Download Latest Version server-mas-cdn-linux.zip (29.7 MB)
Email in envelope

Get an email when there's a new version of UDP MASQUE Warp+/WebSocket CDN

Home
Name Modified Size InfoDownloads / Week
masque websocket client 2026-07-08
masque websocket vps server 2026-07-07
Illustrative device-share comparison.png 2026-07-07 94.4 kB
quic_masque_websocket_cdn_architecture.png 2026-07-07 267.1 kB
README.md 2026-07-07 8.2 kB
Totals: 5 Items   369.7 kB 1

Warp-over-WebSocket-CDN (QUIC MASQUE variant)

Bypass ISP throttling and DPI by tunneling Cloudflare Warp traffic over WebSocket with Host Header spoofing through major CDN networks (CloudFront / Cloudflare / Akamai) — using QUIC MASQUE (CONNECT-UDP) as the inner VPN transport.

Platform Protocol Tunnel License


What It Does

Many ISPs throttle or block VPN traffic using Deep Packet Inspection (DPI). Warp-over-WebSocket-CDN wraps QUIC MASQUE (RFC 9298 CONNECT-UDP) traffic inside a WebSocket connection with a spoofed Host header, routing traffic through major CDN edge networks (CloudFront, Cloudflare, or Akamai). To any firewall or DPI system, the traffic looks like a legitimate WebSocket upgrade to a CDN-hosted domain.

Result: Full Cloudflare Warp speed and privacy, even on heavily restricted networks — including campus, corporate, and ISP-level DPI systems.


Why WebSocket + CDN over plain SNI Tunneling?

Technique How DPI sees it Weakness
Raw QUIC MASQUE UDP/QUIC to known IP:443 Fingerprintable QUIC handshake; UDP often deprioritized/blocked
TLS/SNI tunnel TLS to spoofed SNI domain IP-based blocking still possible; no CDN relay
WebSocket + CDN (this project) WebSocket upgrade to trusted CDN domain CDN IP ranges are whitelisted by most ISPs

The CDN relay is the key upgrade: your traffic exits through Cloudflare, AWS CloudFront, or Akamai edge nodes — IP ranges that ISPs almost never block because doing so would break huge portions of the internet.


Architecture Overview

[Android App]
    └─► QUIC MASQUE (Warp+ config)
          └─► Tunnel client (WebSocket encapsulation)
                └─► Host: <CDN-hosted domain> (spoofed Host header)
                      └─► CDN Edge Node (CloudFront / Cloudflare / Akamai)
                            └─► [Your VPS — tunnel server]
                                  └─► Cloudflare Warp endpoint 162.159.192.1:443 (MASQUE)

The Host header names a real domain served by the CDN. The CDN routes the connection to your origin VPS. ISP DPI sees only a standard WebSocket handshake to a CDN IP — indistinguishable from normal app traffic.


Features

Feature Description
Anti-DPI QUIC MASQUE traffic hidden inside WebSocket frames
CDN Relay Traffic exits via CloudFront / Cloudflare / Akamai IP ranges (rarely blocked)
Host Header Spoofing Appears as a WebSocket upgrade to a trusted CDN domain
HTTP/HTTPS support Works on port 80 (ws://) and port 443 (wss://)
Domain Fronting CDN routes by Host header — survives SNI-based filtering
Double Encryption WebSocket TLS layer on top of QUIC's native TLS 1.3 encryption
No Root Required Runs entirely in Android user-space
Cloudflare Speed Preserves Warp/1.1.1.1 performance and DNS privacy
Connection Migration QUIC connection IDs survive Wi-Fi ↔ mobile handoffs without renegotiation

Requirements

  • Android: 7.0 or higher
  • VPS: Ubuntu 20.04+, public IP, port 80 and/or 443 open
  • CDN: Domain registered and proxied through CloudFront, Cloudflare, or Akamai
  • Apps:
  • MASQUE-capable client for Android (Play Store / F-Droid)
  • Tunnel client APK from Releases

Quick Start

1. CDN Setup

Point a domain (or subdomain) at your VPS IP using CloudFront, Cloudflare proxy, or Akamai. Make sure the CDN passes WebSocket upgrades to your origin.

