Skip to content

MASQUE

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
proxies:
# masque
- name: "masque"
  type: masque
  server: server.com
  port: 443
  private-key: BASE64_ENCODED_PRIVATE_KEY
  public-key: BASE64_ENCODED_PUBLIC_KEY
  ip: 172.16.0.2/32
  ipv6: fd00::2/128
  mtu: 1280
  udp: true
  # Identifier of an outbound proxy. When non-empty, connections are sent through the specified proxy.
  # dialer-proxy: "ss1"
  # remote-dns-resolve: true # Force remote DNS resolution, default is false
  # dns: [ 1.1.1.1, 8.8.8.8 ] # Effective only when remote-dns-resolve is true
  # congestion-controller: bbr # Disabled by default
  # bbr-profile: "" # Available: "standard", "conservative", "aggressive". Default: "standard"

# masque-h2
- name: "masque-h2"
  type: masque
  server: server.com
  port: 443
  private-key: BASE64_ENCODED_PRIVATE_KEY
  public-key: BASE64_ENCODED_PUBLIC_KEY
  ip: 172.16.0.2/32
  ipv6: fd00::2/128
  mtu: 1280
  udp: true
  network: h2
  # Identifier of an outbound proxy. When non-empty, connections are sent through the specified proxy.
  # dialer-proxy: "ss1"
  # remote-dns-resolve: true # Force remote DNS resolution, default is false
  # dns: [ 1.1.1.1, 8.8.8.8 ] # Effective only when remote-dns-resolve is true

Get MASQUE configuration

Generate MASQUE configuration using the usque tool.

Common Fields

private-key

Required, base64-encoded ECDSA private key.

public-key

Required, base64-encoded ECDSA public key (server-side public key).

Note

Remove PEM header/footer markers such as -----BEGIN PUBLIC KEY-----, -----END PUBLIC KEY-----, and PEM line breaks \n.

ip

Local IPv4 address in CIDR format (e.g., 172.16.0.2/32).

ipv6

Local IPv6 address in CIDR format (e.g., fd00::2/128).

mtu

MTU size for the TUN device, defaults to 1280.

udp

Whether to enable UDP support, defaults to false.

remote-dns-resolve

Whether to enable remote DNS resolution through the MASQUE tunnel.

dns

List of remote DNS servers, takes effect when remote-dns-resolve is enabled.

congestion-controller

Overrides the default congestion control algorithm. Disabled by default. Available values include bbr.

network

Optional. Defaults to quic. For masque-h2, set it to h2.