masque recently added to cloudflare warp client #418

Open
developer861 opened this issue Nov 8, 2024 · 11 comments
Comments

@developer861

https://blog.cloudflare.com/zero-trust-warp-with-a-masque/

https://blog.cloudflare.com/unlocking-quic-proxying-potential/

https://blog.cloudflare.com/masque-building-a-new-protocol-into-cloudflare-warp/

@miaomiaosoft

China quickly blocked the new protocol

@wkrp
Member

wkrp commented Nov 11, 2024

@miaomiaosoft what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

@developer861 these articles are all at least a few months old: 2024-03-06, 2022-03-20, 2023-06-22. Did something change recently with respect to Warp and MASQUE?

@miaomiaosoft

@wkrp China has blocked the masque protocol.
I'm not sure about the QUIC situation.

@wkrp
Member

wkrp commented Nov 11, 2024

@miaomiaosoft I must ask you to be more specific. "The MASQUE protocol" is QUIC. Can you point me to the source of your information, that leads you to say the MASQUE protocol is blocked? In order to be useful to researchers, the information must include some technical detail.

The 'Q' in MASQUE stands for QUIC: Multiplexed Application Substrate over QUIC Encryption. That is one of the main features of MASQUE, that it's not a new custom protocol, it's a tunnel over HTTP. Working group charter: "The primary goal of this working group is to develop mechanism(s) that allow configuring and concurrently running multiple proxied stream- and datagram-based flows inside an HTTP connection."

I can believe that Cloudflare Warp with MASQUE doesn't work with China. But there could be many causes of that. It doesn't necessarily mean that HTTP/3 or QUIC has been blocked. It could alternatively mean (more likely) that certain Cloudflare IP addresses or hostnames have been blocked. Or perhaps there is a distinctive feature in the way Warp uses MASQUE. Or maybe Cloudflare itself restricts access to Warp from China; I don't know, I'm not familiar with Warp.

When you say "China quickly blocked", do you know an approximate date?

#87 is a past thread about Apple iCloud Private Relay, which is also based on MASQUE.

@dragonbreath2000

dragonbreath2000 commented Nov 11, 2024

> China quickly blocked

Not from China, but they probably just blocked the SNI or speed-throttled some Cloudflare IPs. This has not happened in Iran yet as far as I know, but some providers like MCI already throttled UDP to almost all WARP WireGuard IPs (I have not tested the MASQUE IPs).

@miaomiaosoft

@wkrp Sorry, I'm not a professional and not in China, as much as I'd like to, I can't provide more detailed information.

I understand from this thread that China blocked the masque protocol over a month ago: https://www.v2ex.com/t/1074753

50 days ago, Cloudflare released an Android client that supported the masque protocol, it only survived for about three days, after which it was no longer available.

Maybe it blocked the protocol or blocked the IP, I'm not sure, only that it is no longer available in China.

@developer861
Author

developer861 commented Nov 11, 2024

> @miaomiaosoft what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

XTLS/Xray-core#3861 (comment)

I don't know the details, but @RPRX here stated that it could be blocked by the GFW.

> @developer861 these articles are all at least a few months old: 2024-03-06, 2022-03-20, 2023-06-22. Did something change recently with respect to Warp and MASQUE?

I saw a tweet that said it's working on ISPs that are blocking the WireGuard connection in Iran.

@Lanius-collaris

> what do you mean by blocking the new protocol? The protocol should be HTTP/3; i.e., QUIC. HTTP/3, the protocol, is not blocked in China, as far as I know. Do you mean that the Warp endpoints (IP addresses or SNI) are blocked?

`warp-cli tunnel endpoint set x.x.x.x:443` can force the Cloudflare WARP client to use other endpoints; if Cloudflare's MASQUE mode is not blocked in China, users in China will be able to connect to Cloudflare WARP via UDP relay servers.

@alizohaib

From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it’s not the protocol or ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather it's this TLS SNI that causes WARP to not work in China.
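The comment above separates two hypotheses, blocking keyed on the TLS SNI versus blocking keyed on the ingress IP, and notes that a triggering Initial causes later packets to be dropped for a while. The following is an added example, not code from the thread or from Cloudflare, that applies that same differential reasoning to constructed connection-attempt records: an endpoint is called SNI-keyed only when another SNI to the same ip:port does get a reply, and attempts made inside an assumed 60-second residual-drop window are discounted so they do not mislabel the control SNI.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Attempt:
    ts: float             # seconds since the start of the measurement run
    dst: str              # ip:port the client sent its QUIC Initial to
    sni: str              # server_name carried in the ClientHello
    server_replied: bool  # any server->client packet seen before the timeout
# Constructed sample records (not real measurements); 198.51.100.0/24 is a
# documentation range, not a Cloudflare one.
SAMPLE = [
    Attempt(0.0, "198.51.100.10:443", "consumer-masque.cloudflareclient.com", False),
    Attempt(5.0, "198.51.100.10:443", "example.com", False),  # inside residual window
    Attempt(120.0, "198.51.100.10:443", "example.com", True),
    Attempt(130.0, "198.51.100.10:443", "consumer-masque.cloudflareclient.com", False),
    Attempt(0.0, "198.51.100.20:443", "example.com", False),  # whole endpoint dead
    Attempt(0.0, "198.51.100.30:443", "consumer-masque.cloudflareclient.com", True),
    Attempt(10.0, "198.51.100.30:443", "example.com", True),
]
RESIDUAL_WINDOW = 60.0  # assumed length of the "subsequent packets dropped" period
def classify(attempts, window=RESIDUAL_WINDOW):
    """Per endpoint: 'sni-keyed' if some SNI never gets a reply while another SNI to
    the same ip:port does; 'endpoint-blocked' if nothing does; 'clean'; 'inconclusive'."""
    by_dst = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_dst[a.dst].append(a)
    verdict = {}
    for dst, seq in by_dst.items():
        stats = defaultdict(lambda: [0, 0])  # sni -> [replies, counted tries]
        last_fail = None
        for a in seq:
            # Soon after a failure to this endpoint, the residual drop explains the
            # outcome better than the attempt's own SNI, so such attempts aren't counted.
            shadowed = last_fail is not None and a.ts - last_fail <= window
            if not shadowed:
                stats[a.sni][0] += int(a.server_replied)
                stats[a.sni][1] += 1
            if not a.server_replied:
                last_fail = a.ts
        never = sorted(s for s, (r, n) in stats.items() if r == 0)
        always = sorted(s for s, (r, n) in stats.items() if r == n)
        if never and always:
            verdict[dst] = ("sni-keyed", never)
        elif never:
            verdict[dst] = ("endpoint-blocked", never)
        elif len(always) == len(stats):
            verdict[dst] = ("clean", [])
        else:
            verdict[dst] = ("inconclusive", [])
    return verdict
```

Run on the sample, the first endpoint comes out SNI-keyed (the control SNI reaches it once outside the window), the second endpoint-blocked, and the third clean.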

@developer861
Author

> From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it’s not the protocol or ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather it's this TLS SNI that causes WARP to not work in China.

Is there any way to fix this problem?

@X-49

X-49 commented Dec 12, 2024

> From what I have tested, WARP client initiates a QUIC connection to its ingress proxy with the SNI consumer-masque.cloudflareclient.com. This specific SNI in the initial QUIC packet triggers blocking, causing subsequent packets to be dropped temporarily, which leads to disruptions for WARP connections that use MASQUE. So, it appears that it’s not the protocol or ingress IP ranges (Cloudflare Documentation) that are being throttled or blocked, but rather it's this TLS SNI that causes WARP to not work in China.

> is there any way to fix this problem?

In the Cloudflare Zero Trust panel, disable DNS filtering, i.e. select the “Secure Web Gateway without DNS filtering” option. This works for me.
