering, i.e. select the "Secure Web Gateway without DNS filtering" option. This works for me.

X-49 avatar Dec 12 '24 14:12 X-49

> From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE.

I sent multiple QUIC Initial packets to Cloudflare WARP's default endpoints (162.159.198.1:443 and [2606:4700:103::1]:443) from China, with different SNIs (www.ietf.org, mozilla.cloudflare-dns.com and cloudflare.f-droid.org), but did not receive any Initial packet from the servers. If you repeat this test in another country, you will receive a self-signed certificate for masque.cloudflareclient.com. I also configured the official WARP client (I installed it in a VM because it's closed-source software) to connect to my UDP relay outside China (the port is chosen randomly); the official client successfully connected to Cloudflare WARP in MASQUE mode, and the SNI consumer-masque.cloudflareclient.com did not trigger blocking.

Lanius-collaris avatar Jan 23 '25 08:01 Lanius-collaris
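The two measurements above (alizohaib's SNI observation and Lanius-collaris's Initial-packet test) both rest on one property of QUIC v1: the keys that protect an Initial packet are derived from the public Destination Connection ID, so any on-path box can decrypt the ClientHello and read the SNI. The following added example (not code from this thread, from Cloudflare or from the WARP client) shows that property with the standard library only: it derives the Initial secrets and keys per RFC 9001 section 5.2, and it extracts the server_name from a constructed minimal TLS 1.3 ClientHello. The only hostname taken from the thread is consumer-masque.cloudflareclient.com; the DCID in the usage block is the RFC 9001 Appendix A test vector, so the derived keys can be checked against that appendix. AEAD decryption of the packet body is not included, so this is the key-derivation and parsing half of what a DPI box does, not a packet decoder.

```python
# Added example: QUIC v1 Initial key derivation (RFC 9001 s.5.2) and SNI
# extraction from a TLS 1.3 ClientHello, stdlib only. Not code from the
# thread, Cloudflare or WARP. The ClientHello below is constructed.
import hashlib
import hmac
import struct

# Salt fixed by RFC 9001 for QUIC version 1; public, hence Initial keys are public.
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # TLS 1.3 HkdfLabel (RFC 8446 s.7.1): uint16 length, "tls13 " + label, context
    full = b"tls13 " + label.encode()
    info = (struct.pack("!H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def initial_keys(dcid: bytes) -> dict:
    """Client and server Initial secrets and keys for a Destination Connection ID."""
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    keys = {"initial_secret": initial_secret}
    for side in ("client", "server"):
        s = hkdf_expand_label(initial_secret, f"{side} in", b"", 32)
        keys[side] = {
            "secret": s,
            "key": hkdf_expand_label(s, "quic key", b"", 16),  # AEAD_AES_128_GCM key
            "iv": hkdf_expand_label(s, "quic iv", b"", 12),
            "hp": hkdf_expand_label(s, "quic hp", b"", 16),    # header-protection key
        }
    return keys


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello handshake message carrying an SNI."""
    host = server_name.encode("idna")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    versions_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # TLS 1.3 only
    exts = sni_ext + versions_ext
    body = (b"\x03\x03" + bytes(32)                 # legacy_version, random (constructed)
            + b"\x00"                               # empty legacy_session_id (QUIC rule)
            + struct.pack("!H", 2) + b"\x13\x01"    # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def extract_sni(client_hello: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    try:
        if client_hello[0] != 0x01:                  # HandshakeType client_hello
            return None
        body_len = int.from_bytes(client_hello[1:4], "big")
        body = client_hello[4:4 + body_len]
        if len(body) != body_len:
            return None                              # truncated message
        pos = 2 + 32                                 # skip legacy_version and random
        pos += 1 + body[pos]                         # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # legacy_compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:                      # server_name extension
                continue
            p = 2                                    # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


if __name__ == "__main__":
    k = initial_keys(bytes.fromhex("8394c8f03e515708"))  # DCID from RFC 9001 A.1
    print("client Initial key:", k["client"]["key"].hex())
    print("SNI:", extract_sni(build_client_hello("consumer-masque.cloudflareclient.com")))
```

The point for anyone reproducing the thread's measurements: because `initial_keys` needs nothing a passive observer lacks, the SNI match described above can be done statelessly on the first packet of a connection, which is consistent with the report that only the Initial carrying that hostname is dropped while the same endpoints answer when reached through a relay.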