Cloudflare example:

  • DNS A record: tunnel.yourdomain.com → your VPS IP, Proxied (orange cloud)
  • SSL/TLS mode: Full
  • WebSockets: Enabled (Network tab)

2. Server Setup

chmod +x setup-server.sh && ./setup-server.sh

Configures the WebSocket tunnel server on port 80 (and optionally 443), forwarding decapsulated QUIC MASQUE datagrams to 162.159.192.1:443.

3. Android Setup

  1. Install a MASQUE-capable client
  2. Install tunnel-client.apk from the Releases page
  3. Import warp.conf into the client
  4. Configure the tunnel client (see tunnel.conf template in configs/)
  5. Start tunnel client first, then enable the VPN profile

4. Verify

Visit 1.1.1.1/help — you should see an active Cloudflare Warp connection.


Host Header Presets

These are real CDN-hosted domains. The Host header tells the CDN which origin to route to; your own domain sits behind the same CDN so routing works correctly.

Host Header Domain CDN Use Case
support.appsflyer.com Cloudflare Default — general use
d1qq0afxwtfi6m.cloudfront.net AWS CloudFront Campus / corporate networks
ms.mw.cloud.front.net Azure CDN Microsoft-whitelisted environments
a104-98-96-10.deploy.static.akamaitechnologies.com Akamai Enterprise ISPs
zoom.us Cloudflare Video-call whitelisted networks

Custom host headers can be set in the tunnel client config file. The domain must resolve to the same CDN you are routing through.


Traffic Flow (Packet-Level)

Android app → local MASQUE proxy 127.0.0.1:51820
    ↓
Tunnel client encapsulates CONNECT-UDP datagrams in WebSocket frame
    ↓
TCP to CDN IP:80 (or :443)
Host: support.appsflyer.com        ← ISP/DPI sees this
Upgrade: websocket
    ↓
CDN edge node routes to your VPS (by Host header)
    ↓
Tunnel server strips WebSocket framing
    ↓
UDP → 162.159.192.1:443            ← Cloudflare Warp endpoint (MASQUE)

ISP DPI sees: TCP → [CDN IP]:80, Host: support.appsflyer.com, Upgrade: websocket
Actual payload: Encrypted QUIC MASQUE datagrams inside WebSocket binary frames.


Troubleshooting

Issue Fix
WebSocket connection refused Check CDN WebSocket passthrough is enabled; try port 443
301 redirect loop CDN SSL mode set to "Flexible" — change to "Full"
Frequent drops Switch Host to a more stable CDN domain (e.g. CloudFront subdomain)
High latency Choose a CDN with an edge node close to your location; move VPS closer
Tunnel client won't start Disable other VPN profiles first; re-grant VPN permissions
ISP still blocking Try port 443 (wss://); rotate Host header to a different CDN domain
101 Switching Protocols but no traffic Verify tunnel server UDP forward reaches 162.159.192.1:443

Project Structure

warp-over-ws-cdn-quic-masque/
├── README.md
├── ARCHITECTURE.md             ← Detailed architecture & data flow
├── setup-server.sh             ← VPS setup script
├── configs/
│   ├── warp.conf               ← MASQUE config template
│   └── tunnel.conf             ← Tunnel client config template
└── releases/
    └── tunnel-client.apk       ← Bundled Android tunnel client

Differences from SNI Tunnel Version

SNI Tunnel WebSocket + CDN (this project)
Transport TLS with spoofed SNI WebSocket with spoofed Host header
Relay Direct to VPS Via CDN edge (CloudFront/Cloudflare/Akamai)
IP blocking resistance Moderate High (CDN IPs are globally whitelisted)
Port 443 80 or 443
ISP fingerprinting TLS ClientHello SNI HTTP Upgrade headers
Setup complexity Low Medium (CDN setup required)

License

Server-side components: MIT License
Tunnel client APK: Proprietary — personal, non-commercial use only


Use only where permitted by local laws and your ISP's terms of service.
Source: README.md, updated 2026-07-07