Cloudflare One's proxy mode now uses QUIC to keep traffic at the transport layer, removing legacy TCP conversion and delivering faster, more reliable connections for zero‑trust environments.
Architecture shift from L4‑to‑L3 to native L4 handling
The client no longer translates SOCKS5 or HTTP requests into IP packets. Instead, it streams them directly over QUIC using the CONNECT method defined in HTTP/3. This change removes the smoltcp layer and aligns traffic with the intended protocol stack.
- Eliminates smoltcp conversion step, reducing processing overhead.
- Uses QUIC streams for L4 proxying, preserving end‑to‑end flow control.
- Integrates MASQUE (a QUIC extension) for packet‑level forwarding.
- Supports cross‑platform clients without kernel modifications.
- Provides a single code path for Windows, macOS, and Linux.
Performance benefits observed in testing
Internal benchmarks show clear gains when the new mode is enabled, especially for media‑rich browsing and large file transfers.
- Download and upload speeds roughly double compared with the legacy mode.
- Latency drops by more than 40%, improving interactive applications.
- Concurrent connection handling improves, reducing browser‑side stalls.
- QUIC's congestion control adapts to variable network conditions automatically.
- Reduced MTU‑related issues thanks to active packet‑size probing.
Steps to enable the new proxy mode
Administrators can switch to the QUIC‑based proxy with a few configuration changes in the Cloudflare Teams console.
- Upgrade the client to version 2025.8.779.0 or later on all devices.
- Navigate to Teams → Resources → Devices → Device profiles.
- Select or create a profile and set Service mode to Local proxy mode.
- Choose MASQUE as the device tunnel protocol.
- Verify the active protocol with: warp-cli settings | grep protocol
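A device-side check for the version and protocol requirements in the steps above, as an added example that is not Cloudflare's code: it compares a client version string against 2025.8.779.0 field by field and confirms that the protocol line in the settings text names MASQUE. The function names and the sample settings text are assumptions constructed for illustration; on a real device the settings text would come from warp-cli settings.

```shell
# Added example, not Cloudflare's code. Sample settings text is constructed.
MIN_VERSION="2025.8.779.0"   # minimum client version given in the steps above

# version_at_least HAVE WANT: succeed when dotted-numeric HAVE >= WANT.
# Fields are compared as integers, so 2025.10.x ranks above 2025.8.x,
# which a plain string comparison gets wrong. Returns 2 on malformed input.
version_at_least() {
    have=$1; want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        h=${h:-0}; w=${w:-0}
        case "$h$w" in *[!0-9]*) return 2 ;; esac
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        # Drop the field just compared from both strings.
        case "$have" in *.*) have=${have#*.} ;; *) have= ;; esac
        case "$want" in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# protocol_is_masque: reads settings text on stdin; succeeds only when a
# line containing "protocol" names MASQUE (the page's grep, made a test).
protocol_is_masque() {
    grep -i 'protocol' | grep -qi 'masque'
}

# check_device VERSION SETTINGS_TEXT: prints a verdict, returns 0 if compliant.
check_device() {
    if ! version_at_least "$1" "$MIN_VERSION"; then
        echo "FAIL: client '$1' is older than $MIN_VERSION or malformed"
        return 1
    fi
    if ! printf '%s\n' "$2" | protocol_is_masque; then
        echo "FAIL: device tunnel protocol is not MASQUE"
        return 1
    fi
    echo "OK: client $1 with MASQUE tunnel"
}

# Constructed samples; real `warp-cli settings` output may be worded differently.
SAMPLE_OK='Mode: proxy
Tunnel protocol: MASQUE'
SAMPLE_LEGACY='Mode: proxy
Tunnel protocol: WireGuard'

check_device "2025.10.12.0" "$SAMPLE_OK"
check_device "2025.8.778.0" "$SAMPLE_OK" || true
check_device "2025.8.779.0" "$SAMPLE_LEGACY" || true
```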