v4.11.0

feat(remoteingress-core): add UDP tunneling support between edge and hub
v4.10.0
2026-03-19 12:02:41 +00:00 · 2026-03-19 12:02:41 +00:00 · 2026-03-19 10:44:22 +00:00 · 2026-03-19 10:44:22 +00:00 · 2026-03-18 00:30:03 +00:00 · 2026-03-18 00:30:03 +00:00
18 changed files with 3329 additions and 383 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,11 +1,61 @@
 # Changelog

-## 2026-03-17 - 4.8.14 - fix(rust-core,protocol)
-eliminate edge stream registration races and reduce frame buffering copies
+## 2026-03-19 - 4.11.0 - feat(remoteingress-core)
+add UDP tunneling support between edge and hub

- replace Vec<u8> tunnel/frame buffers with bytes::Bytes and BytesMut for lower-copy frame parsing and queueing
- move edge stream ownership into the main I/O loop with explicit register and cleanup channels to ensure streams are registered before OPEN processing
- add proactive send window clamping so active streams converge immediately to adaptive flow-control targets
+- extend edge and hub handshake/config updates with UDP listen ports
+- add UDP tunnel frame types and PROXY protocol v2 header helpers in the protocol crate
+- introduce UDP session management on the edge and upstream UDP forwarding on the hub
+- add Node.js integration tests covering UDP echo and concurrent datagrams
+- expose UDP listen port configuration in the TypeScript hub API
+
+## 2026-03-19 - 4.10.0 - feat(core,edge,hub,transport)
+add QUIC tunnel transport support with optional edge transport selection
+
+- adds a shared transport module with QUIC configuration helpers, control message framing, and PROXY header handling
+- enables the hub to accept QUIC connections on the tunnel port alongside existing TCP/TLS support
+- adds edge transportMode configuration with quic and quicWithFallback options and propagates it through restarts
+- includes end-to-end QUIC transport tests covering large payloads and concurrent streams
+
+## 2026-03-18 - 4.9.1 - fix(readme)
+document QoS tiers, heartbeat frames, and adaptive flow control in the protocol overview
+
+- Adds PING, PONG, WINDOW_UPDATE, and WINDOW_UPDATE_BACK frame types to the protocol documentation
+- Describes the 3-tier priority queues for control, normal data, and sustained traffic
+- Explains sustained stream classification and adaptive per-stream window sizing
+
+## 2026-03-18 - 4.9.0 - feat(protocol)
+add sustained-stream tunnel scheduling to isolate high-throughput traffic
+
+- Introduce a third low-priority sustained queue in TunnelIo with a forced drain budget to prevent long-lived high-bandwidth streams from starving control and normal data frames.
+- Classify upload and download streams as sustained after exceeding the throughput threshold for the minimum duration, and route their DATA and CLOSE frames through the sustained channel.
+- Wire the new sustained channel through edge and hub stream handling so sustained traffic is scheduled consistently on both sides of the tunnel.
+
+## 2026-03-18 - 4.8.19 - fix(remoteingress-protocol)
+reduce per-stream flow control windows and increase control channel buffering
+
+- Lower the initial and maximum per-stream window from 16MB to 4MB and scale adaptive windows against a 200MB total budget with a 1MB minimum.
+- Increase edge and hub control frame channel capacity from 256 to 512 to better handle prioritized control traffic.
+- Update flow-control tests and comments to reflect the new window sizing and budget behavior.
+
+## 2026-03-17 - 4.8.18 - fix(rust-protocol)
+switch tunnel frame buffers from Vec<u8> to Bytes to reduce copying and memory overhead
+
+- Add the bytes crate to core and protocol crates
+- Update frame encoding, reader payloads, channel queues, and stream backchannels to use Bytes
+- Adjust edge and hub data/control paths to send framed payloads as Bytes
+
+## 2026-03-17 - 4.8.17 - fix(protocol)
+increase per-stream flow control windows and remove adaptive read caps
+
+- Raise the initial per-stream window from 4MB to 16MB and expand the adaptive window budget to 800MB with a 4MB floor
+- Stop limiting edge and hub reads by the adaptive per-stream target window, keeping reads capped only by the current window and 32KB chunk size
+- Update protocol tests to match the new adaptive window scaling and budget boundaries
+
+## 2026-03-17 - 4.8.16 - fix(release)
+bump package version to 4.8.15
+
+- Updates the package.json version field from 4.8.13 to 4.8.15.

 ## 2026-03-17 - 4.8.13 - fix(remoteingress-protocol)
 require a flush after each written frame to bound TLS buffer growth
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@serve.zone/remoteingress",
-  "version": "4.8.14",
+  "version": "4.11.0",
  "private": false,
  "description": "Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.",
  "main": "dist_ts/index.js",
--- a/readme.md
+++ b/readme.md
@@ -17,7 +17,7 @@ pnpm install @serve.zone/remoteingress
 `@serve.zone/remoteingress` uses a **Hub/Edge** topology with a high-performance Rust core and a TypeScript API surface:

 ```
-┌─────────────────────┐          TLS Tunnel           ┌─────────────────────┐
+┌─────────────────────┐          TLS Tunnel            ┌─────────────────────┐
 │   Network Edge      │  ◄══════════════════════════►  │   Private Cluster   │
 │                     │   (multiplexed frames +        │                     │
 │  RemoteIngressEdge  │    shared-secret auth)         │  RemoteIngressHub   │
@@ -48,6 +48,8 @@ pnpm install @serve.zone/remoteingress
 - 🎛️ **Dynamic port configuration** — the hub assigns listen ports per edge and can hot-reload them at runtime via `FRAME_CONFIG` frames
 - 📣 **Event-driven** — both Hub and Edge extend `EventEmitter` for real-time monitoring
 - ⚡ **Rust core** — all frame encoding, TLS, and TCP proxying happen in native code for maximum throughput
+- 🎚️ **3-tier QoS** — control frames, normal data, and sustained (elephant flow) traffic each get their own priority queue
+- 📊 **Adaptive flow control** — per-stream windows scale with active stream count to prevent memory overuse

 ## 🚀 Usage

@@ -280,6 +282,10 @@ The tunnel uses a custom binary frame protocol over TLS:
 | `DATA_BACK` | `0x04` | Hub → Edge | Response data flowing downstream |
 | `CLOSE_BACK` | `0x05` | Hub → Edge | Upstream (SmartProxy) closed the connection |
 | `CONFIG` | `0x06` | Hub → Edge | Runtime configuration update (e.g. port changes); payload is JSON |
+| `PING` | `0x07` | Hub → Edge | Heartbeat probe (sent every 15s) |
+| `PONG` | `0x08` | Edge → Hub | Heartbeat response |
+| `WINDOW_UPDATE` | `0x09` | Edge → Hub | Per-stream flow control: edge consumed N bytes, hub can send more |
+| `WINDOW_UPDATE_BACK` | `0x0A` | Hub → Edge | Per-stream flow control: hub consumed N bytes, edge can send more |

 Max payload size per frame: **16 MB**. Stream IDs are 32-bit unsigned integers.

@@ -292,6 +298,42 @@ Max payload size per frame: **16 MB**. Stream IDs are 32-bit unsigned integers.
 5. Frame protocol begins — `OPEN`/`DATA`/`CLOSE` frames flow in both directions
 6. Hub can push `CONFIG` frames at any time to update the edge's listen ports

+## 🎚️ QoS & Flow Control
+
+The tunnel multiplexer uses a **3-tier priority system** and **per-stream flow control** to ensure fair bandwidth sharing across thousands of concurrent streams.
