[ZT] MASQUE (#15224)
* Add MASQUE setting

* update cipher suite names

* update captive portal options

* override local interface IP

* add MASQUE ports

* remove http3 link

* update npm

* add MASQUE to WARP architecture

* warp tunnel

* remove "optional"

* apply review feedback

* Update content/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/_index.md

retrigger build
ranbel authored Jun 28, 2024
1 parent da025ff commit cb544b4
Showing 6 changed files with 51 additions and 19 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ The WARP client allows organizations to have granular control over the applicati
| -----------|----------|---------|
| Device orchestration | HTTPS | Perform user registration, check device posture, apply WARP profile settings. |
| [DoH](https://www.cloudflare.com/learning/dns/dns-over-tls/) | HTTPS | Send DNS requests to Gateway for DNS policy enforcement. |
| Wireguard | UDP | Send IP packets to Gateway for network policy enforcement, HTTP policy enforcement, and private network access. |
| WARP tunnel ([via WireGuard or MASQUE](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol)) | UDP | Send IP packets to Gateway for network policy enforcement, HTTP policy enforcement, and private network access. |

```mermaid
flowchart LR
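Review bot: the Protocol column on the new `| WARP tunnel ([via WireGuard or MASQUE](...)) | UDP |` row hides a distinction a firewall administrator needs: WireGuard is a bare UDP protocol (default port 2408), while MASQUE is HTTP/3, that is QUIC over UDP 443, as the ingress IP table later in this commit shows. Suggest "UDP (WireGuard) or HTTP/3 over UDP (MASQUE)" so the row agrees with the tunnel protocol section it links to.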
Expand All @@ -36,11 +36,11 @@ end
end
W<--Device orchestration-->A
D<--DoH-->G
V<--Wireguard-->N
V<--WARP tunnel-->N
N --> O[(Application)]
```

Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what traffic is sent down the Wireguard tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [DoH endpoint](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#doh-ip) and [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint do not obey Split Tunnel rules, since those connections always operate outside of the Wireguard tunnel.
Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [DoH endpoint](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#doh-ip) and [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint do not obey Split Tunnel rules, since those connections always operate outside of the WARP tunnel.

Next, you will learn how WARP configures your operating system to apply your Local Domain Fallback and Split Tunnel routing rules. Implementation details differ between desktop and mobile clients.

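Review bot: subject-verb agreement in the last sentence of the rewritten paragraph: "Traffic to the [DoH endpoint] ... and [device orchestration API] endpoint do not obey Split Tunnel rules" has the singular subject "Traffic", so it should read "does not obey Split Tunnel rules, since those connections always operate outside of the WARP tunnel."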
Expand All @@ -64,7 +64,7 @@ Browsers with DoH configured will bypass the local DNS proxy. You may need to di
{{</Aside>}}

Based on your Local Domain Fallback configuration, WARP will either forward the request to Gateway for DNS policy enforcement or forward the request to your private DNS resolver.
- Requests to Gateway are sent over our [DoH connection](#overview) (outside of the Wireguard tunnel).
- Requests to Gateway are sent over our [DoH connection](#overview) (outside of the WARP tunnel).
- Requests to your private DNS resolver are sent either inside or outside of the tunnel depending on your Split Tunnel configuration. For more information, refer to [How the WARP client handles DNS requests](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).

```mermaid
Expand Down Expand Up @@ -160,7 +160,7 @@ options trust-ad

### IP traffic

When you turn on WARP, WARP makes three changes on the device to control if traffic is sent inside or outside of the Wireguard tunnel:
When you turn on WARP, WARP makes three changes on the device to control if traffic is sent inside or outside of the WARP tunnel:

- Creates a [virtual network interface](#virtual-interface).
- Modifies the operating system [routing table](#routing-table) according to your Split Tunnel rules.
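Review bot: "to control if traffic is sent inside or outside of the WARP tunnel" should read "to control whether traffic is sent inside or outside of the WARP tunnel"; "if" reads as a conditional rather than a choice between two outcomes.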
Expand All @@ -175,7 +175,7 @@ S -- No --> U["Virtual interface<br> (172.16.0.2)"] --> G[Cloudflare Gateway]

#### Virtual interface

Virtual interfaces allow the operating system to logically subdivide a physical interface, such as a network interface controller (NIC), into separate interfaces for the purposes of routing IP traffic. WARP’s virtual interface is what maintains the Wireguard connection between the device and Cloudflare. By default, its IP address is hardcoded as `172.16.0.2`. You can optionally use [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) to assign unique IPs per device.
Virtual interfaces allow the operating system to logically subdivide a physical interface, such as a network interface controller (NIC), into separate interfaces for the purposes of routing IP traffic. WARP’s virtual interface is what maintains the WireGuard/MASQUE connection between the device and Cloudflare. By default, its IP address is hardcoded as `172.16.0.2`. You can use [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) to assign unique IPs per device.

To view a list of all network interfaces on the operating system:

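Review bot: the rewritten virtual interface paragraph still says "By default, its IP address is hardcoded as `172.16.0.2`", but the Device tunnel protocol section added in this same commit makes Override local interface IP mandatory for MASQUE, so the default address only ever applies to WireGuard tunnels. Suggest stating that explicitly, for example "When WireGuard is the tunnel protocol, its IP address defaults to `172.16.0.2`; MASQUE requires Override local interface IP, which assigns a unique IP per device." Also "WireGuard/MASQUE connection" is the only place in this commit that does not use the "WARP tunnel" wording introduced everywhere else; consider "maintains the WARP tunnel (WireGuard or MASQUE) between the device and Cloudflare" for consistency.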
Expand Down Expand Up @@ -255,7 +255,7 @@ $ ip addr

#### Routing table

WARP edits the system routing table to control what traffic goes down the Wireguard tunnel to Gateway. The routing table indicates which network interface should handle packets to a particular IP address. By default, all traffic routes through WARP's virtual interface except for the IPs and domains on your Split Tunnel exclude list (which use the default interface on your device).
WARP edits the system routing table to control what IP traffic goes to Gateway. The routing table indicates which network interface should handle packets to a particular IP address. By default, all traffic routes through WARP's virtual interface except for the IPs and domains on your Split Tunnel exclude list (which use the default interface on your device).

You can verify that the routing table matches your Split Tunnel rules:

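Review bot: minor grammar carried over unchanged in the rewritten sentence: "the IPs and domains on your Split Tunnel exclude list (which use the default interface on your device)" should be "(which uses the default interface on your device)" if the antecedent is the list, or rephrased as "(traffic to those destinations uses the default interface on your device)" to remove the ambiguity.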
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ When `Enabled`, the WARP client will [automatically install](/cloudflare-one/con

Overrides the default IP address of WARP's [virtual network interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic) such that each device has its own unique local interface IP.

This setting is primarily used to enable site-to-site connectivity with [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/). You can also use it when the default IP conflicts with other local services on your network.
This setting is primarily used in conjunction with the [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) and for [MASQUE](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol). You can also use it when the default IP conflicts with other local services on your network.

**Value:**

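Review bot: the rewritten sentence "primarily used in conjunction with the WARP Connector and for MASQUE" understates the relationship; the Device tunnel protocol section in this commit says Override local interface IP "must be `Enabled`" to use MASQUE. An administrator reading this setting in isolation should see the requirement here too, for example "This setting is required when Device tunnel protocol is set to MASQUE, and is also used for site-to-site connectivity with WARP Connector."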
Expand Down Expand Up @@ -106,6 +106,34 @@ Since captive portal implementations vary, WARP may not detect all captive porta

When `Enabled`, users have the option to switch between [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode and [Gateway with DoH mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh). This feature does not support switching between any other modes.

### Device tunnel protocol

{{<details header="Feature availability">}}

| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
| -- | -- |
| <ul><li> Gateway with WARP</li><li> Secure Web Gateway without DNS filtering </li></ul>| All plans |

| System | Availability | Minimum WARP version |
| ---------| -------------| ---------------------|
| Windows || 2024.6.415.0 |
| macOS || 2024.6.416.0 |
| Linux | Coming soon | |
| iOS | Coming soon | |
| Android | Coming soon | |
| ChromeOS | Coming soon | |

{{</details>}}

Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. It may take up to 24 hours for all devices to switch to the new protocol. To check the active protocol on a device, open a terminal and run `warp-cli settings | grep protocol`.

**Value**:

- **WireGuard**: (default) Establishes a [WireGuard](https://www.wireguard.com/) connection to Cloudflare. The WARP client will encrypt traffic using a non-FIPs compliant cipher suite, `TLS_CHACHA20_POLY1305_SHA256`. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the [ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) required for WireGuard to function.
- **MASQUE** {{<inline-pill style="beta">}}: Establishes an HTTP/3 connection to Cloudflare. To use MASQUE, [Override local interface IP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) must be `Enabled`. The WARP client will encrypt traffic using TLS 1.3 and a [FIPS 140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) compliant cipher suite, `TLS_AES_256_GCM_SHA384`.

For more details on WireGuard versus MASQUE, refer to our [blog post](https://blog.cloudflare.com/zero-trust-warp-with-a-masque).

### Lock WARP switch

{{<details header="Feature availability">}}
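Review bot: the WireGuard bullet labels the cipher as `TLS_CHACHA20_POLY1305_SHA256`, which is a TLS 1.3 cipher suite identifier; WireGuard does not use TLS and does not negotiate cipher suites, it fixes ChaCha20-Poly1305 as the AEAD inside its Noise handshake. Naming the algorithm instead ("ChaCha20-Poly1305, which is not a FIPS-approved cipher") avoids implying that a TLS cipher suite is in play, and "non-FIPs compliant" should read "non-FIPS-compliant". On the MASQUE bullet, FIPS 140-2 validation is granted to a cryptographic module, not to a cipher suite, so "encrypts traffic using TLS 1.3 with a cipher suite built from FIPS-approved algorithms, `TLS_AES_256_GCM_SHA384`" is the defensible wording unless the page can point to a validated module in the client. Finally, "It may take up to 24 hours for all devices to switch" would be more useful with the reason (devices pick up the new profile on their next settings refresh), since admins otherwise expect `warp-cli settings | grep protocol` to change immediately.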
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,13 @@ Captive portals are used by public Wi-Fi networks (such as airports, coffee shop

To allow users to connect through a captive portal, administrators can configure the following WARP settings:

### No user interaction required

- Enable [Captive portal detection](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#captive-portal-detection). This allows WARP to temporarily turn off when it detects a captive portal on the network. For more details, refer to [how captive portal detection works](#how-captive-portal-detection-works) and its [limitations](#limitations).
- Set [Device tunnel protocol](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol) to **MASQUE**. When using MASQUE, WARP traffic will look like standard HTTPS traffic and is therefore less likely to be blocked by captive portals.

### User interaction required

- Enable [Lock WARP switch](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#lock-warp-switch) and enable [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override). Users can contact the IT administrator for a one-time code that allows them to manually turn off WARP and connect to a portal.
- For employees who travel, disable [Lock WARP switch](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#lock-warp-switch) and set an [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) duration. This allows the user to manually turn off WARP without contacting IT.

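Review bot: the new bullet "When using MASQUE, WARP traffic will look like standard HTTPS traffic and is therefore less likely to be blocked by captive portals" needs a caveat: per the ingress IP table in this commit, MASQUE is HTTP/3 over UDP 443 (with UDP 4443, 8443 and 8095 fallbacks), not TCP 443, and captive portals and guest networks that drop UDP or that only open TCP 443 will still block it. Suggest "WARP traffic is carried as HTTP/3 over UDP 443, which captive portals are less likely to block than WireGuard's UDP 2408; networks that block UDP entirely will still block the tunnel, so keep captive portal detection enabled alongside this setting." It is also worth noting that a captive portal intercepts the connection before authentication regardless of protocol, so MASQUE helps only after the user has passed the portal.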
Original file line number Diff line number Diff line change
Expand Up @@ -33,19 +33,17 @@ When you [log in to your Zero Trust organization](/cloudflare-one/connections/co

## WARP ingress IP

These are the IP addresses that the WARP client will connect to. All traffic from your device to the Cloudflare edge will go through these IP addresses.
WARP connects to the following IP addresses, depending on which [tunnel protocol](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol) is configured for your device. All network traffic from your device to Cloudflare goes through these IPs and ports over UDP.

- IPv4 Range: `162.159.193.0/24`
- IPv6 Range: `2606:4700:100::/48`
| Tunnel protocol | IPv4 | IPv6 | Default port | Fallback ports |
| ---------------------- | ---- | ---- | ---------- | ------------ |
| WireGuard | `162.159.193.0/24` | `2606:4700:100::/48` | `UDP 2408` | `UDP 500` </br> `UDP 1701` </br> `UDP 4500` |
| MASQUE | `162.159.197.0/24` | `2606:4700:102::/48` | `UDP 443`| `UDP 4443` </br> `UDP 8443` </br> `UDP 8095`|

{{<Aside type="note">}}
Before you [log in to your Zero Trust organization](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP services ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust deployments.
{{</Aside>}}

### WARP UDP ports

WARP utilizes UDP for all of its communications. By default, the UDP port required for WARP is `UDP 2408`. WARP can fallback to `UDP 500`, `UDP 1701`, or `UDP 4500`.

## Captive portal

The following domains are used as part of our captive portal check:
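Review bot: "All network traffic from your device to Cloudflare goes through these IPs and ports over UDP" contradicts the WARP architecture page changed in this same commit, which says DoH and device orchestration traffic are HTTPS connections that run outside the tunnel; suggest "All tunneled IP traffic from your device to Cloudflare goes through these IPs and ports over UDP" and leave the DoH and orchestration endpoints to their own sections on this page. Two smaller points in the new table: `</br>` is not an HTML tag (it closes nothing) and renders inconsistently across Markdown processors, so use `<br>` or `<br />`; and removing the "### WARP UDP ports" heading drops the `#warp-udp-ports` anchor, so any existing links to `/deployment/firewall/#warp-udp-ports` will now land at the top of the page and should be pointed at `#warp-ingress-ip`.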
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ A private network has two primary components: the server and the client. The ser

On the client side, end users connect to Cloudflare's global network using the Cloudflare WARP client. The WARP client can be rolled out to your entire organization in just a few minutes using your in-house MDM tooling. When users connect to an IP made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare’s network to the corresponding tunnel.

![Diagram displaying connections between a device, WireGuard tunnel, Cloudflare Tunnel and a public cloud.](/images/cloudflare-one/connections/private-ips-diagram.png)
![Diagram displaying connections between a device, Cloudflare, and a public cloud.](/images/cloudflare-one/connections/private-ips-diagram.png)

To enable remote access to your private network, follow the guide below.

6 changes: 3 additions & 3 deletions package-lock.json

