### Linux Connect Script Example Source: https://github.com/diniboy1123/usque/blob/main/README.md An example shell script for the `--on-connect` hook on Linux. It replaces default routes and sets up DNS. The script uses `USQUE_IFACE` environment variable. ```shell #!/bin/sh set -e ip route replace 162.159.198.1/32 via 192.168.1.1 dev eth0 ip route del default || true ip route replace default dev "$USQUE_IFACE" ip -6 route replace default dev "$USQUE_IFACE" echo "nameserver 1.1.1.1" > /etc/resolv.conf ``` -------------------------------- ### HTTP Response Example Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md This is an example of an HTTP response received after a successful connection and request, indicating a 200 OK status and a 'Cf-Team' header. ```go &{200 OK 200 HTTP/3.0 3 0 map[Cf-Team:[2...redacted...1]] 0xc000114450 0 [] false false map[] } ``` -------------------------------- ### Windows Connect Script Example Source: https://github.com/diniboy1123/usque/blob/main/README.md An example batch script for the `--on-connect` hook on Windows. It modifies IPv4 and IPv6 routes using `netsh`. Environment variables are accessed using `%VAR_NAME%`. ```bat @rem C:\usque\up.bat @echo off netsh interface ipv4 delete route 0.0.0.0/0 "%USQUE_IFACE%" >nul 2>&1 netsh interface ipv4 add route 0.0.0.0/0 "%USQUE_IFACE%" 0.0.0.0 netsh interface ipv6 delete route ::/0 "%USQUE_IFACE%" >nul 2>&1 netsh interface ipv6 add route ::/0 "%USQUE_IFACE%" :: ``` -------------------------------- ### Start HTTP Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Launches a HTTP proxy on 0.0.0.0:8000 with no authentication. Supports TCP traffic via HTTP CONNECT method. ```shell ./usque http-proxy ``` -------------------------------- ### Start Authenticated HTTP Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Launches a HTTP proxy on a specific address and port with username and password authentication. ```shell ./usque http-proxy -b 127.0.0.1 -p 8080 -u myuser -w mypass ``` -------------------------------- ### Build Usque from Source Source: https://github.com/diniboy1123/usque/blob/main/README.md Build the Usque project using Go. Ensure Go is installed and you are in the project's root directory. This command produces an 'usque' binary. ```shell CGO_ENABLED=0 go build -ldflags="-s -w" . ``` -------------------------------- ### Start SOCKS5 Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Launches a SOCKS5 proxy on 0.0.0.0:1080 with no authentication. Supports IPv4, IPv6, TCP, and UDP. ```shell ./usque socks ``` -------------------------------- ### Example Tunnel Endpoint Configuration Source: https://github.com/diniboy1123/usque/blob/main/README.md This JSON snippet shows an example of a tunnel endpoint configuration, specifically the IPv4 address. This is used for setting up manual routes. ```json "endpoint_v4": "162.159.198.1" ``` -------------------------------- ### Start Authenticated SOCKS5 Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Launches a SOCKS5 proxy on a specific address and port with username and password authentication. ```shell ./usque socks -b 127.0.0.1 -p 8080 -u myuser -w mypass ``` -------------------------------- ### Start L4 HTTP Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Launches a lightweight L4 HTTP proxy using direct HTTP/3 CONNECT streams. This mode is TCP-only. ```shell ./usque l4-http-proxy ``` -------------------------------- ### Start L4 SOCKS Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Launches a lightweight L4 SOCKS proxy with SOCKS5 compatibility. This mode is TCP-only. ```shell ./usque l4-socks ``` -------------------------------- ### Windows Connect/Disconnect Hooks Example Source: https://github.com/diniboy1123/usque/blob/main/README.md This snippet demonstrates configuring Usque on Windows to use batch scripts for connect and disconnect events. Run Usque from an elevated Command Prompt for necessary privileges. ```cmd > usque.exe nativetun ^ --on-connect C:\usque\up.bat ^ --on-disconnect C:\usque\down.bat ``` -------------------------------- ### Run Usque L4 SOCKS5 Proxy Source: https://github.com/diniboy1123/usque/wiki/L4-proxy-mode Starts a SOCKS5-compatible proxy server on port 1080. This mode requires UDP and is limited to HTTP/3 (QUIC). ```console $ usque l4-socks 2026/06/16 20:56:16 CEST L4 SOCKS proxy listening on 0.0.0.0:1080 ``` -------------------------------- ### Linux Connect/Disconnect Hooks Example Source: https://github.com/diniboy1123/usque/blob/main/README.md This snippet shows how to configure Usque on Linux to execute custom