+
+### Priority Tiers
+
+All outbound frames are queued into one of three priority levels:
+
+| Tier | Queue | Frames | Behavior |
+|------|-------|--------|----------|
+| 🔴 **Control** (highest) | `ctrl_queue` | PING, PONG, WINDOW_UPDATE, OPEN, CLOSE, CONFIG | Always drained first. Never delayed. |
+| 🟡 **Data** (normal) | `data_queue` | DATA, DATA_BACK from normal streams | Drained when ctrl is empty. Gated at 64 buffered items for backpressure. |
+| 🟢 **Sustained** (lowest) | `sustained_queue` | DATA, DATA_BACK from elephant flows | Drained freely when ctrl+data are empty. Otherwise guaranteed **1 MB/s** via forced drain every second. |
+
+This prevents large bulk transfers (e.g. git clones, file downloads) from starving interactive traffic and ensures `WINDOW_UPDATE` frames are never delayed — which would cause flow control deadlocks.
+
+### Sustained Stream Classification
+
+A stream is automatically classified as **sustained** (elephant flow) when:
+- It has been active for **>10 seconds**, AND
+- Its average throughput exceeds **20 Mbit/s** (2.5 MB/s)
+
+Once classified, the stream's flow control window is locked to the **1 MB floor** and its data frames move to the lowest-priority queue. Classification is one-way — a stream never gets promoted back to normal.
+
+### Adaptive Per-Stream Windows
+
+Each stream has a send window that limits bytes-in-flight. The window size adapts to the number of active streams using a shared **200 MB memory budget**:
+
+| Active Streams | Window per Stream |
+|---|---|
+| 1–50 | 4 MB (maximum) |
+| 51–100 | Scales down (4 MB → 2 MB) |
+| 200+ | 1 MB (floor) |
+
+The consumer sends `WINDOW_UPDATE` frames after processing data, allowing the producer to send more. This prevents any single stream from consuming unbounded memory and provides natural backpressure.
+
 ## 💡 Example Scenarios

 ### 1. Expose a Private Kubernetes Cluster to the Internet
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -95,6 +95,12 @@ version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"

+[[package]]
+name = "bumpalo"
+version = "3.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
+
 [[package]]
 name = "bytes"
 version = "1.11.1"
@@ -113,12 +119,24 @@ dependencies = [
 "shlex",
 ]

+[[package]]
+name = "cesu8"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
+
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"

+[[package]]
+name = "cfg_aliases"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
+
 [[package]]
 name = "clap"
 version = "4.5.58"
@@ -174,6 +192,32 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"

+[[package]]
+name = "combine"
+version = "4.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
+dependencies = [
+ "bytes",
+ "memchr",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
 [[package]]
 name = "deranged"
 version = "0.5.6"
@@ -222,6 +266,18 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

+[[package]]
+name = "fastbloom"
+version = "0.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e7f34442dbe69c60fe8eaf58a8cafff81a1f278816d8ab4db255b3bef4ac3c4"
+dependencies = [
+ "getrandom 0.3.4",
+ "libm",
+ "rand",
+ "siphasher",
+]
+
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -253,8 +309,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
 dependencies = [
 "cfg-if",
+ "js-sys",
 "libc",
 "wasi",
+ "wasm-bindgen",
 ]

 [[package]]
@@ -264,9 +322,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
 dependencies = [
 "cfg-if",
+ "js-sys",
 "libc",
 "r-efi",
 "wasip2",
+ "wasm-bindgen",
 ]

 [[package]]
@@ -311,6 +371,28 @@ dependencies = [
 "syn",
 ]

+[[package]]
+name = "jni"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
+dependencies = [
+ "cesu8",
+ "cfg-if",
+ "combine",
+ "jni-sys",
+ "log",
+ "thiserror 1.0.69",
+ "walkdir",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
+
 [[package]]
 name = "jobserver"
 version = "0.1.34"
@@ -321,12 +403,28 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "js-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "libc"
 version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"

+[[package]]
+name = "libm"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
+
 [[package]]
 name = "libmimalloc-sys"
 version = "0.1.44"
@@ -352,6 +450,12 @@ version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"

+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "memchr"
 version = "2.8.0"
@@ -396,6 +500,12 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"

+[[package]]
+name = "openssl-probe"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
+
 [[package]]
 name = "parking_lot"
 version = "0.12.5"
@@ -456,6 +566,15 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"

+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -465,6 +584,63 @@ dependencies = [
 "unicode-ident",
 ]

+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2 0.6.2",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+dependencies = [
+ "bytes",
+ "fastbloom",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "rustls-platform-verifier",
+ "slab",
+ "thiserror 2.0.18",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2 0.6.2",
+ "tracing",
+ "windows-sys 0.60.2",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.44"
@@ -480,6 +656,35 @@ version = "5.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"

+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.13.2"
@@ -553,6 +758,7 @@ version = "2.0.0"
 dependencies = [
 "bytes",
 "log",
+ "quinn",
 "rcgen",
 "remoteingress-protocol",
 "rustls",
@@ -589,6 +795,12 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
 [[package]]
 name = "rustls"
 version = "0.23.36"
@@ -605,6 +817,18 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "rustls-native-certs"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
+dependencies = [
+ "openssl-probe",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
 [[package]]
 name = "rustls-pemfile"
 version = "2.2.0"
@@ -620,9 +844,37 @@ version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
 dependencies = [
+ "web-time",
 "zeroize",
 ]

+[[package]]
+name = "rustls-platform-verifier"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
+dependencies = [
+ "core-foundation",
+ "core-foundation-sys",
+ "jni",
+ "log",
+ "once_cell",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-platform-verifier-android",
+ "rustls-webpki",
+ "security-framework",
+ "security-framework-sys",
+ "webpki-root-certs",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls-platform-verifier-android"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.9"
@@ -635,12 +887,59 @@ dependencies = [
 "untrusted",
 ]

+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

+[[package]]
+name = "security-framework"
+version = "3.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -700,6 +999,18 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "siphasher"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e"
+
+[[package]]
+name = "slab"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -749,6 +1060,46 @@ dependencies = [
 "unicode-ident",
 ]

+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "time"
 version = "0.3.47"
@@ -768,6 +1119,21 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"

+[[package]]
+name = "tinyvec"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
 [[package]]
 name = "tokio"
 version = "1.49.0"
@@ -819,6 +1185,26 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "tracing"
+version = "0.1.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
+dependencies = [
+ "log",
+ "pin-project-lite",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
+dependencies = [
+ "once_cell",
+]
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
@@ -837,6 +1223,16 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"

+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "wasi"
 version = "0.11.1+wasi-snapshot-preview1"
@@ -852,12 +1248,94 @@ dependencies = [
 "wit-bindgen",
 ]

+[[package]]
+name = "wasm-bindgen"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
+dependencies = [
+ "bumpalo",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-root-certs"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "804f18a4ac2676ffb4e8b5b5fa9ae38af06df08162314f96a68d2a363e21a8ca"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"

+[[package]]
+name = "windows-sys"
+version = "0.45.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
+dependencies = [
+ "windows-targets 0.42.2",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -885,6 +1363,21 @@ dependencies = [
 "windows-link",
 ]

+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -918,6 +1411,12 @@ dependencies = [
 "windows_x86_64_msvc 0.53.1",
 ]

+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -930,6 +1429,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"

+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -942,6 +1447,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"

+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -966,6 +1477,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"

+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -978,6 +1495,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"

+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -990,6 +1513,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"

+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -1002,6 +1531,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"

+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -1029,6 +1564,26 @@ dependencies = [
 "time",
 ]

+[[package]]
+name = "zerocopy"
+version = "0.8.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "zeroize"
 version = "1.8.2"
--- a/rust/crates/remoteingress-core/Cargo.toml
+++ b/rust/crates/remoteingress-core/Cargo.toml
@@ -16,3 +16,4 @@ log = "0.4"
 rustls-pemfile = "2"
 tokio-util = "0.7"
 socket2 = "0.5"
+quinn = "0.11"
--- a/rust/crates/remoteingress-core/src/edge.rs
+++ b/rust/crates/remoteingress-core/src/edge.rs
--- a/rust/crates/remoteingress-core/src/hub.rs
+++ b/rust/crates/remoteingress-core/src/hub.rs
@@ -3,7 +3,7 @@ use std::sync::Arc;
 use std::sync::atomic::{AtomicU32, Ordering};
 use std::time::Duration;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::net::{TcpListener, TcpStream};
+use tokio::net::{TcpListener, TcpStream, UdpSocket};
 use tokio::sync::{mpsc, Mutex, Notify, RwLock, Semaphore};
 use tokio::time::{interval, sleep_until, Instant};
 use tokio_rustls::TlsAcceptor;
@@ -12,6 +12,7 @@ use serde::{Deserialize, Serialize};

 use bytes::Bytes;
 use remoteingress_protocol::*;
+use crate::transport::quic as quic_transport;

 type HubTlsStream = tokio_rustls::server::TlsStream<TcpStream>;

@@ -22,6 +23,14 @@ enum FrameAction {
    Disconnect(String),
 }

+/// Per-UDP-session state tracked in the hub.
