

Why we prefer MASQUE Relays versus VPNs for remote enterprise access


Linda Ikechukwu


It’s a cold January morning in 2024. Alex Carter, a cybersecurity analyst at Global Affairs Canada (GAC), is poring over security logs when a flicker of unauthorized traffic grabs their attention. Noise? Maybe. Or something worse?

Moments later, more alerts roll in. Alex’s pulse quickens. This isn’t a blip—it’s an attack. A deep dive reveals the breach: sensitive data has been accessed through a compromised VPN used by remote employees. Emails, files, even calendars—everything is exposed.

“Boss, we’ve got a problem,” Alex calls out, heart pounding. Within minutes, staff are ordered to halt all remote work. Emails go out with dire warnings: “If you’ve used the VPN since December 20, 2023, assume your data is compromised.”

This scenario is fictional, but the breach is not. Global Affairs Canada (GAC) was hacked through a compromised VPN, joining the ranks of countless organizations that have suffered similar fates.

The problem isn’t VPNs as a technology—it’s how they’re deployed. VPNs are easily misconfigured to grant broad, unrestricted network access to anyone holding valid credentials. But if credentials can be stolen, copied, or shared, how can we trust the person or device connecting through the VPN?

[Figure: how a VPN works]

Introducing MASQUE Relays: A Modern Alternative to VPNs

VPNs have long been the default solution for remote enterprise access, but as the stakes rise and threats evolve, they’re starting to show their age. MASQUE (Multiplexed Application Substrate over QUIC Encryption) is a modern application-layer standard that takes a fresh approach to securing traffic.

Defined in RFC9298, MASQUE combines the HTTP/3 and QUIC protocols to efficiently tunnel TCP and UDP traffic.

While MASQUE relays function like traditional proxies, what truly sets them apart is their use of modern protocols, yielding more efficient, secure, and flexible connections for various use cases, including but not limited to:

  • Traffic anonymisation: MASQUE is the underlying standard powering Apple’s iCloud Private Relay, a feature that anonymizes browsing activity by splitting traffic between two proxies. When a user requests a webpage, the encrypted request first goes to an Apple proxy, which knows the user’s IP address but not the destination website, and is then forwarded to a third-party proxy (e.g., Cloudflare or Akamai), which knows the destination but not the user’s IP address.
  • Reverse proxying: MASQUE can securely route traffic between clients and internal applications without granting broad network access, unlike VPNs.
  • Zero Trust Network Access with device policy enforcement for SaaS apps: MASQUE relays provide an efficient means to enforce access policies based on device identity, significantly reducing trust-based vulnerabilities. This is the use case we built our Enterprise Network Relay offering for: securely connecting clients to corporate web resources and SaaS apps that support IP allow lists, such as Salesforce, Workday, and MongoDB Atlas.
The Smallstep Enterprise Network Relay is a standards-based [RFC9298] private MASQUE relay server designed to restrict SaaS and private network traffic to company-owned devices. MASQUE relays are natively supported by managed Apple devices in iOS 17, iPadOS 17, macOS 14, and tvOS 17, and are deployed via the Managed Relay MDM payload.

Smallstep brings cross-platform support for Windows and Linux. The Smallstep agent issues hardware-attested device certificates, enabling client devices to prove their identity, providing the strongest assurance that only the devices you trust can access your most sensitive resources. See a demo here.

[Figure: Smallstep Enterprise Relay]

HTTP/3? QUIC? What are those? Why do they matter?

As mentioned, what really sets MASQUE relays apart from traditional proxies is their use of HTTP/3 and QUIC.

Older proxies like HTTP or SOCKS are easy for firewalls and network administrators to block. They use predictable port numbers and behaviors that are simple to detect. MASQUE avoids these pitfalls by leveraging QUIC, a UDP-based transport protocol that encrypts traffic and operates dynamically, making it far harder to throttle or block.

HTTP/3 for data transfer

[Figure: HTTPS over QUIC]

HTTP/3 is the latest version of the Hypertext Transfer Protocol, built on QUIC, a modern transport protocol designed to address TCP’s limitations. HTTP/1.1 allowed only one request per connection, causing delays. HTTP/2 introduced multiplexing, enabling multiple requests on the same connection.

However, it still suffered from transport-layer head-of-line (HOL) blocking: if a single packet is delayed or lost, every stream sharing the connection pauses until the missing packet is retransmitted. HTTP/3, running on QUIC, eliminates this kind of HOL blocking. Delays in one stream don’t affect others, making data transfers faster and more reliable.

HTTP/3 also simplifies handshakes. Unlike HTTP/1.1 and HTTP/2, which require separate handshakes for TCP and TLS, HTTP/3 combines transport and encryption handshakes into a single step. This reduces connection overhead, speeding up connection times.

Additionally, HTTP/3 significantly improves performance by simplifying session resumption. Instead of repeating a full handshake, it reuses parameters from previous connections. Under HTTP/2, resumption relies on TLS session tickets, requiring both TCP and TLS handshakes before reconnecting. By contrast, HTTP/3 leverages QUIC’s 0-RTT (zero round trip time) so clients can send encrypted data in the very first packet, cutting out delays and speeding up reconnections.

QUIC as the Transport Layer

[Figure: HTTP/2 vs HTTP/3]

QUIC (Quick UDP Internet Connections) is an encrypted-by-default Internet transport protocol (RFC9000) originally developed by Google. It builds on UDP’s flexibility by adding features that address reliability, with the goal of replacing TCP on the web.

Head-of-line (HOL) blocking, mentioned earlier, is even more severe in TCP-over-TCP communications, as seen with OpenVPN or IPSec VPNs. The outer TCP tunnel and the inner TCP flow (e.g., HTTPS traffic in the tunnel) each impose ordering and retransmissions, resulting in double retransmissions and compounding HOL blocking.

UDP-based VPNs such as WireGuard perform better because they carry the inner TCP flow over UDP rather than over a second TCP connection. Since UDP doesn’t enforce packet ordering or retransmissions, the outer layer adds no retransmit overhead of its own. While this reduces latency and prevents double retransmissions, it doesn’t fully resolve HOL blocking: the inner TCP stream still enforces ordering and reliability, so a lost packet can still delay everything behind it at the application layer.

MASQUE sidesteps this entirely by using QUIC over UDP. UDP’s lack of built-in reliability avoids these issues, while QUIC adds the necessary features—like encryption and reliable delivery—without the baggage of TCP.

By building on QUIC, MASQUE delivers faster, more reliable connections with lower latency, even in high-loss environments.
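To make the head-of-line argument above concrete, here is a small constructed simulation (an added example, not code from the original post or from Smallstep): five packets from three streams, one of them lost and retransmitted after one RTT, delivered once under a single ordered byte stream (TCP, as HTTP/2 or a TCP VPN tunnel would) and once with per-stream ordering (QUIC). The packet timings and the RTT are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    seq: int            # transmission order on the wire
    stream: str         # application stream the payload belongs to
    lost: bool = False  # dropped on first transmission, recovered after one RTT

RTT_MS = 100.0      # assumed round trip for detecting and repairing the loss
PKT_GAP_MS = 1.0    # assumed spacing between consecutive packets on the wire

def arrival_times(packets):
    """Time at which each packet (or its retransmission) reaches the receiver."""
    return {p.seq: p.seq * PKT_GAP_MS + (RTT_MS if p.lost else 0.0) for p in packets}

def tcp_delivery(packets):
    """Single ordered byte stream (TCP / HTTP2 / TCP VPN tunnel): data is released
    to the application only once every earlier byte has arrived."""
    arrive = arrival_times(packets)
    done, ready = {}, 0.0
    for p in sorted(packets, key=lambda p: p.seq):
        ready = max(ready, arrive[p.seq])   # blocked until all prior packets exist
        done[p.stream] = ready
    return done

def quic_delivery(packets):
    """Per-stream ordering (QUIC / HTTP3): a loss only delays its own stream."""
    arrive = arrival_times(packets)
    done, ready = {}, {}
    for p in sorted(packets, key=lambda p: p.seq):
        ready[p.stream] = max(ready.get(p.stream, 0.0), arrive[p.seq])
        done[p.stream] = ready[p.stream]
    return done

# Constructed trace: streams A and C are unaffected by the loss on stream B.
SAMPLE = [Packet(0, "A"), Packet(1, "B", lost=True), Packet(2, "A"),
          Packet(3, "C"), Packet(4, "B")]

def hol_penalty(packets):
    """Extra completion delay (ms) each stream pays under TCP compared to QUIC."""
    tcp, quic = tcp_delivery(packets), quic_delivery(packets)
    return {stream: tcp[stream] - quic[stream] for stream in tcp}

if __name__ == "__main__":
    print("TCP :", tcp_delivery(SAMPLE))
    print("QUIC:", quic_delivery(SAMPLE))
    print("HOL penalty:", hol_penalty(SAMPLE))
```

In this trace streams A and C finish ~100 ms late under the single ordered stream purely because of a loss on stream B, while under per-stream ordering only B waits for the retransmission.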

What’s it like connecting to an internal resource via a MASQUE Network Relay?

MASQUE removes the need for the overly broad access VPNs grant by focusing on application-level proxying with device-level trust. Here’s how accessing an internal corporate resource works through a MASQUE relay:

  1. Start the work day: You start your company-issued laptop, connect to your home Wi-Fi, and try to access an internal resource (e.g., internal.corporateportal.com). Your browser recognizes this domain as part of a configured network relay policy, installed via an MDM (Mobile Device Management) profile or pre-configured on your system. This policy includes details such as the MASQUE relay server address and the domains or resources to route through the relay.
  2. Device establishes a connection with the MASQUE relay server: Once authenticated, your device establishes a QUIC connection to the MASQUE relay server, creating a secure, multiplexed transport channel over UDP.
  3. Browser encapsulates and sends the request to the MASQUE server: The browser encapsulates the HTTP request into a MASQUE HTTP/3 stream, including the IP address of the internal resource in the HOST header.
  4. MASQUE relay server forwards request to internal resource: The MASQUE relay server receives the encapsulated request and determines its destination using the HTTP/3 headers. Without decrypting the content, the relay forwards the encrypted request to the internal resource, masking your source IP and replacing it with its own.
  5. Internal resource sends a response: The internal resource processes the request and sends an encrypted HTTP/3 response back to the MASQUE relay.
  6. MASQUE relay forwards response to client: The MASQUE relay forwards the encrypted response to your browser over the existing QUIC connection. As the relay cannot decrypt the traffic, the data remains private between your device and the internal resource.
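The client request of step 3 and the relay-side check of step 4, as an added example (not Smallstep's code or the Enterprise Relay's implementation) that follows RFC 9298's URI-template form for naming the tunnel target. The relay URL, the destination policy, and the device-certificate fields are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlsplit

@dataclass(frozen=True)
class DeviceCert:
    subject: str             # who the client certificate was issued to
    hardware_attested: bool  # key proven to live in the device's secure hardware

# RFC 9298 names the UDP target with a URI template carrying target_host and
# target_port; this relay URL is a constructed placeholder, not a real endpoint.
RELAY_TEMPLATE = "https://relay.example.internal/masque?h={target_host}&p={target_port}"

# Constructed policy: the only destinations this relay will open tunnels to.
POLICY = {"internal.corporateportal.com": {443}, "db.example.internal": {5432}}

def build_connect_udp(target_host, target_port, template=RELAY_TEMPLATE):
    """Pseudo-headers of the extended CONNECT request the client sends (step 3)."""
    url = template.replace("{target_host}", quote(target_host, safe=""))
    url = url.replace("{target_port}", str(target_port))
    parts = urlsplit(url)
    return {":method": "CONNECT", ":protocol": "connect-udp",
            ":scheme": parts.scheme, ":authority": parts.netloc,
            ":path": f"{parts.path}?{parts.query}", "capsule-protocol": "?1"}

def relay_decision(headers, cert, policy=POLICY):
    """Relay-side check (step 4): forward only attested devices to allowed targets.
    Returns ("forward", host, port) or ("deny", reason)."""
    if headers.get(":method") != "CONNECT" or headers.get(":protocol") != "connect-udp":
        return ("deny", "not a connect-udp request")
    if cert is None or not cert.hardware_attested:
        return ("deny", "client certificate missing or not hardware-attested")
    query = parse_qs(urlsplit(headers.get(":path", "")).query)
    host, port = query.get("h", [""])[0], query.get("p", [""])[0]
    if not port.isdigit() or host not in policy or int(port) not in policy[host]:
        return ("deny", f"{host}:{port} is not an allow-listed destination")
    return ("forward", host, int(port))

if __name__ == "__main__":
    laptop = DeviceCert("laptop-0042", hardware_attested=True)
    req = build_connect_udp("internal.corporateportal.com", 443)
    print(req[":path"], "->", relay_decision(req, laptop))
    print("unattested ->", relay_decision(req, DeviceCert("imported-key", False)))
    print("subnet scan ->", relay_decision(build_connect_udp("10.0.0.7", 22), laptop))
```

The last two calls show the contrast with the subnet-wide access a VPN grants: a copied credential without an attested key is refused, and so is any destination the policy does not name.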

Why we’re so over VPNs

Although VPNs allow for hardware-bound client credentials and device verification, these features are difficult to deploy and are easily misconfigured. As a result, in practice, access is often left broader than necessary, creating gaps that attackers can exploit.

[Figure: Visualization of Double Encryption and Decryption in VPN Data Flow]

Who holds the key to a lock should matter

With a VPN, anyone who can get their hands on the configuration profile or login credentials can access the network. Credentials are stolen every day through phishing, brute-force attacks, or malware.

Attackers can simply install the VPN client on their own device and authenticate with stolen credentials, exploiting the fact that these credentials are portable (i.e., transferable) and do not verify the legitimacy of the user or their device.

Using tools like nmap or ICMP sweeps, attackers can map out the network, identifying live hosts, open ports, and exposed services. From there, they target vulnerabilities (e.g., outdated SMB services), and use credential stuffing on internal systems or protocols like RDP to gain access and move laterally. Eventually, they pivot deep into the network to steal data, install ransomware, or establish persistent backdoors.

You can configure your VPN server for certificate-based authentication with Smallstep. The Smallstep app can then configure and issue certificates to your clients. Learn more here.

Trust, when given too freely, turns into a liability

Once an employee authenticates to a VPN, they’re implicitly trusted and often granted access to far more than they need. For instance, an employee may gain access to an entire subnet such as 10.0.0.0/8, which could include multiple servers and sensitive resources—even if they only require access to a single application.

The burden then falls on network administrators to manually restrict this access. They must define and maintain access control lists (ACLs) to limit IPs, ports, or protocols. This process is not only tedious but also highly prone to error and misconfiguration. Ensuring consistent policy enforcement across firewalls, routers, and other devices also adds layers of unnecessary complexity.

This problem becomes even worse in dynamic environments, such as the cloud. Virtual machines (VMs) and containers frequently change IPs or are ephemeral, making it almost impossible to keep routing rules and access policies updated.

The more hoops, the more time it takes

VPN usage introduces significant performance issues, especially at scale. A primary concern is increased network latency.

For example, when an employee accesses a corporate database, the traffic must first travel from their client device to the VPN server, then to the database, and back again—doubling the round-trip time compared to a direct connection. This compounded latency becomes especially problematic for database queries involving multiple requests per transaction.

Additionally, the overhead of double encryption—TLS between the browser and the web server, plus the encryption standard used by the VPN protocol—places a significant computational load on servers. This becomes particularly challenging when managing numerous simultaneous connections, slowing down traffic and reducing overall throughput. At scale, these inefficiencies become critical bottlenecks.

Finally, most VPNs rely on TCP as their transport protocol, which enforces strict in-order packet delivery. Packet loss at the TCP level delays all streams sharing the connection. In a VPN setup, this issue compounds with the added latency and encryption overhead, making HOL blocking even more pronounced.

Why MASQUE relays rock

With fewer road bumps, the ride is smoother and faster

MASQUE relays outperform traditional VPNs by eliminating many sources of latency and inefficiency. Unlike VPNs, MASQUE doesn’t rely on complex session negotiations, the assignment of virtual IP addresses, or the routing of traffic through multiple hubs. Instead, traffic flows directly through a single MASQUE relay, minimizing overhead and reducing latency.

Leveraging QUIC and HTTP/3, MASQUE relays process independent streams efficiently, avoiding the bottlenecks and transport-layer delays that plague traditional protocols. The absence of head-of-line (HOL) blocking—common in TCP-based VPN setups—ensures that delays in one stream don’t cascade into others, resulting in faster, more reliable communication.

You get only what’s needed, when it’s needed

MASQUE relays inherently align with Zero Trust Network Access (ZTNA), offering fine-grained resource-specific access. While VPNs often grant broad access to entire subnets by default, MASQUE restricts users to specific applications or services based on pre-defined policies. This approach simplifies segmentation and avoids the manual, error-prone processes of configuring and maintaining VPN access control lists (ACLs). In dynamic cloud environments where resources frequently change, MASQUE’s adaptability makes it a superior choice.

Modern solutions for modern problems

MASQUE is built on modern web standards—QUIC and HTTP/3—making it future-ready and widely supported. These protocols are already integrated into major browsers like Chrome, Safari, and Firefox, as well as numerous web servers and CDNs (see support data from caniuse.com here). This broad compatibility ensures that MASQUE relays can be deployed seamlessly across diverse environments.

Additionally, MASQUE relays are deeply integrated into Apple’s macOS and iOS ecosystems for enterprise use cases, ensuring robust support for organizations invested in Apple hardware.

Because MASQUE is built on HTTP/3, it can easily integrate with cloud-native infrastructure like load balancers, edge networks, and horizontal scaling tools. This makes deploying MASQUE relays globally and at scale far simpler and more cost-effective than setting up traditional VPNs.

Final Thoughts: MASQUE or VPN?

Protocols may evolve, but our mission at Smallstep remains constant: to empower organizations to restrict access to sensitive resources exclusively to trusted devices and users, using cryptographic tokens for the strongest assurance.

We’re excited about what MASQUE relays bring to the table. That’s why we built the Smallstep Enterprise Relay to simplify cross-platform deployment of MASQUE-based solutions. It integrates seamlessly with SaaS applications supporting IP allowlists, authenticates clients using mutual TLS, and routes sensitive traffic so it appears to originate from the relay’s exclusive IP range—dedicated solely to your organization.

Enterprise Relay is currently under an entitlement. If you’re ready to try it out, contact us to unlock it for you.

Still using VPNs for remote access? We’ve got you covered there too. Smallstep supports certificate-based authentication for your VPN server, ensuring mutual authentication between clients and servers. Learn more here.

Linda is a wannabe guitarist, who reads African literature or fiddles with a tennis racket to unwind while navigating the daily grind of helping growth-stage tech startups drive adoption and awareness of their products through tailored content strategies that translate concepts from arcane technical domains into plain and accessible language.