scripts for connect and disconnect events. Ensure the scripts are executable and located at the specified paths. ```shell $ sudo ./usque nativetun \ --on-connect /etc/usque/up.sh \ --on-disconnect /etc/usque/down.sh ``` -------------------------------- ### SOCKS5 Mode Source: https://github.com/diniboy1123/usque/wiki/L4-proxy-mode Starts a SOCKS5-compatible proxy server using the L4 proxy mode. This mode requires UDP and is suitable for scenarios where HTTP/3 is supported. ```APIDOC ## SOCKS5 Mode Starts a SOCKS5-compatible proxy server. ### Usage ```console usque l4-socks ``` ### Output Example ``` 2026/06/16 20:56:16 CEST L4 SOCKS proxy listening on 0.0.0.0:1080 ``` ### Limitations - Requires UDP (HTTP/3). - UDP ASSOCIATE is not supported by the backend, so UDP targets will fail. - Custom SNI is not supported. ``` -------------------------------- ### Example Usque Configuration Source: https://github.com/diniboy1123/usque/blob/main/README.md This JSON object represents a typical configuration file for Usque. It includes sensitive fields like private_key and access_token, as well as public fields for network endpoints and device identification. Ensure confidential fields are kept secure. ```json { "private_key": "M...redacted...==", "endpoint_v4": "162.159.198.1", "endpoint_v6": "2606:4700:103::", "endpoint_h2_v4": "162.159.198.2", "endpoint_h2_v6": "", "endpoint_pub_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIaU7MToJm9NKp8YfGxR6r+/h4mcG\n7SxI8tsW8OR1A5tv/zCzVbCRRh2t87/kxnP6lAy0lkr7qYwu+ox+k3dr6w==\n-----END PUBLIC KEY-----\n", "license": "A...redacted...Z", "id": "00000000-0000-0000-0000-000000000000", "access_token": "00000000-0000-0000-0000-000000000000", "ipv4": "172.16.0.2", "ipv6": "2606:redacted:1" } ``` -------------------------------- ### HTTP Proxy Mode Source: https://github.com/diniboy1123/usque/wiki/L4-proxy-mode Starts an HTTP proxy server using the L4 proxy mode. This mode is an addition to usque and leverages the same underlying mechanism as the SOCKS5 L4 proxy. ```APIDOC ## HTTP Proxy Mode Starts an HTTP proxy server using the L4 proxy mode. ### Usage ```console usque l4-http-proxy ``` ### Output Example ``` 2026/06/16 21:01:59 CEST L4 HTTP proxy listening on 0.0.0.0:8000 ``` ### Limitations - Requires UDP (HTTP/3). - Custom SNI is not supported. ``` -------------------------------- ### Run Usque L4 HTTP Proxy Source: https://github.com/diniboy1123/usque/wiki/L4-proxy-mode Starts an HTTP proxy server on port 8000. This mode is unique to Usque and uses the same underlying L4 mechanism as the SOCKS5 proxy. ```console $ usque l4-http-proxy 2026/06/16 21:01:59 CEST L4 HTTP proxy listening on 0.0.0.0:8000 ``` -------------------------------- ### Configure Custom DNS Servers for SOCKS Proxy Source: https://github.com/diniboy1123/usque/blob/main/README.md Specify custom DNS servers to be used by the SOCKS proxy mode. This example demonstrates how to use Quad9 and Cloudflare's DNS servers. Multiple -d flags can be used to provide a list of DNS servers. ```shell $ ./usque socks -d 1.1.1.1 -d 1.0.0.1 -d 2606:4700:4700::1111 -d 2606:4700:4700::1001 ``` -------------------------------- ### Establish QUIC Connection and Dial with connect-ip-go Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md This snippet shows how to set up a QUIC connection and use the connectip.Dial function to establish a connection through a proxy. It requires setting up a UDP listener, performing a QUIC dial, and configuring an HTTP/3 transport. ```go proxyURITemplate := "https://cloudflareaccess.com/" udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0}) if err != nil { log.Fatalf("failed to listen udp: %v", err) } ccon, err := quic.Dial(ctx, udpConn, &net.UDPAddr{IP: net.ParseIP("162.159.198.1"), Port: 443}, tlsConf, &quic.Config{EnableDatagrams: true}) if err != nil { log.Fatalf("failed to dial: %v", err) } tr := &http3.Transport{EnableDatagrams: true} defer tr.Close() client, rsp, err := connectip.Dial(ctx, tr.NewClientConn(ccon), uritemplate.MustNew(proxyURITemplate)) if err != nil { log.Fatalf("failed to dial: %v", err) } defer client.Close() log.Printf("HTTP status: %v", rsp) req, err := connectip.ParseRequest(newRequest(proxyURITemplate), uritemplate.MustNew(proxyURITemplate)) if err != nil { log.Fatalf("failed to parse request: %v", err) } log.Printf("Request: %v", req) ``` -------------------------------- ### Enroll with New Configuration Data Source: https://github.com/diniboy1123/usque/blob/main/README.md After obtaining or creating a configuration, use the enroll command to refresh