+struct HubUdpSessionState {
+    /// Channel for forwarding datagrams from edge to the upstream UdpSocket task.
+    data_tx: mpsc::Sender<Bytes>,
+    /// Cancellation token for this session's upstream task.
+    cancel_token: CancellationToken,
+}
+
 /// Per-stream state tracked in the hub's stream map.
 struct HubStreamState {
    /// Unbounded channel to deliver FRAME_DATA payloads to the upstream writer task.
@@ -68,6 +77,8 @@ pub struct AllowedEdge {
    pub secret: String,
    #[serde(default)]
    pub listen_ports: Vec<u16>,
+    #[serde(default)]
+    pub listen_ports_udp: Vec<u16>,
    pub stun_interval_secs: Option<u64>,
 }

@@ -76,6 +87,8 @@ pub struct AllowedEdge {
 #[serde(rename_all = "camelCase")]
 struct HandshakeResponse {
    listen_ports: Vec<u16>,
+    #[serde(default)]
+    listen_ports_udp: Vec<u16>,
    stun_interval_secs: u64,
 }

@@ -84,6 +97,8 @@ struct HandshakeResponse {
 #[serde(rename_all = "camelCase")]
 pub struct EdgeConfigUpdate {
    pub listen_ports: Vec<u16>,
+    #[serde(default)]
+    pub listen_ports_udp: Vec<u16>,
 }

 /// Runtime status of a connected edge.
@@ -178,12 +193,13 @@ impl TunnelHub {
            if let Some(info) = connected.get(&edge.id) {
                // Check if ports changed compared to old config
                let ports_changed = match map.get(&edge.id) {
-                    Some(old) => old.listen_ports != edge.listen_ports,
+                    Some(old) => old.listen_ports != edge.listen_ports || old.listen_ports_udp != edge.listen_ports_udp,
                    None => true, // newly allowed edge that's already connected
                };
                if ports_changed {
                    let update = EdgeConfigUpdate {
                        listen_ports: edge.listen_ports.clone(),
+                        listen_ports_udp: edge.listen_ports_udp.clone(),
                    };
                    let _ = info.config_tx.try_send(update);
                }
@@ -216,14 +232,35 @@ impl TunnelHub {
        }
    }

-    /// Start the hub — listen for TLS connections from edges.
+    /// Start the hub — listen for TLS connections (TCP) and QUIC connections (UDP) from edges.
    pub async fn start(&self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        let config = self.config.read().await.clone();
        let tls_config = build_tls_config(&config)?;
-        let acceptor = TlsAcceptor::from(Arc::new(tls_config));
+        let acceptor = TlsAcceptor::from(Arc::new(tls_config.clone()));

        let listener = TcpListener::bind(("0.0.0.0", config.tunnel_port)).await?;
-        log::info!("Hub listening on port {}", config.tunnel_port);
+        log::info!("Hub listening on TCP port {}", config.tunnel_port);
+
+        // Start QUIC endpoint on the same port (UDP)
+        let quic_endpoint = match quic_transport::build_quic_server_config(tls_config) {
+            Ok(quic_server_config) => {
+                let bind_addr: std::net::SocketAddr = ([0, 0, 0, 0], config.tunnel_port).into();
+                match quinn::Endpoint::server(quic_server_config, bind_addr) {
+                    Ok(ep) => {
+                        log::info!("Hub listening on QUIC/UDP port {}", config.tunnel_port);
+                        Some(ep)
+                    }
+                    Err(e) => {
+                        log::warn!("Failed to start QUIC endpoint: {} (QUIC disabled)", e);
+                        None
+                    }
+                }
+            }
+            Err(e) => {
+                log::warn!("Failed to build QUIC server config: {} (QUIC disabled)", e);
+                None
+            }
+        };

        let (shutdown_tx, mut shutdown_rx) = mpsc::channel::<()>(1);
        *self.shutdown_tx.lock().await = Some(shutdown_tx);
@@ -236,12 +273,62 @@ impl TunnelHub {
        let hub_token = self.cancel_token.clone();

        tokio::spawn(async move {
+            // Spawn QUIC acceptor as a separate task
+            let quic_handle = if let Some(quic_ep) = quic_endpoint {
+                let allowed_q = allowed.clone();
+                let connected_q = connected.clone();
+                let event_tx_q = event_tx.clone();
+                let target_q = target_host.clone();
+                let hub_token_q = hub_token.clone();
+                Some(tokio::spawn(async move {
+                    loop {
+                        tokio::select! {
+                            incoming = quic_ep.accept() => {
+                                match incoming {
+                                    Some(incoming) => {
+                                        let allowed = allowed_q.clone();
+                                        let connected = connected_q.clone();
+                                        let event_tx = event_tx_q.clone();
+                                        let target = target_q.clone();
+                                        let edge_token = hub_token_q.child_token();
+                                        let peer_addr = incoming.remote_address().ip().to_string();
+                                        tokio::spawn(async move {
+                                            // Accept the QUIC connection
+                                            let quic_conn = match incoming.await {
+                                                Ok(c) => c,
+                                                Err(e) => {
+                                                    log::error!("QUIC connection error: {}", e);
+                                                    return;
+                                                }
+                                            };
+                                            if let Err(e) = handle_edge_connection_quic(
+                                                quic_conn, allowed, connected, event_tx, target, edge_token, peer_addr,
+                                            ).await {
+                                                log::error!("QUIC edge connection error: {}", e);
+                                            }
+                                        });
+                                    }
+                                    None => {
+                                        log::info!("QUIC endpoint closed");
+                                        break;
+                                    }
+                                }
+                            }
+                            _ = hub_token_q.cancelled() => break,
+                        }
+                    }
+                }))
+            } else {
+                None
+            };
+
+            // TCP+TLS acceptor loop
            loop {
                tokio::select! {
                    result = listener.accept() => {
                        match result {
                            Ok((stream, addr)) => {
-                                log::info!("Edge connection from {}", addr);
+                                log::info!("Edge connection from {} (TCP+TLS)", addr);
                                let acceptor = acceptor.clone();
                                let allowed = allowed.clone();
                                let connected = connected.clone();
@@ -272,6 +359,11 @@ impl TunnelHub {
                    }
                }
            }
+
+            // Abort QUIC acceptor if running
+            if let Some(h) = quic_handle {
+                h.abort();
+            }
        });

        Ok(())
@@ -304,12 +396,14 @@ async fn handle_hub_frame(
    frame: Frame,
    tunnel_io: &mut remoteingress_protocol::TunnelIo<HubTlsStream>,
    streams: &mut HashMap<u32, HubStreamState>,
+    udp_sessions: &mut HashMap<u32, HubUdpSessionState>,
    stream_semaphore: &Arc<Semaphore>,
    edge_stream_count: &Arc<AtomicU32>,
    edge_id: &str,
    event_tx: &mpsc::Sender<HubEvent>,
    ctrl_tx: &mpsc::Sender<Bytes>,
    data_tx: &mpsc::Sender<Bytes>,
+    sustained_tx: &mpsc::Sender<Bytes>,
    target_host: &str,
    edge_token: &CancellationToken,
    cleanup_tx: &mpsc::Sender<u32>,
@@ -338,6 +432,7 @@ async fn handle_hub_frame(
            let cleanup = cleanup_tx.clone();
            let writer_tx = ctrl_tx.clone();   // control: CLOSE_BACK, WINDOW_UPDATE_BACK
            let data_writer_tx = data_tx.clone(); // data: DATA_BACK
+            let sustained_writer_tx = sustained_tx.clone(); // sustained: DATA_BACK from elephant flows
            let target = target_host.to_string();
            let stream_token = edge_token.child_token();

@@ -349,7 +444,7 @@ async fn handle_hub_frame(
            // Create channel for data from edge to this stream
            let (stream_data_tx, mut stream_data_rx) = mpsc::unbounded_channel::<Bytes>();
            // Adaptive initial window: scale with current stream count
-            // to keep total in-flight data within the 32MB budget.
