CONNECT-IP server support

This CL adds server-side support for draft-ietf-masque-connect-ip-03. It also fixes a few bugs found in client code now that we can test it. This was confirmed to work on the Privacy Proxy test VM (cf go/privacy-proxy-vm).

To test, run these commands:
# On CloudTop / workstation
blaze build //third_party/quic/masque:masque_server && gsutil cp blaze-bin/third_party/quic/masque/masque_server gs://pp-toybox-server

# On VM
gsutil cp gs://pp-toybox-server/masque_server . && chmod +x masque_server && ./masque_server --gid= --uid= --logtostderr --v=1

# On CloudTop / workstation
blaze run //third_party/quic/masque:masque_client -- --alsologtostderr --v=1 --disable_certificate_verification --masque_mode=connect-ip

PiperOrigin-RevId: 485589201
8 files changed
tree: 80044db110ac1b0bc7f125c6b09a1adf7e136ddd
  1. build/
  2. depstool/
  3. quiche/
  4. .bazelrc
  5. BUILD.bazel
  10. WORKSPACE.bazel


QUICHE stands for QUIC, Http, Etc. It is Google‘s production-ready implementation of QUIC, HTTP/2, HTTP/3, and related protocols and tools. It powers Google’s servers, Chromium, Envoy, and other projects. It is actively developed and maintained.

There are two public QUICHE repositories. Either one may be used by embedders, as they are automatically kept in sync:

To embed QUICHE in your project, platform APIs need to be implemented and build files need to be created. Note that it is on the QUICHE team's roadmap to include default implementation for all platform APIs and to open-source build files. In the meanwhile, take a look at open source embedders like Chromium and Envoy to get started:

To contribute to QUICHE, follow instructions at

QUICHE is only supported on little-endian platforms.