A QUICker SASE client: re-building Proxy Mode
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Cloudflare Rebuilds Proxy Mode for Cloudflare One Client
Cloudflare has revamped its proxy mode for the Cloudflare One Client, a key component of its SASE (Secure Access Service Edge) platform. The update addresses performance issues associated with the previous implementation, which used a Layer 3 (L3) protocol (WireGuard) to handle Layer 4 (L4) traffic. This caused inefficiencies, particularly on media-heavy sites, resulting in high latency and sluggish load times.
Technical Improvements
To overcome these limitations, Cloudflare has introduced direct L4 proxying using QUIC (Quick UDP Internet Connections), a modern transport protocol that enables efficient and secure communication. The update uses two mechanisms: MASQUE (part of QUIC) for proxying IP packets, and QUIC streams for direct L4 proxying. This architectural shift provides several technical advantages:
- Bypassing smoltcp: Eliminating the L3 translation layer removes IP packet handling and the limitations of smoltcp's TCP implementation.
- Native QUIC benefits: Cloudflare benefits from modern congestion control and flow control, handled natively by the transport layer.
- Tuneability: The Client and Cloudflare's edge can tune QUIC's parameters to optimize performance.
Practical Implications
The update has significant implications for developers and users:
- Improved performance: Download and upload speeds have doubled, and latency has decreased significantly.
- Unblocked use cases: The update specifically unblocks three common use cases:
  - Coexistence with third-party VPNs.
  - High-bandwidth application partitioning.
  - Streaming high-definition content or handling media-heavy sites.
Overall, Cloudflare's rebuild of proxy mode for the Cloudflare One Client has addressed performance issues and introduced a more efficient and secure solution for handling L4 traffic.