+            // to keep total in-flight data within the 200MB budget.
            let initial_window = compute_window_for_stream_count(
                edge_stream_count.load(Ordering::Relaxed),
            );
@@ -458,6 +553,9 @@ async fn handle_hub_frame(
                    // with per-stream flow control (check send_window before reading).
                    // Zero-copy: read payload directly after the header, then prepend header.
                    let mut buf = vec![0u8; FRAME_HEADER_SIZE + 32768];
+                    let mut dl_bytes_sent: u64 = 0;
+                    let dl_start = tokio::time::Instant::now();
+                    let mut is_sustained = false;
                    loop {
                        // Wait for send window to have capacity (with stall timeout).
                        // Safe pattern: register notified BEFORE checking the condition
@@ -479,12 +577,11 @@ async fn handle_hub_frame(
                        }
                        if stream_token.is_cancelled() { break; }

-                        // Proactive QoS: clamp send_window to current adaptive target so existing
-                        // streams converge immediately when concurrency increases (no drain cycle).
-                        let adaptive_target = remoteingress_protocol::compute_window_for_stream_count(
-                            stream_counter.load(Ordering::Relaxed),
-                        );
-                        let w = remoteingress_protocol::clamp_send_window(&send_window, adaptive_target) as usize;
+                        // Limit read size to available window.
+                        // IMPORTANT: if window is 0 (stall timeout fired), we must NOT
+                        // read into an empty buffer — read(&mut buf[..0]) returns Ok(0)
+                        // which would be falsely interpreted as EOF.
+                        let w = send_window.load(Ordering::Acquire) as usize;
                        if w == 0 {
                            log::warn!("Stream {} download: window still 0 after stall timeout, closing", stream_id);
                            break;
@@ -499,8 +596,21 @@ async fn handle_hub_frame(
                                        send_window.fetch_sub(n as u32, Ordering::Release);
                                        encode_frame_header(&mut buf, stream_id, FRAME_DATA_BACK, n);
                                        let frame = Bytes::copy_from_slice(&buf[..FRAME_HEADER_SIZE + n]);
+                                        // Sustained classification: >2.5 MB/s for >10 seconds
+                                        dl_bytes_sent += n as u64;
+                                        if !is_sustained {
+                                            let elapsed = dl_start.elapsed().as_secs();
+                                            if elapsed >= remoteingress_protocol::SUSTAINED_MIN_DURATION_SECS
+                                                && dl_bytes_sent / elapsed >= remoteingress_protocol::SUSTAINED_THRESHOLD_BPS
+                                            {
+                                                is_sustained = true;
+                                                log::debug!("Stream {} classified as sustained (download, {} bytes in {}s)",
+                                                    stream_id, dl_bytes_sent, elapsed);
+                                            }
+                                        }
+                                        let tx = if is_sustained { &sustained_writer_tx } else { &data_writer_tx };
                                        let sent = tokio::select! {
-                                            result = data_writer_tx.send(frame) => result.is_ok(),
+                                            result = tx.send(frame) => result.is_ok(),
                                            _ = stream_token.cancelled() => false,
                                        };
                                        if !sent { break; }
@@ -512,12 +622,13 @@ async fn handle_hub_frame(
                        }
                    }

-                    // Send CLOSE_BACK via DATA channel (must arrive AFTER last DATA_BACK).
+                    // Send CLOSE_BACK via same channel as DATA_BACK (must arrive AFTER last DATA_BACK).
                    // select! with cancellation guard prevents indefinite blocking if tunnel dies.
                    if !stream_token.is_cancelled() {
                        let close_frame = encode_frame(stream_id, FRAME_CLOSE_BACK, &[]);
+                        let tx = if is_sustained { &sustained_writer_tx } else { &data_writer_tx };
                        tokio::select! {
-                            _ = data_writer_tx.send(close_frame) => {}
+                            _ = tx.send(close_frame) => {}
                            _ = stream_token.cancelled() => {}
                        }
                    }
@@ -529,7 +640,9 @@ async fn handle_hub_frame(

                if let Err(e) = result {
                    log::error!("Stream {} error: {}", stream_id, e);
-                    // Send CLOSE_BACK via DATA channel on error (must arrive after any DATA_BACK).
+                    // Send CLOSE_BACK on error (must arrive after any DATA_BACK).
+                    // Error path: is_sustained not available here, use data channel (safe —
+                    // if error occurs before classification, no sustained frames were sent).