the config with new access token and ID data. The 'license' field will remain empty, which is normal for ZeroTrust. ```bash enroll ``` -------------------------------- ### Third-Party Project Integration Source: https://github.com/diniboy1123/usque/wiki/L4-proxy-mode Demonstrates how to integrate the L4 proxy functionality into third-party Go projects using the `api.NewL4Proxy` function and `api.L4ProxyConfig`. ```APIDOC ## Usage in 3rd-party projects Integrate the L4 proxy using the `api` package. ### Initialization ```go proxy, err := api.NewL4Proxy(api.L4ProxyConfig{ TLSConfig: tlsConfig, QUICConfig: quicConfig, Endpoint: endpoint, DNSResolver: resolver, ResolveLocally: true, }) if err != nil { return err } ``` ### Dialing a Connection ```go conn, err := proxy.DialContext(ctx, "example.com:443") ``` ### Local Hostname Resolution Implement `api.DNSResolver` and pass it in `L4ProxyConfig` for local hostname resolution. ``` -------------------------------- ### Load X.509 Key Pair and Configure TLS for QUIC Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md Loads an X.509 key pair and configures TLS settings for a QUIC connection. Ensure `certFile` and `keyFile` are valid paths. `ServerName` should match the target server. `InsecureSkipVerify` is used for testing but should be avoided in production. `KeyLogWriter` is useful for debugging QUIC traffic in Wireshark. ```go cert, err := tls.LoadX509KeyPair(certFile, keyFile) if err != nil { log.Fatalf("failed to load certificate: %v", err) } tlsConf := &tls.Config{ Certificates: []tls.Certificate{cert}, ServerName: "consumer-masque.cloudflareclient.com", // apparently useless, because golang cannot set the cipher suite for tls 1.3 //CipherSuites: []uint16{tls.TLS_AES_256_GCM_SHA384}, NextProtos: []string{http3.NextProtoH3}, KeyLogWriter: keyLogger, InsecureSkipVerify: true, } ``` -------------------------------- ### Display Usque CLI Help Information Source: https://github.com/diniboy1123/usque/blob/main/README.md Shows all available commands and flags for the Usque CLI. Use this to understand the CLI's capabilities. ```shell $ ./usque --help ``` -------------------------------- ### Establish QUIC Connection Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md Establishes a QUIC connection to a specified UDP address. Requires a pre-configured UDP connection and TLS configuration. `InitialPacketSize` can be tuned based on observed network traffic. `EnableDatagrams` allows for UDP-like datagrams over QUIC. ```go udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0}) if err != nil { log.Fatalf("failed to listen udp: %v", err) } conn, err := quic.Dial( ctx, udpConn, &net.UDPAddr{IP: net.ParseIP("162.159.198.1"), Port: 443}, tlsConf, &quic.Config{ EnableDatagrams: true, InitialPacketSize: 1242, }, ) if err != nil { log.Fatalf("failed to dial: %v", err) } ``` -------------------------------- ### Usque L4 Proxy API Usage Source: https://github.com/diniboy1123/usque/wiki/L4-proxy-mode Demonstrates how to initialize and use the L4 proxy programmatically in a Go application. Requires TLS, QUIC configurations, an endpoint, and a DNS resolver. ```go proxy, err := api.NewL4Proxy(api.L4ProxyConfig{ TLSConfig: tlsConfig, QUICConfig: quicConfig, Endpoint: endpoint, DNSResolver: resolver, ResolveLocally: true, }) if err != nil { return err } conn, err := proxy.DialContext(ctx, "example.com:443") ``` -------------------------------- ### Enable QUIC Logging with warp-cli Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md Enables qlogs for QUIC debugging using the `warp-cli` tool. Qlogs are JSON-formatted logs that can help in analyzing QUIC traffic. The logs are typically saved in `/var/lib/cloudflare-warp/qlogs/`. ```shell warp-cli debug qlog enable && warp-cli connect ``` -------------------------------- ### Register a New Usque Account Source: https://github.com/diniboy1123/usque/blob/main/README.md Creates a new Cloudflare Warp account and enrolls a MASQUE private key. This command should be run once to set up the initial configuration. ```shell $ ./usque register ``` -------------------------------- ### Build Usque Docker Image Source: https://github.com/diniboy1123/usque/blob/main/README.md Build the Docker image for the Usque tool. Ensure you are in the directory containing the Dockerfile. This command tags the image as 'usque:latest'. ```shell docker build -t usque:latest . ``` -------------------------------- ### Configure Port Forwarding with Usque Source: https://github.com/diniboy1123/usque/blob/main/README.md Use this command to forward ports