By transitioning the Cloudflare One Client to use QUIC streams for Proxy Mode, we eliminated the overhead of user-space TCP stacks, resulting in a 2x increase in throughput and significant latency reduction for end users.

Cloudflare's platform is a leading provider of internet security and performance solutions, offering insights into web security, content delivery, and DNS management. Through documentation, blog posts, and webinars, Cloudflare provides insights into protecting websites and applications from cyber threats and improving performance. Developers and IT professionals can learn about CDN (Content Delivery Network), DDoS mitigation, and firewall configurations to secure and accelerate web traffic.

Cloudflare

Cloudflare rebuilt the proxy mode in its Cloudflare One Client by replacing the WireGuard/smoltcp-based L3 approach with QUIC streams via HTTP/3 CONNECT (MASQUE). The old architecture required converting L4 TCP traffic into L3 packets using smoltcp, an embedded-systems TCP stack that lacked modern features, causing a performance ceiling. The new approach keeps traffic at Layer 4 by encapsulating it directly into QUIC streams, eliminating the user-space TCP stack overhead. Internal testing showed download and upload speeds doubled and latency dropped significantly. The update is available in Cloudflare One Client version 2025.8.779.0+ for Windows, macOS, and Linux, and requires setting the device tunnel protocol to MASQUE in the dashboard.

A QUICker SASE client: re-building Proxy Mode