                    if !stream_token.is_cancelled() {
                        let close_frame = encode_frame(stream_id, FRAME_CLOSE_BACK, &[]);
                        tokio::select! {
@@ -585,6 +698,96 @@ async fn handle_hub_frame(
        FRAME_PONG => {
            log::debug!("Received PONG from edge {}", edge_id);
        }
+        FRAME_UDP_OPEN => {
+            // Open a UDP session: parse PROXY v2 header, connect upstream, start forwarding
+            let stream_id = frame.stream_id;
+            let dest_port = parse_dest_port_from_proxy_v2(&frame.payload).unwrap_or(53);
+            let target = target_host.to_string();
+            let data_writer_tx = data_tx.clone();
+            let session_token = edge_token.child_token();
+            let edge_id_str = edge_id.to_string();
+
+            // Channel for forwarding datagrams from edge to upstream
+            let (udp_tx, mut udp_rx) = mpsc::channel::<Bytes>(256);
+            udp_sessions.insert(stream_id, HubUdpSessionState {
+                data_tx: udp_tx,
+                cancel_token: session_token.clone(),
+            });
+
+            // Spawn upstream UDP forwarder
+            tokio::spawn(async move {
+                let upstream = match UdpSocket::bind("0.0.0.0:0").await {
+                    Ok(s) => s,
+                    Err(e) => {
+                        log::error!("UDP session {} failed to bind: {}", stream_id, e);
+                        return;
+                    }
+                };
+                if let Err(e) = upstream.connect((target.as_str(), dest_port)).await {
+                    log::error!("UDP session {} failed to connect to {}:{}: {}", stream_id, target, dest_port, e);
+                    return;
+                }
+
+                // Task: upstream -> edge (return datagrams)
+                let upstream_recv = Arc::new(upstream);
+                let upstream_send = upstream_recv.clone();
+                let recv_token = session_token.clone();
+                let recv_handle = tokio::spawn(async move {
+                    let mut buf = vec![0u8; 65536];
+                    loop {
+                        tokio::select! {
+                            result = upstream_recv.recv(&mut buf) => {
+                                match result {
+                                    Ok(len) => {
+                                        let frame = encode_frame(stream_id, FRAME_UDP_DATA_BACK, &buf[..len]);
+                                        if data_writer_tx.try_send(frame).is_err() {
+                                            break;
+                                        }
+                                    }
+                                    Err(e) => {
+                                        log::debug!("UDP session {} upstream recv error: {}", stream_id, e);
+                                        break;
+                                    }
+                                }
+                            }
+                            _ = recv_token.cancelled() => break,
+                        }
+                    }
+                });
+
+                // Forward datagrams from edge to upstream
+                loop {
+                    tokio::select! {
+                        data = udp_rx.recv() => {
+                            match data {
+                                Some(datagram) => {
+                                    if let Err(e) = upstream_send.send(&datagram).await {
+                                        log::debug!("UDP session {} upstream send error: {}", stream_id, e);
+                                        break;
+                                    }
+                                }
+                                None => break,
+                            }
+                        }
+                        _ = session_token.cancelled() => break,
+                    }
+                }
+
+                recv_handle.abort();
+                log::debug!("UDP session {} closed for edge {}", stream_id, edge_id_str);
+            });
+        }
+        FRAME_UDP_DATA => {
+            // Forward datagram to upstream
+            if let Some(state) = udp_sessions.get(&frame.stream_id) {
+                let _ = state.data_tx.try_send(frame.payload);
+            }
+        }
+        FRAME_UDP_CLOSE => {
+            if let Some(state) = udp_sessions.remove(&frame.stream_id) {
+                state.cancel_token.cancel();
+            }
+        }
        _ => {
            log::warn!("Unexpected frame type {} from edge", frame.frame_type);
        }
@@ -641,14 +844,14 @@ async fn handle_edge_connection(
    let secret = parts[2];

    // Verify credentials and extract edge config
-    let (listen_ports, stun_interval_secs) = {
+    let (listen_ports, listen_ports_udp, stun_interval_secs) = {
        let edges = allowed.read().await;
        match edges.get(&edge_id) {
            Some(edge) => {
                if !constant_time_eq(secret.as_bytes(), edge.secret.as_bytes()) {
                    return Err(format!("invalid secret for edge {}", edge_id).into());
                }
-                (edge.listen_ports.clone(), edge.stun_interval_secs.unwrap_or(300))
+                (edge.listen_ports.clone(), edge.listen_ports_udp.clone(), edge.stun_interval_secs.unwrap_or(300))
            }
            None => {
                return Err(format!("unknown edge {}", edge_id).into());
@@ -665,6 +868,7 @@ async fn handle_edge_connection(
    // Send handshake response with initial config before frame protocol begins
    let handshake = HandshakeResponse {
        listen_ports: listen_ports.clone(),
+        listen_ports_udp: listen_ports_udp.clone(),
        stun_interval_secs,
    };
    let mut handshake_json = serde_json::to_string(&handshake)?;
@@ -674,6 +878,7 @@ async fn handle_edge_connection(

    // Track this edge
    let mut streams: HashMap<u32, HubStreamState> = HashMap::new();
+    let mut udp_sessions: HashMap<u32, HubUdpSessionState> = HashMap::new();
    // Per-edge active stream counter for adaptive flow control
    let edge_stream_count = Arc::new(AtomicU32::new(0));
    // Cleanup channel: spawned stream tasks send stream_id here when done
@@ -709,8 +914,9 @@ async fn handle_edge_connection(

    // QoS dual-channel: ctrl frames have priority over data frames.
    // Stream handlers send through these channels -> TunnelIo drains them.
-    let (ctrl_tx, mut ctrl_rx) = mpsc::channel::<Bytes>(256);
+    let (ctrl_tx, mut ctrl_rx) = mpsc::channel::<Bytes>(512);
    let (data_tx, mut data_rx) = mpsc::channel::<Bytes>(4096);
+    let (sustained_tx, mut sustained_rx) = mpsc::channel::<Bytes>(4096);

    // Spawn task to forward config updates as FRAME_CONFIG frames
    let config_writer_tx = ctrl_tx.clone();
@@ -783,8 +989,9 @@ async fn handle_edge_connection(
            last_activity = Instant::now();
            liveness_deadline.as_mut().reset(last_activity + liveness_timeout_dur);
            if let FrameAction::Disconnect(reason) = handle_hub_frame(
-                frame, &mut tunnel_io, &mut streams, &stream_semaphore, &edge_stream_count,
-                &edge_id, &event_tx, &ctrl_tx, &data_tx, &target_host, &edge_token,
+                frame, &mut tunnel_io, &mut streams, &mut udp_sessions,
+                &stream_semaphore, &edge_stream_count,
+                &edge_id, &event_tx, &ctrl_tx, &data_tx, &sustained_tx, &target_host, &edge_token,
                &cleanup_tx,
            ).await {
                disconnect_reason = reason;
@@ -798,7 +1005,7 @@ async fn handle_edge_connection(
            if ping_ticker.poll_tick(cx).is_ready() {
                tunnel_io.queue_ctrl(encode_frame(0, FRAME_PING, &[]));
            }
-            tunnel_io.poll_step(cx, &mut ctrl_rx, &mut data_rx, &mut liveness_deadline, &edge_token)
+            tunnel_io.poll_step(cx, &mut ctrl_rx, &mut data_rx, &mut sustained_rx, &mut liveness_deadline, &edge_token)
        }).await;

        match event {
@@ -806,8 +1013,9 @@ async fn handle_edge_connection(
                last_activity = Instant::now();
                liveness_deadline.as_mut().reset(last_activity + liveness_timeout_dur);
                if let FrameAction::Disconnect(reason) = handle_hub_frame(
-                    frame, &mut tunnel_io, &mut streams, &stream_semaphore, &edge_stream_count,
-                    &edge_id, &event_tx, &ctrl_tx, &data_tx, &target_host, &edge_token,
+                    frame, &mut tunnel_io, &mut streams, &mut udp_sessions,
+                    &stream_semaphore, &edge_stream_count,
+                    &edge_id, &event_tx, &ctrl_tx, &data_tx, &sustained_tx, &target_host, &edge_token,
                    &cleanup_tx,
                ).await {
                    disconnect_reason = reason;
@@ -878,6 +1086,20 @@ fn parse_dest_port_from_proxy(header: &str) -> Option<u16> {
    }
 }

+/// Parse destination port from a PROXY protocol v2 binary header.
+/// The header must be at least 28 bytes (16 fixed + 12 IPv4 address block).
+/// Dest port is at bytes 26-27 (network byte order).
+fn parse_dest_port_from_proxy_v2(header: &[u8]) -> Option<u16> {
+    if header.len() < 28 {
+        return None;
+    }
+    // Verify signature
+    if header[0..12] != remoteingress_protocol::PROXY_V2_SIGNATURE {
+        return None;
+    }
+    Some(u16::from_be_bytes([header[26], header[27]]))
+}
+
 /// Build TLS server config from PEM strings, or auto-generate self-signed.
 fn build_tls_config(
    config: &HubConfig,
@@ -935,6 +1157,364 @@ fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    diff == 0
 }

+// ===== QUIC transport functions for hub =====
+
+/// Handle an edge connection arriving via QUIC.
+/// The first bidirectional stream is the control stream (auth + config).
+/// Subsequent bidirectional streams are tunneled client connections.