between the host and the WARP network. Specify the internal IPv4 address of the host, the host port, and the target port for forwarding to the WARP network. Similarly, specify the target port on the host, the WARP network IP, and the WARP network port for forwarding from the WARP network to the host. Ensure IP addresses in the configuration are up to date. ```shell ./usque portfw -R 100.96.0.3:8080:localhost:8080 -L localhost:8081:100.96.0.2:8081 ``` -------------------------------- ### Display IP Configuration on Windows Source: https://github.com/diniboy1123/usque/blob/main/README.md This command shows the IP configuration for all network adapters. It is used to find the gateway address for your tunnel interface. ```cmd ipconfig ``` -------------------------------- ### Register for ZeroTrust JWT Source: https://github.com/diniboy1123/usque/blob/main/README.md Use the register command with a JWT to obtain a personal WARP configuration. This is useful for manually setting up a config file. ```bash ./usque register --jwt ``` -------------------------------- ### Add Default Routes on Windows Source: https://github.com/diniboy1123/usque/blob/main/README.md These commands set the default routes for IPv4 and IPv6 traffic through the tunnel interface. Replace '[TUNNEL_GATEWAY]' and '[TUN_INTERFACE_INDEX]' with your actual tunnel gateway and interface index. ```cmd route add 0.0.0.0 mask 0.0.0.0 [TUNNEL_GATEWAY] metric 1 if [TUN_INTERFACE_INDEX] route add ::/0 [TUNNEL_GATEWAY] metric 1 if [TUN_INTERFACE_INDEX] ``` -------------------------------- ### Increase UDP Buffer Sizes on Linux/BSD Source: https://github.com/diniboy1123/usque/blob/main/README.md Adjust the maximum UDP receive and send buffer sizes to improve network performance. This is recommended by quic-go for better throughput, especially on high-latency connections. Run these commands with root privileges. ```shell $ sudo sysctl -w net.core.rmem_max=7500000 $ sudo sysctl -w net.core.wmem_max=7500000 ``` -------------------------------- ### Print Route Table on Windows Source: https://github.com/diniboy1123/usque/blob/main/README.md This command displays the current routing table on Windows. It is used to identify the interface index for your regular network adapter. ```cmd route print ``` -------------------------------- ### Run Usque Docker Container Source: https://github.com/diniboy1123/usque/blob/main/README.md Run the Usque Docker container to spawn a SOCKS proxy. This command exposes the proxy on port 1080 and runs the container interactively. ```shell docker run -it --rm -p 1080:1080 usque:latest socks ``` -------------------------------- ### Cross-Compile Usque for Windows Source: https://github.com/diniboy1123/usque/blob/main/README.md Cross-compile the Usque project for Windows on a Linux system by setting GOOS and GOARCH environment variables. This command also produces an 'usque' binary. ```shell GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" . ``` -------------------------------- ### Test HTTP Proxy with Curl Source: https://github.com/diniboy1123/usque/blob/main/README.md Tests the HTTP proxy using curl to connect to a specified URL. ```shell curl -x http://myuser:mypass@localhost:8080 https://cloudflare.com/cdn-cgi/trace ``` -------------------------------- ### Test Tunnel Interface with Ping Source: https://github.com/diniboy1123/usque/blob/main/README.md Verify the tunnel interface is functional by pinging an IP address through it. Replace 'tun0' with your actual tunnel interface name if different. ```shell $ ping -I tun0 1.1 ``` -------------------------------- ### Execute Native Tunnel Mode Source: https://github.com/diniboy1123/usque/blob/main/README.md This command initiates the native tunnel mode. It typically requires root or administrator privileges. On Linux, a 'tun0' interface should appear; on Windows, it's usually named 'usque'. ```shell $ sudo ./usque nativetun ``` -------------------------------- ### Test SOCKS5 Proxy with Curl Source: https://github.com/diniboy1123/usque/blob/main/README.md Tests the SOCKS5 proxy using curl to connect to a specified URL. ```shell curl -x socks5://myuser:mypass@localhost:8080 https://cloudflare.com/cdn-cgi/trace ``` -------------------------------- ### Test Tunnel Interface with Curl Source: https://github.com/diniboy1123/usque/blob/main/README.md Use curl to test connectivity through the tunnel interface. Ensure to specify the correct interface name. ```shell $ curl --interface tun0 https://cloudflare.com/cdn-cgi/trace ``` -------------------------------- ### Add