Preface
Since the beginning of June, WARP has been almost completely blocked in China. For the large number of friends who use WARP as their main means of "learning", it has been a devastating blow. Even I, who only use WARP as a backup method, have been affected and have to consider other backup methods.
However, there is good news: the latest version of the WARP client for iOS (the official Android version is still awaited; a Beta version is currently available) has been "temporarily" revived by supporting the "MASQUE" protocol (why do I say temporarily? I'll leave that as a mystery until the end of the article). I have tested WARP on iOS, iPad, Windows, and Mac and they have all returned to normal.
This article briefly describes the principles of the "MASQUE" protocol and how to configure the WARP client on various platforms to use the new protocol.
Why can MASQUE revive WARP?
WARP based on WireGuard protocol
WARP initially (2019) chose the WireGuard protocol because it has several significant advantages:
- Simplicity and ease of use: WireGuard is designed to be very simple and has a small amount of code, which makes it easy to audit and maintain. Compared with other VPN protocols, WireGuard's implementation is more straightforward.
- High performance: WireGuard uses modern encryption algorithms that provide low latency and high speed while maintaining security. This is very important for application scenarios that require fast response, such as games and video streaming.
- Security: WireGuard uses the latest encryption technology to provide strong security and reduce the risk of security vulnerabilities.
- Cross-platform support: WireGuard is able to run on multiple platforms such as Linux, Windows, macOS, iOS, and Android, enhancing its flexibility and usability.
- Fast connection establishment: WireGuard takes a relatively short time to establish a connection, improving the user experience.
Therefore, choosing WireGuard as the basic protocol of WARP can help Cloudflare provide a faster, more secure and easier-to-use network connection experience.
However, although WireGuard is very popular among VPN solutions, it has not been formally adopted as an IETF (Internet Engineering Task Force) standard, so it is not treated as a "first-class citizen" on the Internet. This means it may not be widely accepted or recognized in some environments (WireGuard uses the non-standard port 51820 by default; Zero Trust WARP changes it to port 2408, but this is still a non-standard port), especially under certain ISP or network management policies.
For customers who manage their own firewalls, this isn't a problem: they can simply allow the traffic. However, many public Wi-Fi spots and the approximately 7,000 ISPs worldwide are unaware of WireGuard and may block these ports, and some ISPs do so intentionally (well, who?).
In addition, WireGuard itself is just a VPN protocol, and "obfuscation" was not considered at all when it was designed (that is usually something "science" or "magic" tools have to consider), so its traffic characteristics are very obvious. For an ISP, whether or not to block it depends only on whether it is willing to.
In the final analysis, WireGuard-based WARP is not suitable for situations where "obfuscation" is required, because it is too easy to target (see the current state of OpenVPN in China: it depends on whether you can tolerate regular packet drops).
New protocol “MASQUE”
MASQUE (Media Application Substrate for QUIC Encryption) is Cloudflare's new WARP protocol that uses and extends HTTP/3 and QUIC to enhance privacy and performance: it provides faster connections over the QUIC protocol while protecting user data from prying eyes.
Most relevant to WARP, QUIC provides better performance on low-latency networks or networks with high packet loss through packet coalescing and multiplexing. During the handshake, QUIC packets from different contexts can be coalesced into the same UDP datagram, reducing the number of receives and system interrupts; through multiplexing, QUIC can carry multiple HTTP sessions over the same UDP connection. WARP also benefits from QUIC's strong confidentiality, since the protocol uses TLS 1.3.
Simply put, MASQUE uses QUIC to replace the previous "WireGuard". Although it still uses the UDP protocol, it has changed from a non-standard port to a standard and encrypted port 443.
Note: Do you see the hidden danger?
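To make the "obvious traffic characteristics" point and the "hidden danger" concrete, here is an added example (my own, not code from the article or from Cloudflare) of the first-packet classification a network monitor can do: WireGuard is recognisable from its 4-byte header and fixed handshake sizes on any port, while a MASQUE tunnel on UDP 443 gets the same "QUIC v1" label as ordinary HTTP/3 browser traffic, so a port-based rule cannot separate the two. The sample packets are constructed, not captured.

```python
import struct

# WireGuard message types (from the WireGuard protocol description) and the
# fixed sizes of the three handshake-phase messages.
WG_HANDSHAKE_INIT, WG_HANDSHAKE_RESP, WG_COOKIE_REPLY, WG_DATA = 1, 2, 3, 4
WG_FIXED_SIZES = {WG_HANDSHAKE_INIT: 148, WG_HANDSHAKE_RESP: 92, WG_COOKIE_REPLY: 64}
QUIC_V1 = 0x00000001  # version field of a QUIC v1 long-header packet


def classify_udp_payload(payload: bytes) -> str:
    """Label one UDP payload as WireGuard, QUIC v1 or unknown from its header bytes."""
    if len(payload) < 5:
        return "unknown"
    msg_type = payload[0]
    # WireGuard: a 1-byte type in {1,2,3,4} followed by three reserved zero bytes.
    # (A QUIC v1 long header also has zero bytes at [1:4], so the type byte and
    # the size checks are what actually tell the two apart.)
    if payload[1:4] == b"\x00\x00\x00":
        if msg_type in WG_FIXED_SIZES and len(payload) == WG_FIXED_SIZES[msg_type]:
            return "wireguard-handshake"
        # Transport data: 16-byte header + AEAD payload padded to 16 + 16-byte tag.
        if msg_type == WG_DATA and len(payload) >= 32 and len(payload) % 16 == 0:
            return "wireguard-data"
    # QUIC long header: header-form bit (0x80) and fixed bit (0x40) set, then a
    # 4-byte version. WARP's MASQUE tunnel and an HTTP/3 browser look identical here.
    if msg_type & 0xC0 == 0xC0:
        (version,) = struct.unpack("!I", payload[1:5])
        if version == QUIC_V1:
            return "quic-v1"
    return "unknown"


def classify_flows(flows):
    """flows: iterable of (dst_port, payload). Returns {(dst_port, label): count}."""
    counts = {}
    for dst_port, payload in flows:
        key = (dst_port, classify_udp_payload(payload))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample packets (not real captures): a WireGuard handshake initiation
# as seen on WARP's port 2408, a WireGuard keepalive, and a padded QUIC v1 Initial.
WG_INIT = bytes([WG_HANDSHAKE_INIT, 0, 0, 0]) + b"\x00" * 144
WG_KEEPALIVE = bytes([WG_DATA, 0, 0, 0]) + b"\x00" * 28
QUIC_INITIAL = bytes([0xC3]) + QUIC_V1.to_bytes(4, "big") + b"\x08" + b"\x11" * 8 + b"\x00" * 1187

if __name__ == "__main__":
    sample = [(2408, WG_INIT), (2408, WG_KEEPALIVE), (443, QUIC_INITIAL)]
    for (port, label), n in classify_flows(sample).items():
        print(f"udp/{port}: {label} x{n}")
```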
Background knowledge:
The relationship between QUIC and HTTP/3 can be summarized as: HTTP/3 is the next-generation HTTP protocol built on top of the QUIC protocol.
1. QUIC is a transport layer protocol
• QUIC is a new transport layer protocol originally developed by Google to replace TCP and optimize network transmission performance. It is designed to combine the reliability of TCP with the speed of UDP, providing low latency and better connection recovery.
• It has built-in multiplexing, a fast handshake (one RTT, or 0-RTT), and encryption (via TLS 1.3), which greatly improves transmission performance.
2. HTTP/3 is based on QUIC
• HTTP/3 is the latest version of the HTTP protocol; it replaces the TCP-based HTTP/1.1 and HTTP/2 and uses QUIC as the underlying transport protocol.
• In HTTP/3, request and response data are carried over QUIC streams, using QUIC's multiplexing to avoid the "head-of-line blocking" problem of HTTP/2. QUIC's encryption and handshake mechanisms make HTTP/3 connections faster and more secure.
3. Improved performance
• By using QUIC, HTTP/3 improves data transfer performance, reduces latency, and speeds up connection establishment, especially in high-latency or unstable network environments.
How to configure MASQUE on each platform
As long as the WARP clients on the various platforms are upgraded to the latest version, they actually support both the "MASQUE" and "WireGuard" protocols. However, "WireGuard" has higher priority and is the default choice. For users in other regions this is a reasonable default, but for friends in China it is a pitfall, because the "WireGuard" method no longer works in China. The key, therefore, is how to make the WARP client connect using "MASQUE".
The Zero Trust Approach
Note: For the relevant settings of Cloudflare Zero Trust and WARP, please refer to the articles "The home data center series uses tunnel technology to allow home broadband without public IP to use cloudflare for free to quickly build a website (recommended)" and "Home Data Center Series Reasonable use of cloudflare WARP to improve the speed of accessing websites (desktop version)"; I won't repeat them here.
If WARP is connected using Zero Trust, you only need to make simple settings on Zero Trust to let all connected WARP clients use the "MASQUE" protocol by default. This is the most convenient way, without having to mess with the client:
Configure "Default" directly in "Device settings":
Then WARP clients on all platforms (need to be upgraded to the latest version) can connect normally without making any changes on the client:
Non-Zero Trust Method
For other friends who cannot use the Zero Trust method, they need to go through some trouble and set it up separately on the client of each platform.
iOS (iPhone and iPad)
This is the easiest. Just upgrade the WARP client to the latest version (6.25) and follow the steps below to set it up.
Click on the upper right corner option:
Select Advanced:
Select "Connection Options":
Select "MASQUE" for the tunnel protocol:
Then reconnect and you can see the familiar screen:
Note 1: To install WARP client on iOS or iPad or upgrade it to the latest version, you need an Apple ID from another region.
Note 2: If the WARP client is not a fresh installation, you need to delete the previous settings (delete the existing VPN policy in the WARP "Account" settings).
Note 3: If you want to use WARP+ in this way, you need to use other methods to obtain traffic (WARP has unlimited traffic, but WARP+ does not, and the Zero Trust method is directly WARP+ with unlimited traffic).
Note 4: I can connect using my home broadband, but I cannot connect using cellular data. However, if I connect using my home broadband and then use cellular data when I go out, I can continue to use it, but I cannot connect after disconnecting. I haven't investigated the specific reason, but I initially think it has something to do with DNS.
Note 5: The Android version seems to require WARP version 6.35 to support "MASQUE". Currently, the latest version of WARP in Google Play is 6.34. If you must use it now, you can join the Beta test, and there will be an additional "MASQUE" option like the iOS version.
Win10/Win11
- 1. First install (or upgrade to) the latest version of the WARP client: WARP Windows client official download address.
- 2. Create a new "mdm.xml" file, paste the following content into it, and save:
<dict>
  <key>warp_tunnel_protocol</key>
  <string>masque</string>
</dict>
- 3. Copy the "mdm.xml" file to the following path (this step is what tells the client to use MASQUE when it connects):
C:\ProgramData\Cloudflare
- 4. Completely exit the WARP client (kill the process in Task Manager), restart it, and then connect directly.
Mac
The Mac version of the WARP client is a bit more troublesome. Although the latest version (WARP Mac client official download address) does support the "MASQUE" protocol, like the Windows version it does not expose a "MASQUE" setting; and while the Windows version can be made to select "MASQUE" with the "mdm.xml" method, the Mac version cannot.
In fact, I suggest that if you must use the Mac version of WARP now, use it in Zero Trust mode, otherwise wait a little longer.
But if you have to use it now, you can only use the beta version of WARP for Mac; the download address is: Cloudflare WARP macOS Beta. After installing the Beta version, run the following command in the terminal to enable "MASQUE":
warp-cli tunnel protocol set MASQUE
Linux
WARP first needs to be successfully deployed under Linux (see the article: Deploy cloudflare warp on the home data center series cloud host to improve network access speed (Linux cli version)). After that, the method is the same as on Windows: place an mdm.xml file. You can open it directly with vim:
vim /var/lib/cloudflare-warp/mdm.xml
Paste the contents of "mdm.xml" from the Windows section above, save and exit, then restart the WARP service and connect:
systemctl restart warp-svc
warp-cli connect
If you are worried, you can also check the status:
warp-cli status
Note: If you use Zero Trust, you don't have to bother with any of this, so everyone should try to use the Zero Trust method if they can; it is a one-time solution that avoids fiddling with each client.
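The Windows and Linux steps above both come down to writing the same mdm.xml. As an added example (my own code, not the article's or Cloudflare's), the Python helper below sets warp_tunnel_protocol in the plist-style dict/key/string layout that file uses, preserves any keys already present (for instance the organization key of a Zero Trust-enrolled client), and reads the value back so you can verify the file before restarting the service. The organization value in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

ALLOWED_PROTOCOLS = {"wireguard", "masque"}
KEY = "warp_tunnel_protocol"

# Where the article says the WARP client reads mdm.xml on each platform.
MDM_PATHS = {
    "Windows": r"C:\ProgramData\Cloudflare\mdm.xml",
    "Linux": "/var/lib/cloudflare-warp/mdm.xml",
}


def _key_index(root: ET.Element, key: str) -> Optional[int]:
    """Index of <key>key</key> inside the top-level <dict>, or None if absent."""
    kids = list(root)
    for i in range(0, len(kids) - 1, 2):  # <key> and its value alternate
        if kids[i].tag == "key" and (kids[i].text or "").strip() == key:
            return i
    return None


def set_tunnel_protocol(existing_xml: Optional[str], protocol: str) -> str:
    """Return mdm.xml text with warp_tunnel_protocol set, keeping other keys."""
    proto = protocol.strip().lower()
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported {KEY}: {protocol!r}")
    root = ET.fromstring(existing_xml) if existing_xml else ET.Element("dict")
    if root.tag != "dict":
        raise ValueError("mdm.xml must have a top-level <dict>")
    i = _key_index(root, KEY)
    if i is None:
        ET.SubElement(root, "key").text = KEY
        ET.SubElement(root, "string").text = proto
    else:
        list(root)[i + 1].text = proto  # overwrite the existing <string> value
    return ET.tostring(root, encoding="unicode")


def get_tunnel_protocol(xml_text: str) -> Optional[str]:
    """Read back the configured protocol from mdm.xml (None if not set)."""
    root = ET.fromstring(xml_text)
    i = _key_index(root, KEY)
    return None if i is None else (list(root)[i + 1].text or "").strip().lower()


if __name__ == "__main__":
    # Constructed sample of a file a Zero Trust-enrolled client might already have.
    existing = "<dict><key>organization</key><string>example-org</string></dict>"
    updated = set_tunnel_protocol(existing, "MASQUE")
    print(updated)                       # organization key is preserved
    print(get_tunnel_protocol(updated))  # masque
    print("write this to", MDM_PATHS["Windows"], "or", MDM_PATHS["Linux"])
```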
Summary
Although WARP seems to be resurrected now, QUIC-based "MASQUE" has a huge hidden danger: it needs to use UDP port 443. This is stable on foreign networks, because there it is impossible to block UDP port 443, but it is not so good in China. As can be seen from the figure below, if I use WARP directly, I am assigned to the SJC (San Jose Center) data center:
That is to say, the access will go abroad, and at this time it has to pass through a certain "wall". If a certain "wall" discards or rejects all requests from China with the target port being UDP port 443, then WARP will die again, so I used the word "temporarily" in the title.
But no matter what, WARP is now resurrected, although I don’t know how long it can survive.