+async fn handle_edge_connection_quic(
+    quic_conn: quinn::Connection,
+    allowed: Arc<RwLock<HashMap<String, AllowedEdge>>>,
+    connected: Arc<Mutex<HashMap<String, ConnectedEdgeInfo>>>,
+    event_tx: mpsc::Sender<HubEvent>,
+    target_host: String,
+    edge_token: CancellationToken,
+    peer_addr: String,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    log::info!("QUIC edge connection from {}", peer_addr);
+
+    // Accept the control stream (first bidirectional stream from edge)
+    let (mut ctrl_send, mut ctrl_recv) = match quic_conn.accept_bi().await {
+        Ok(s) => s,
+        Err(e) => return Err(format!("QUIC control stream accept failed: {}", e).into()),
+    };
+
+    // Read auth line from control stream
+    let mut auth_buf = Vec::with_capacity(512);
+    loop {
+        let mut byte = [0u8; 1];
+        match ctrl_recv.read_exact(&mut byte).await {
+            Ok(()) => {
+                if byte[0] == b'\n' { break; }
+                auth_buf.push(byte[0]);
+                if auth_buf.len() > 4096 {
+                    return Err("QUIC auth line too long".into());
+                }
+            }
+            Err(e) => return Err(format!("QUIC auth read failed: {}", e).into()),
+        }
+    }
+    let auth_line = String::from_utf8(auth_buf)
+        .map_err(|_| "QUIC auth line not valid UTF-8")?;
+    let auth_line = auth_line.trim();
+
+    let parts: Vec<&str> = auth_line.splitn(3, ' ').collect();
+    if parts.len() != 3 || parts[0] != "EDGE" {
+        return Err("invalid QUIC auth line".into());
+    }
+
+    let edge_id = parts[1].to_string();
+    let secret = parts[2];
+
+    // Verify credentials
+    let (listen_ports, listen_ports_udp, stun_interval_secs) = {
+        let edges = allowed.read().await;
+        match edges.get(&edge_id) {
+            Some(edge) => {
+                if !constant_time_eq(secret.as_bytes(), edge.secret.as_bytes()) {
+                    return Err(format!("invalid secret for edge {}", edge_id).into());
+                }
+                (edge.listen_ports.clone(), edge.listen_ports_udp.clone(), edge.stun_interval_secs.unwrap_or(300))
+            }
+            None => return Err(format!("unknown edge {}", edge_id).into()),
+        }
+    };
+
+    log::info!("QUIC edge {} authenticated from {}", edge_id, peer_addr);
+    let _ = event_tx.try_send(HubEvent::EdgeConnected {
+        edge_id: edge_id.clone(),
+        peer_addr: peer_addr.clone(),
+    });
+
+    // Send handshake response on control stream
+    let handshake = HandshakeResponse {
+        listen_ports: listen_ports.clone(),
+        listen_ports_udp: listen_ports_udp.clone(),
+        stun_interval_secs,
+    };
+    let mut handshake_json = serde_json::to_string(&handshake)?;
+    handshake_json.push('\n');
+    ctrl_send.write_all(handshake_json.as_bytes()).await
+        .map_err(|e| format!("QUIC handshake write failed: {}", e))?;
+
+    // Track this edge
+    let edge_stream_count = Arc::new(AtomicU32::new(0));
+    let now = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs();
+
+    let (config_tx, mut config_rx) = mpsc::channel::<EdgeConfigUpdate>(16);
+
+    {
+        let mut edges = connected.lock().await;
+        if let Some(old) = edges.remove(&edge_id) {
+            log::info!("QUIC edge {} reconnected, cancelling old connection", edge_id);
+            old.cancel_token.cancel();
+        }
+        edges.insert(
+            edge_id.clone(),
+            ConnectedEdgeInfo {
+                connected_at: now,
+                peer_addr,
+                edge_stream_count: edge_stream_count.clone(),
+                config_tx,
+                cancel_token: edge_token.clone(),
+            },
+        );
+    }
+
+    let stream_semaphore = Arc::new(Semaphore::new(MAX_STREAMS_PER_EDGE));
+
+    // Spawn task to accept data streams (tunneled client connections)
+    let data_stream_conn = quic_conn.clone();
+    let data_target = target_host.clone();
+    let data_edge_id = edge_id.clone();
+    let data_event_tx = event_tx.clone();
+    let data_semaphore = stream_semaphore.clone();
+    let data_stream_count = edge_stream_count.clone();
+    let data_token = edge_token.clone();
+    let data_handle = tokio::spawn(async move {
+        let mut stream_id_counter: u32 = 0;
+        loop {
+            tokio::select! {
+                bi_result = data_stream_conn.accept_bi() => {
+                    match bi_result {
+                        Ok((quic_send, quic_recv)) => {
+                            // Check stream limit
+                            let permit = match data_semaphore.clone().try_acquire_owned() {
+                                Ok(p) => p,
+                                Err(_) => {
+                                    log::warn!("QUIC edge {} exceeded max streams, rejecting", data_edge_id);
+                                    // Drop the streams to reject
+                                    drop(quic_send);
+                                    drop(quic_recv);
+                                    continue;
+                                }
+                            };
+
+                            stream_id_counter += 1;
+                            let stream_id = stream_id_counter;
+                            let target = data_target.clone();
+                            let edge_id = data_edge_id.clone();
+                            let event_tx = data_event_tx.clone();
+                            let stream_count = data_stream_count.clone();
+                            let stream_token = data_token.child_token();
+
+                            let _ = event_tx.try_send(HubEvent::StreamOpened {
+                                edge_id: edge_id.clone(),
+                                stream_id,
+                            });
+
+                            stream_count.fetch_add(1, Ordering::Relaxed);
+                            tokio::spawn(async move {
+                                let _permit = permit;
+                                handle_quic_stream(
+                                    quic_send, quic_recv, stream_id,
+                                    &target, &edge_id, stream_token,
+                                ).await;
+                                stream_count.fetch_sub(1, Ordering::Relaxed);
+                                let _ = event_tx.try_send(HubEvent::StreamClosed {
+                                    edge_id,
+                                    stream_id,
+                                });
+                            });
+                        }
+                        Err(e) => {
+                            log::info!("QUIC edge {} accept_bi ended: {}", data_edge_id, e);
+                            break;
+                        }
+                    }
+                }
+                _ = data_token.cancelled() => break,
+            }
+        }
+    });
+
+    // Control stream loop: forward config updates and handle PONG
+    let disconnect_reason;
+    loop {
+        tokio::select! {
+            // Send config updates from hub to edge
+            update = config_rx.recv() => {
+                match update {
+                    Some(update) => {
+                        if let Ok(payload) = serde_json::to_vec(&update) {
+                            if let Err(e) = quic_transport::write_ctrl_message(
+                                &mut ctrl_send, quic_transport::CTRL_CONFIG, &payload,
+                            ).await {
+                                log::error!("QUIC config send to edge {} failed: {}", edge_id, e);
+                                disconnect_reason = format!("quic_config_send_failed: {}", e);
+                                break;
+                            }
+                            log::info!("Sent QUIC config update to edge {}: ports {:?}", edge_id, update.listen_ports);
+                        }
+                    }
+                    None => {
+                        disconnect_reason = "config_channel_closed".to_string();
+                        break;
+                    }
+                }
+            }
+            // Read control messages from edge (mainly PONG responses)
+            ctrl_msg = quic_transport::read_ctrl_message(&mut ctrl_recv) => {
+                match ctrl_msg {
+                    Ok(Some((msg_type, _payload))) => {
+                        match msg_type {
+                            quic_transport::CTRL_PONG => {
+                                log::debug!("Received QUIC PONG from edge {}", edge_id);
+                            }
+                            _ => {
+                                log::warn!("Unexpected QUIC control message type {} from edge {}", msg_type, edge_id);
+                            }
+                        }
+                    }
+                    Ok(None) => {
+                        log::info!("QUIC edge {} control stream EOF", edge_id);
+                        disconnect_reason = "quic_ctrl_eof".to_string();
+                        break;
+                    }
+                    Err(e) => {
+                        log::error!("QUIC edge {} control stream error: {}", edge_id, e);
+                        disconnect_reason = format!("quic_ctrl_error: {}", e);
+                        break;
+                    }
+                }
+            }
+            // QUIC connection closed
+            reason = quic_conn.closed() => {
+                log::info!("QUIC connection to edge {} closed: {}", edge_id, reason);
+                disconnect_reason = format!("quic_closed: {}", reason);
+                break;
+            }
+            // Hub-initiated cancellation
+            _ = edge_token.cancelled() => {
+                log::info!("QUIC edge {} cancelled by hub", edge_id);
+                disconnect_reason = "cancelled_by_hub".to_string();
+                break;
+            }
+        }
+    }
+
+    // Cleanup
+    edge_token.cancel();
+    data_handle.abort();
+    quic_conn.close(quinn::VarInt::from_u32(0), b"hub_shutdown");
+
+    {
+        let mut edges = connected.lock().await;
+        edges.remove(&edge_id);
+    }
+    let _ = event_tx.try_send(HubEvent::EdgeDisconnected {
+        edge_id,
+        reason: disconnect_reason,
+    });
+
+    Ok(())
+}
+
+/// Handle a single tunneled client connection arriving via a QUIC bidirectional stream.
