
The redesign removes the performance bottleneck that slowed zero‑trust proxy deployments, delivering faster web, video and data transfers without compromising security. Enterprises can now layer SASE with existing VPNs or high‑bandwidth workloads while preserving a smooth user experience.
The original Cloudflare One client proxy relied on a WireGuard tunnel that forced application‑layer TCP traffic through a Layer 3 conversion using smoltcp, a lightweight Rust stack designed for embedded devices. While functional, that approach introduced latency and limited throughput, especially when browsers opened dozens of concurrent connections for media‑rich sites. Users frequently reported sluggish browsing, slow file transfers, and degraded video calls, prompting security teams to question whether the proxy itself was the culprit.
By adopting QUIC and the MASQUE protocol, Cloudflare has shifted proxy traffic back to Layer 4, encapsulating data directly into QUIC streams via the HTTP/3 CONNECT method. This eliminates the need for packet‑level translation, unlocking modern congestion‑control algorithms and flow‑control mechanisms native to QUIC. Early internal testing recorded a 2× increase in both download and upload speeds and a substantial latency drop, delivering a user experience comparable to a direct connection while retaining zero‑trust protections.
The performance uplift has strategic implications for organizations deploying SASE. It enables seamless coexistence with legacy VPNs, supports high‑bandwidth application partitioning, and benefits developers who rely on SOCKS5 listeners for CLI tools. With the update available in client version 2025.8.779.0 across major operating systems, enterprises can quickly adopt the new proxy mode via the Cloudflare One dashboard, ensuring faster, more reliable secure access for remote workforces.
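To make the Layer 4 model concrete, here is an added example (not Cloudflare's code, and not from the original article) that parses the SOCKS5 CONNECT request a CLI tool sends to a local listener and derives the header fields of the HTTP/3 CONNECT request described above. The function names, the hostname allow-list and the direct SOCKS5-to-CONNECT mapping are assumptions made for illustration.

```python
import ipaddress
import re
import struct

CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
HOSTNAME = re.compile(r"[A-Za-z0-9.-]+")  # keeps ':' or '@' out of :authority


def parse_socks5_request(data: bytes) -> tuple[str, int]:
    """Parse a SOCKS5 request (RFC 1928, section 4) into (host, port)."""
    if len(data) < 4:
        raise ValueError("truncated SOCKS5 request")
    ver, cmd, rsv, atyp = data[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT (a TCP stream) is handled here")
    body = data[4:]
    if atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length")
        addr_len, body = body[0], body[1:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        addr_len = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(body) != addr_len + 2:
        raise ValueError("address/port length mismatch")
    (port,) = struct.unpack("!H", body[addr_len:])
    if port == 0:
        raise ValueError("port 0 is not a valid target")
    if atyp == ATYP_DOMAIN:
        host = body[:addr_len].decode("ascii")
        if not HOSTNAME.fullmatch(host):
            raise ValueError("invalid hostname")
    else:
        host = str(ipaddress.ip_address(body[:addr_len]))
    return host, port


def connect_headers(host: str, port: int) -> list[tuple[bytes, bytes]]:
    """HTTP/3 CONNECT fields (RFC 9114, section 4.4): no :scheme, no :path."""
    authority = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return [(b":method", b"CONNECT"), (b":authority", authority.encode("ascii"))]


# Constructed sample: CONNECT to example.com:443 as a SOCKS5 client would send it.
SAMPLE = bytes([5, 1, 0, 3, 11]) + b"example.com" + struct.pack("!H", 443)
```

The request carries only a destination host and port, so nothing in this path needs to be rebuilt into IP packets before the bytes enter a QUIC stream.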