Default Routes on Linux Source: https://github.com/diniboy1123/usque/blob/main/README.md These commands set the default route for both IPv4 and IPv6 traffic to the tunnel interface. Replace 'tun0' with your actual tunnel interface name. ```shell $ sudo ip route add default dev tun0 && sudo ip -6 route add default dev tun0 ``` -------------------------------- ### Register MASQUE Protocol with API Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md This cURL command demonstrates how the client registers for the MASQUE protocol by sending a PATCH request to the Cloudflare API. It includes authorization, user agent, and content type headers, along with a JSON payload containing the key and key type. ```shell curl -H 'Authorization: Bearer 00000000-0000-0000-0000-000000000000' -H 'User-Agent: WARP for Android' -H 'CF-Client-Version: a-6.81-4616' -H 'Content-Type: application/json; charset=UTF-8' -H 'Connection: Keep-Alive' --compressed -X PATCH https://api.cloudflareclient.com/v0a4616/reg/00000000-0000-0000-0000-000000000000 -d '{"key":"M...redacted...==","key_type":"secp256r1","tunnel_type":"masque"}' ``` -------------------------------- ### Enroll Usque Device with Custom Name Source: https://github.com/diniboy1123/usque/blob/main/README.md Registers a new Usque account and specifies a custom name for the device using the -n flag. This is an optional step during registration. ```shell $ ./usque register -n ``` -------------------------------- ### Set SNI for Tunnel Connections Source: https://github.com/diniboy1123/usque/blob/main/README.md When using modes that involve tunnel connections, it is recommended to set the SNI to 'zt-masque.cloudflareclient.com' for optimal connection. The default 'consumer-masque.cloudflareclient.com' also works but is discouraged. ```bash -s zt-masque.cloudflareclient.com ``` -------------------------------- ### Register Usque Account with ZeroTrust JWT Source: https://github.com/diniboy1123/usque/blob/main/README.md Registers a new Usque account using a ZeroTrust team token. Obtain the token from the ZeroTrust success page or via browser console. ```shell $ ./usque register --jwt ``` -------------------------------- ### Add Route to Tunnel Endpoint on Windows Source: https://github.com/diniboy1123/usque/blob/main/README.md This command adds a specific route for the tunnel endpoint on Windows. Replace '162.159.198.1', '192.168.1.1', '12', and 'usque' with your actual network details. ```cmd route add 162.159.198.1 mask 255.255.255.255 192.168.1.1 metric 1 if 12 ``` -------------------------------- ### Enroll Existing Usque Device Source: https://github.com/diniboy1123/usque/blob/main/README.md Re-enrolls an existing MASQUE private key. This is useful for migrating between devices or switching from WireGuard to MASQUE. It refreshes the configuration with data from Cloudflare servers. ```shell $ ./usque enroll ``` -------------------------------- ### Add Route to Tunnel Endpoint on Linux Source: https://github.com/diniboy1123/usque/blob/main/README.md This command adds a specific route for the tunnel endpoint to your regular network interface. Replace '162.159.198.1', '192.168.1.1', and 'eth0' with your actual network details. ```shell $ sudo ip route add 162.159.198.1/32 via 192.168.1.1 dev eth0 ``` -------------------------------- ### Warp Hook JavaScript Script Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md A Frida script used for hooking functions related to the Warp functionality. This script was part of the research findings and was used to investigate function calls. ```javascript /* * This script is a part of the research into Connect-IP and its use of quiche for tunnel establishment. * It was provided as a starting point for hooking into the native processes. * The original script is available at: https://github.com/monkeywave/frida-scripts-collection/blob/main/warp_hook.js */ // Placeholder for actual script content if it were provided in the source. // The source text mentions this script but does not include its content. console.log("Warp hook script loaded. Actual implementation details are not provided in the source."); ``` -------------------------------- ### Wireshark Filter for QUIC Traffic Source: https://github.com/diniboy1123/usque/blob/main/RESEARCH.md This Wireshark filter helps isolate QUIC traffic related to the USQUE tunnel. It targets packets originating from or destined to the anycast IP address used by Warp clients. ```wireshark ip.dst == 162.159.198.1 || ip.src == 162.159.198.1 ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.