+/// Reads the PROXY header, connects to SmartProxy, and pipes data bidirectionally.
+async fn handle_quic_stream(
+    mut quic_send: quinn::SendStream,
+    mut quic_recv: quinn::RecvStream,
+    stream_id: u32,
+    target_host: &str,
+    _edge_id: &str,
+    stream_token: CancellationToken,
+) {
+    // Read PROXY header from the beginning of the stream
+    let proxy_header = match quic_transport::read_proxy_header(&mut quic_recv).await {
+        Ok(h) => h,
+        Err(e) => {
+            log::error!("QUIC stream {} failed to read PROXY header: {}", stream_id, e);
+            return;
+        }
+    };
+
+    let dest_port = parse_dest_port_from_proxy(&proxy_header).unwrap_or(443);
+
+    // Connect to SmartProxy
+    let mut upstream = match tokio::time::timeout(
+        Duration::from_secs(10),
+        TcpStream::connect((target_host, dest_port)),
+    ).await {
+        Ok(Ok(s)) => s,
+        Ok(Err(e)) => {
+            log::error!("QUIC stream {} connect to {}:{} failed: {}", stream_id, target_host, dest_port, e);
+            return;
+        }
+        Err(_) => {
+            log::error!("QUIC stream {} connect to {}:{} timed out", stream_id, target_host, dest_port);
+            return;
+        }
+    };
+
+    let _ = upstream.set_nodelay(true);
+    // Send PROXY header to SmartProxy
+    if let Err(e) = upstream.write_all(proxy_header.as_bytes()).await {
+        log::error!("QUIC stream {} failed to write PROXY header to upstream: {}", stream_id, e);
+        return;
+    }
+
+    let (mut up_read, mut up_write) = upstream.into_split();
+
+    // Task: QUIC -> upstream (edge data to SmartProxy)
+    let writer_token = stream_token.clone();
+    let writer_task = tokio::spawn(async move {
+        let mut buf = vec![0u8; 32768];
+        loop {
+            tokio::select! {
+                read_result = quic_recv.read(&mut buf) => {
+                    match read_result {
+                        Ok(Some(n)) => {
+                            let write_result = tokio::select! {
+                                r = tokio::time::timeout(
+                                    Duration::from_secs(60),
+                                    up_write.write_all(&buf[..n]),
+                                ) => r,
+                                _ = writer_token.cancelled() => break,
+                            };
+                            match write_result {
+                                Ok(Ok(())) => {}
+                                Ok(Err(_)) => break,
+                                Err(_) => break,
+                            }
+                        }
+                        Ok(None) => break, // QUIC stream finished
+                        Err(_) => break,
+                    }
+                }
+                _ = writer_token.cancelled() => break,
+            }
+        }
+        let _ = up_write.shutdown().await;
+    });
+
+    // Task: upstream -> QUIC (SmartProxy data to edge)
+    let mut buf = vec![0u8; 32768];
+    loop {
+        tokio::select! {
+            read_result = up_read.read(&mut buf) => {
+                match read_result {
+                    Ok(0) => break,
+                    Ok(n) => {
+                        if quic_send.write_all(&buf[..n]).await.is_err() {
+                            break;
+                        }
+                    }
+                    Err(_) => break,
+                }
+            }
+            _ = stream_token.cancelled() => break,
+        }
+    }
+
+    // Gracefully close the QUIC send stream
+    let _ = quic_send.finish();
+    writer_task.abort();
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -1040,6 +1620,7 @@ mod tests {
    fn test_handshake_response_serializes_camel_case() {
        let resp = HandshakeResponse {
            listen_ports: vec![443, 8080],
+            listen_ports_udp: vec![],
            stun_interval_secs: 300,
        };
        let json = serde_json::to_value(&resp).unwrap();
@@ -1054,9 +1635,11 @@ mod tests {
    fn test_edge_config_update_serializes_camel_case() {
        let update = EdgeConfigUpdate {
            listen_ports: vec![80, 443],
+            listen_ports_udp: vec![53],
        };
        let json = serde_json::to_value(&update).unwrap();
        assert_eq!(json["listenPorts"], serde_json::json!([80, 443]));
+        assert_eq!(json["listenPortsUdp"], serde_json::json!([53]));
        assert!(json.get("listen_ports").is_none());
    }

--- a/rust/crates/remoteingress-core/src/lib.rs
+++ b/rust/crates/remoteingress-core/src/lib.rs
@@ -1,5 +1,7 @@
 pub mod hub;
 pub mod edge;
 pub mod stun;
+pub mod transport;
+pub mod udp_session;

 pub use remoteingress_protocol as protocol;
--- a/rust/crates/remoteingress-core/src/transport/mod.rs
+++ b/rust/crates/remoteingress-core/src/transport/mod.rs
@@ -0,0 +1,22 @@
+pub mod quic;
+
+use serde::{Deserialize, Serialize};
+
+/// Transport mode for the tunnel connection between edge and hub.
+///
+/// - `TcpTls`: TCP + TLS with frame-based multiplexing via TunnelIo (default).
+/// - `Quic`: QUIC with native stream multiplexing (one QUIC stream per tunneled connection).
+/// - `QuicWithFallback`: Try QUIC first, fall back to TCP+TLS if UDP is blocked.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub enum TransportMode {
+    TcpTls,
+    Quic,
+    QuicWithFallback,
+}
+
+impl Default for TransportMode {
+    fn default() -> Self {
+        TransportMode::TcpTls
+    }
+}
--- a/rust/crates/remoteingress-core/src/transport/quic.rs
+++ b/rust/crates/remoteingress-core/src/transport/quic.rs
@@ -0,0 +1,191 @@
+use std::sync::Arc;
+
+/// QUIC control stream message types (reuses frame type constants for consistency).
+pub const CTRL_CONFIG: u8 = 0x06;
+pub const CTRL_PING: u8 = 0x07;
+pub const CTRL_PONG: u8 = 0x08;
+
+/// Header size for control stream messages: [type:1][length:4] = 5 bytes.
+pub const CTRL_HEADER_SIZE: usize = 5;
+
+/// Build a quinn ClientConfig that skips server certificate verification
+/// (auth is via shared secret, same as the TCP+TLS path).
+pub fn build_quic_client_config() -> quinn::ClientConfig {
+    let mut tls_config = rustls::ClientConfig::builder()
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(NoCertVerifier))
+        .with_no_client_auth();
+
+    // QUIC mandates ALPN negotiation (RFC 9001 §8.1).
+    // Must match the server's ALPN protocol.
