MASQUE Proxy on a VPS: HTTP/3 CONNECT-UDP Tunneling
MASQUE is a way to tunnel arbitrary UDP and IP traffic inside an ordinary HTTP/3 connection on port 443. Because the proxy traffic is indistinguishable from a normal QUIC web session, a censor cannot block it without also breaking access to the modern HTTP/3 web. This guide explains how CONNECT-UDP works, why it is so resistant to blocking, which open-source servers exist, and how to stand one up on an offshore VPS.
What MASQUE and CONNECT-UDP actually are
MASQUE (Multiplexed Application Substrate over QUIC Encryption) is not a single protocol but an IETF framework for carrying tunneled traffic inside HTTP. Its key insight is that it does not invent a new wire protocol on a new port. Instead it reuses the HTTP/3 machinery that already runs on UDP port 443 for the entire modern web, and asks the server to relay your packets through it.
The mechanism rests on three published standards. RFC 9298 (Proxying UDP in HTTP) defines CONNECT-UDP: a client sends an extended CONNECT request with the pseudo-header :protocol = connect-udp and a target path such as /.well-known/masque/udp/example.com/443/, and the proxy opens a UDP socket to that destination on the client's behalf. RFC 9297 (HTTP Datagrams and the Capsule Protocol) defines how individual UDP packets ride inside the HTTP/3 connection as unreliable HTTP Datagrams, and how control messages are framed as capsules. RFC 9484 (Proxying IP in HTTP) extends the same idea to whole IP packets with CONNECT-IP, which is what a full VPN-style tunnel uses.
The flow is simple. Your client negotiates an HTTP/3 (QUIC) session with your server, signals support for HTTP Datagrams and the extended CONNECT method in the SETTINGS frame, then issues a CONNECT-UDP request naming the host and port it wants reached. From then on, every UDP datagram you send to the real destination is wrapped as an HTTP Datagram and tunneled through the one QUIC connection. To anything watching the network, it is one HTTP/3 conversation with a web server.
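As an added illustration of the framing just described (my own example code, not taken from the page or from any MASQUE project), the following Go snippet builds and parses the HTTP/3 datagram that carries one proxied UDP packet: a QUIC varint Quarter Stream ID (RFC 9297), the RFC 9298 Context ID (0 for plain UDP payloads), then the payload. The function names are assumptions of this example.

```go
package main

import "errors"

// putVarint appends v (below 2^62) as a QUIC variable-length integer (RFC 9000
// section 16), the encoding of every ID and length field in HTTP Datagrams.
func putVarint(b []byte, v uint64) []byte {
	n, i := 1, 0 // n bytes on the wire; i = log2(n) is the 2-bit length prefix
	for n < 8 && v >= 1<<(8*n-2) {
		n, i = n*2, i+1
	}
	for k := n - 1; k >= 0; k-- {
		b = append(b, byte(v>>(8*k)))
	}
	b[len(b)-n] |= byte(i) << 6 // prefix goes in the top bits of the first byte
	return b
}

// getVarint decodes one varint, returning the value and the remaining bytes.
func getVarint(b []byte) (uint64, []byte, bool) {
	if len(b) == 0 || len(b) < 1<<(b[0]>>6) {
		return 0, nil, false // empty or truncated
	}
	n, v := 1<<(b[0]>>6), uint64(b[0]&0x3f)
	for _, c := range b[1:n] {
		v = v<<8 | uint64(c)
	}
	return v, b[n:], true
}

// encodeUDPDatagram frames one UDP payload the way it rides a QUIC DATAGRAM
// frame on HTTP/3: Quarter Stream ID (RFC 9297) || Context ID 0 (RFC 9298) || payload.
func encodeUDPDatagram(streamID uint64, payload []byte) ([]byte, error) {
	if streamID >= 1<<62 || streamID%4 != 0 { // CONNECT-UDP uses a client bidi stream
		return nil, errors.New("invalid CONNECT-UDP request stream ID")
	}
	b := putVarint(nil, streamID/4) // quarter stream ID, then context ID 0 (raw UDP)
	return append(putVarint(b, 0), payload...), nil
}

// decodeUDPDatagram reverses encodeUDPDatagram; unregistered context IDs are dropped (RFC 9298).
func decodeUDPDatagram(b []byte) (uint64, []byte, error) {
	qsid, rest, ok1 := getVarint(b)
	ctx, rest, ok2 := getVarint(rest)
	if !ok1 || !ok2 || ctx != 0 {
		return 0, nil, errors.New("malformed datagram or unknown context ID")
	}
	return qsid * 4, rest, nil
}
```

A real client would hand the encoded bytes to its QUIC stack's DATAGRAM send call; the parsing side is what a proxy runs on every received datagram before it touches a UDP socket.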
Why it is so hard to block without breaking the web
Most circumvention transports lose a cat-and-mouse game because they eventually present some static artifact a censor can match: a distinctive handshake, a fixed port, an unusual certificate, or a traffic shape that statistical classifiers learn. MASQUE's advantage is that it has none of those that are unique to it. The tunnel is carried as genuine HTTP/3, the same protocol that Google, Cloudflare, YouTube, and a growing share of all web traffic now use by default.
- It is real HTTP/3, not a mimic. Unlike approaches that imitate TLS, a MASQUE proxy is an HTTP/3 server. The QUIC handshake, the TLS 1.3 inside it, the ALPN value h3, and the packet cadence are all authentic because nothing is being faked.
- Everything is encrypted, including the request. The CONNECT-UDP request, the target host, and the tunneled payload all live inside QUIC's encryption. A passive observer sees encrypted QUIC to your server's IP on UDP 443 and cannot read the destination or tell proxying from page loads.
- Blocking the pattern blocks the web. A censor that drops QUIC on UDP 443, or that blocks the extended CONNECT method, degrades or breaks HTTP/3 for ordinary users on that network. Several production services, including iCloud Private Relay and Cloudflare WARP, already run MASQUE-style proxying at scale, so the traffic class is mainstream rather than exotic.
- It survives a forced TCP fallback. Where QUIC is blocked outright, MASQUE can also run over HTTP/2 on TCP 443, so a network that only permits TCP still carries the tunnel as normal-looking HTTPS.
The remaining attack surface is your endpoint, not the protocol: a censor can still blocklist a specific server IP once it identifies it. That is exactly why the value of MASQUE is unlocked by running it on your own clean, unflagged IP rather than a shared commercial endpoint that thousands of other users connect to. A fresh offshore VPS IP gives you an address no blocklist has seen.
Open-source MASQUE servers you can self-host
MASQUE is still earlier in its tooling cycle than VLESS or WireGuard, and browsers and cURL do not yet expose it directly, but several maintained open-source implementations let you run a working proxy today:
- masque-go (quic-go/masque-go) is a Go library implementing the RFC 9298 CONNECT-UDP proxy on top of the well-maintained quic-go QUIC stack. It is the most straightforward base for a small custom proxy and is widely used as a reference.
- masquerade (jromwu/masquerade) is a Rust server built on Cloudflare's quiche QUIC library. It implements CONNECT-UDP with HTTP Datagrams and conveniently exposes a local HTTP/1.1 or SOCKS5 listener on the client side, so existing apps can use the tunnel without native MASQUE support.
- usque (Diniboy1123/usque) is a Go reimplementation of the Cloudflare WARP client's MASQUE protocol, useful if you want to interoperate with that style of deployment.
For most self-hosters the practical pattern is: run the MASQUE server on your VPS bound to UDP 443, and run a client locally that presents a SOCKS5 or local HTTP proxy your browser and other apps point at. The client tunnels everything to your VPS as HTTP/3, and the VPS forwards it out to the real internet. Because the building blocks are libraries rather than turnkey apps, expect to compile a binary and write a short config rather than paste a one-line installer. That maturity gap is the main trade-off versus more established transports today.
Standing up a MASQUE proxy on an offshore VPS
A personal MASQUE endpoint is light: 1 vCPU and 512 MB to 1 GB of RAM is plenty, since QUIC is efficient and a single user generates little CPU load. An AnubizHost Romania VPS from $19.99/mo is a comfortable fit. After provisioning, SSH in and prepare the host:
apt update && apt upgrade -y
apt install -y git curl build-essential
# install the Go or Rust toolchain depending on the server you choose

The most important step is the listener and its TLS identity. MASQUE servers terminate a real HTTP/3 (QUIC) connection, so the server needs a TLS certificate. The cleanest approach is to point a subdomain at your VPS and issue a free certificate, so the endpoint looks like an ordinary HTTPS host:
# open UDP/TCP 443 only; keep SSH on a non-standard port
ufw allow 443/udp
ufw allow 443/tcp
# obtain a certificate for the hostname your client will connect to
certbot certonly --standalone -d masque.example.com

Then build your chosen server (for example go install a masque-go-based binary, or cargo build --release masquerade), and run it bound to 0.0.0.0:443 with the certificate and key, configured to accept the CONNECT-UDP method. On the client side, start the matching client pointed at https://masque.example.com/; with masquerade you then point your browser's SOCKS5 proxy at the local listener it exposes. Verify the tunnel by checking that your egress IP is the VPS, for example with curl --socks5 127.0.0.1:1080 https://ifconfig.co.
Hardening rules are the same discipline that protects any stealth endpoint: serve only the MASQUE listener on 443 so a scan of your IP finds a plain HTTP/3 host and nothing anomalous; keep SSH key-only on a non-standard, firewalled port; run a default-deny inbound firewall and fail2ban; and treat the server IP as disposable, ready to rotate if it is ever blocklisted. For multiple users or higher throughput an offshore dedicated server gives you the headroom and a dedicated IP, while a single offshore VPS is the right size for one person or a household.