UDP Tunneling over HTTP/3 QUIC
Encapsulate any UDP protocol inside standard QUIC traffic.
To network observers, it looks like normal web browsing. DPI cannot distinguish your tunnel from YouTube.
Deep Packet Inspection (DPI) is how networks detect and block VPNs, proxies, and tunnels. MASQUE Ball defeats DPI by using the same protocol as regular web traffic.
OpenVPN, WireGuard, SOCKS5 — all have distinct protocol signatures. DPI identifies them in the first few packets.
Protocol: OpenVPN → BLOCKED
Protocol: WireGuard → BLOCKED
Your UDP tunnel is inside a standard QUIC connection — the same protocol used by Google, YouTube, Cloudflare.
Protocol: QUIC → ALLOWED (normal web)
DPI sees: TLS 1.3 + QUIC = web traffic
Standards-compliant MASQUE protocol. Not a proprietary hack — an IETF-approved tunneling method.
Built on quic-go. Full HTTP/3 server with QUIC datagrams enabled. Indistinguishable from any QUIC web server.
DNS, QUIC, WireGuard, game traffic, VoIP — any UDP protocol can be tunneled through the MASQUE proxy.
Private IP ranges blocked (10.0.0.0/8, 192.168.0.0/16, etc.). No tunneling to internal networks.
Semaphore-limited to 100 simultaneous UDP tunnels. Idle connections auto-close after inactivity.
No traffic content logged. Only connection metadata (client IP, target host:port) for rate limiting.
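The private-range block listed above can be enforced at the point where the proxy parses the target out of the `/.well-known/masque/udp/{target_host}/{target_port}/` path. The following is an added example, not MASQUE Ball's own code: `ParseTarget`, `masquePrefix` and the extra 100.64.0.0/10 (CGNAT) block are assumptions, and it accepts IP literals only.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

const masquePrefix = "/.well-known/masque/udp/"

// Assumption: carrier-grade NAT space counts as internal too (part of the page's "etc.").
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// ParseTarget validates {target_host}/{target_port} from an already URL-decoded path.
// IP literals only: a hostname must be resolved, checked, and that same address dialled.
func ParseTarget(path string) (netip.AddrPort, error) {
	var none netip.AddrPort
	rest, ok := strings.CutPrefix(path, masquePrefix)
	if !ok {
		return none, errors.New("not a masque/udp path")
	}
	parts := strings.Split(strings.TrimSuffix(rest, "/"), "/")
	if len(parts) != 2 {
		return none, errors.New("want {target_host}/{target_port}/")
	}
	addr, err := netip.ParseAddr(parts[0])
	if err != nil {
		return none, fmt.Errorf("target_host must be an IP literal: %w", err)
	}
	port, err := strconv.ParseUint(parts[1], 10, 16)
	if err != nil || port == 0 {
		return none, errors.New("target_port must be 1-65535")
	}
	addr = addr.Unmap() // ::ffff:10.0.0.1 is 10.0.0.1, not a public IPv6 address
	// IsGlobalUnicast rejects loopback, link-local, multicast, unspecified and broadcast.
	if !addr.IsGlobalUnicast() || addr.IsPrivate() || cgnat.Contains(addr) {
		return none, fmt.Errorf("target %s is not a public address", addr)
	}
	return netip.AddrPortFrom(addr, uint16(port)), nil
}

func main() { // constructed sample targets
	for _, t := range []string{"1.1.1.1/53/", "192.168.1.1/53/", "::ffff:10.0.0.5/53/"} {
		ap, err := ParseTarget(masquePrefix + t)
		fmt.Println(t, "->", ap, err)
	}
}
```

The link-local rejection also covers 169.254.169.254, the metadata address used by several cloud providers.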
Tunnel UDP traffic through HTTP/3 QUIC.
```shell
# Endpoint pattern:
# https://synthetic-context.net:8444/.well-known/masque/udp/{target_host}/{target_port}/

# Example: DNS query through the tunnel
# Target: 1.1.1.1 port 53
# Transport: HTTP/3 QUIC (requires a QUIC-capable client)

# Using a MASQUE-aware client:
masque-client connect synthetic-context.net:8444 --target 1.1.1.1:53

# Health check (TCP, standard curl):
curl -s "https://synthetic-context.net/v1/masque/health"
# {"status":"ok","service":"masque-ball","version":"2.0","transport":"h3-quic"}

# Stats:
curl -s "https://synthetic-context.net/v1/masque/stats"
# {"total":42,"active":3,"bytes":1048576,"rejected":0,"transport":"h3-quic"}
```
MASQUE Ball requires an HTTP/3-capable client. Standard curl uses TCP and cannot connect to the QUIC endpoint.
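```go
// Go client example (using quic-go):
package main

import (
	"bytes"
	"crypto/tls"
	"log"
	"net/http"

	"github.com/quic-go/quic-go/http3"
)

func main() {
	var dnsQuery []byte // fill with a wire-format DNS query
	rt := &http3.Transport{TLSClientConfig: &tls.Config{}}
	client := &http.Client{Transport: rt}
	resp, err := client.Post("https://synthetic-context.net:8444/.well-known/masque/udp/1.1.1.1/53/",
		"application/octet-stream", bytes.NewReader(dnsQuery))
	if err != nil {
		log.Fatal(err) // resp is nil on error, so do not discard err
	}
	defer resp.Body.Close() // Read UDP response from resp.Body
}
```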
| Feature | MASQUE Ball | WireGuard | OpenVPN | Shadowsocks |
|---|---|---|---|---|
| DPI resistance | QUIC (web traffic) | Detectable | Detectable | Partial |
| Standards-based | RFC 9298 | RFC (draft) | Proprietary | Proprietary |
| UDP tunneling | Native | Native | Over TCP | SOCKS5 proxy |
| No client install | HTTP/3 client | Kernel module | Client app | Client app |
| Port 443 compatible | QUIC on 443 | 51820 | 443 TCP | Any port |
| Looks like | Normal web traffic | VPN | VPN/SSL | Random bytes |