+    tls_config.alpn_protocols = vec![b"remoteingress".to_vec()];
+
+    let quic_config = quinn::crypto::rustls::QuicClientConfig::try_from(tls_config)
+        .expect("failed to build QUIC client config from rustls config");
+
+    let mut transport = quinn::TransportConfig::default();
+    transport.keep_alive_interval(Some(std::time::Duration::from_secs(15)));
+    transport.max_idle_timeout(Some(
+        quinn::IdleTimeout::try_from(std::time::Duration::from_secs(45)).unwrap(),
+    ));
+    // Match MAX_STREAMS_PER_EDGE (1024) from hub.rs.
+    // Default is 100 which is too low for high-concurrency tunneling.
+    transport.max_concurrent_bidi_streams(1024u32.into());
+
+    let mut client_config = quinn::ClientConfig::new(Arc::new(quic_config));
+    client_config.transport_config(Arc::new(transport));
+    client_config
+}
+
+/// Build a quinn ServerConfig from the same TLS server config used for TCP+TLS.
+pub fn build_quic_server_config(
+    tls_server_config: rustls::ServerConfig,
+) -> Result<quinn::ServerConfig, Box<dyn std::error::Error + Send + Sync>> {
+    let quic_config = quinn::crypto::rustls::QuicServerConfig::try_from(tls_server_config)?;
+
+    let mut transport = quinn::TransportConfig::default();
+    transport.keep_alive_interval(Some(std::time::Duration::from_secs(15)));
+    transport.max_idle_timeout(Some(
+        quinn::IdleTimeout::try_from(std::time::Duration::from_secs(45)).unwrap(),
+    ));
+    transport.max_concurrent_bidi_streams(1024u32.into());
+
+    let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_config));
+    server_config.transport_config(Arc::new(transport));
+    Ok(server_config)
+}
+
+/// Write a control message to a QUIC send stream.
+/// Format: [type:1][length:4][payload:N]
+pub async fn write_ctrl_message(
+    send: &mut quinn::SendStream,
+    msg_type: u8,
+    payload: &[u8],
+) -> Result<(), std::io::Error> {
+    let len = payload.len() as u32;
+    let mut header = [0u8; CTRL_HEADER_SIZE];
+    header[0] = msg_type;
+    header[1..5].copy_from_slice(&len.to_be_bytes());
+    send.write_all(&header).await?;
+    if !payload.is_empty() {
+        send.write_all(payload).await?;
+    }
+    Ok(())
+}
+
+/// Read a control message from a QUIC recv stream.
+/// Returns (msg_type, payload). Returns None on EOF.
+pub async fn read_ctrl_message(
+    recv: &mut quinn::RecvStream,
+) -> Result<Option<(u8, Vec<u8>)>, std::io::Error> {
+    let mut header = [0u8; CTRL_HEADER_SIZE];
+    match recv.read_exact(&mut header).await {
+        Ok(()) => {}
+        Err(e) => {
+            if let quinn::ReadExactError::FinishedEarly(_) = e {
+                return Ok(None);
+            }
+            return Err(std::io::Error::new(std::io::ErrorKind::Other, e));
+        }
+    }
+    let msg_type = header[0];
+    let len = u32::from_be_bytes([header[1], header[2], header[3], header[4]]) as usize;
+    let mut payload = vec![0u8; len];
+    if len > 0 {
+        recv.read_exact(&mut payload).await.map_err(|e| {
+            std::io::Error::new(std::io::ErrorKind::Other, e)
+        })?;
+    }
+    Ok(Some((msg_type, payload)))
+}
+
+/// Write the PROXY v1 header as the first bytes on a QUIC data stream.
+/// The header is length-prefixed so the receiver knows where it ends and data begins.
+/// Format: [header_len:4][proxy_header:N]
+pub async fn write_proxy_header(
+    send: &mut quinn::SendStream,
+    proxy_header: &str,
+) -> Result<(), std::io::Error> {
+    let header_bytes = proxy_header.as_bytes();
+    let len = header_bytes.len() as u32;
+    send.write_all(&len.to_be_bytes()).await?;
+    send.write_all(header_bytes).await?;
+    Ok(())
+}
+
+/// Read the PROXY v1 header from the first bytes of a QUIC data stream.
+/// Returns the header string.
+pub async fn read_proxy_header(
+    recv: &mut quinn::RecvStream,
+) -> Result<String, std::io::Error> {
+    let mut len_buf = [0u8; 4];
+    recv.read_exact(&mut len_buf).await.map_err(|e| {
+        std::io::Error::new(std::io::ErrorKind::Other, e)
+    })?;
+    let len = u32::from_be_bytes(len_buf) as usize;
+    if len > 8192 {
+        return Err(std::io::Error::new(
+            std::io::ErrorKind::InvalidData,
+            "proxy header too long",
+        ));
+    }
+    let mut header = vec![0u8; len];
+    recv.read_exact(&mut header).await.map_err(|e| {
+        std::io::Error::new(std::io::ErrorKind::Other, e)
+    })?;
+    String::from_utf8(header).map_err(|_| {
+        std::io::Error::new(std::io::ErrorKind::InvalidData, "proxy header not UTF-8")
+    })
+}
+
+/// TLS certificate verifier that accepts any certificate (auth is via shared secret).
+/// Same as the one in edge.rs but placed here so the QUIC module is self-contained.
+#[derive(Debug)]
+struct NoCertVerifier;
+
+impl rustls::client::danger::ServerCertVerifier for NoCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        _server_name: &rustls::pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls::pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        vec![
+            rustls::SignatureScheme::RSA_PKCS1_SHA256,
+            rustls::SignatureScheme::RSA_PKCS1_SHA384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA512,
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+            rustls::SignatureScheme::ECDSA_NISTP521_SHA512,
+            rustls::SignatureScheme::RSA_PSS_SHA256,
+            rustls::SignatureScheme::RSA_PSS_SHA384,
+            rustls::SignatureScheme::RSA_PSS_SHA512,
+            rustls::SignatureScheme::ED25519,
+            rustls::SignatureScheme::ED448,
+        ]
+    }
+}
--- a/rust/crates/remoteingress-core/src/udp_session.rs
+++ b/rust/crates/remoteingress-core/src/udp_session.rs
@@ -0,0 +1,210 @@
+use std::collections::HashMap;
+use std::net::SocketAddr;
+use tokio::time::Instant;
+
+/// Key identifying a unique UDP "session" (one client endpoint talking to one destination port).
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub struct UdpSessionKey {
+    pub client_addr: SocketAddr,
+    pub dest_port: u16,
+}
+
+/// A single UDP session tracked by the edge.
+pub struct UdpSession {
+    pub stream_id: u32,
+    pub client_addr: SocketAddr,
+    pub dest_port: u16,
+    pub last_activity: Instant,
+}
+
+/// Manages UDP sessions with idle timeout expiry.
+pub struct UdpSessionManager {
+    /// Forward map: session key → session data.
+    sessions: HashMap<UdpSessionKey, UdpSession>,
+    /// Reverse map: stream_id → session key (for dispatching return traffic).
+    by_stream_id: HashMap<u32, UdpSessionKey>,
+    /// Idle timeout duration.
+    idle_timeout: std::time::Duration,
+}
+
+impl UdpSessionManager {
+    pub fn new(idle_timeout: std::time::Duration) -> Self {
+        Self {
+            sessions: HashMap::new(),
+            by_stream_id: HashMap::new(),
+            idle_timeout,
+        }
+    }
+
+    /// Look up an existing session by key. Updates last_activity on hit.
+    pub fn get_mut(&mut self, key: &UdpSessionKey) -> Option<&mut UdpSession> {
+        let session = self.sessions.get_mut(key)?;
+        session.last_activity = Instant::now();
+        Some(session)
+    }
+
+    /// Look up a session's client address by stream_id (for return traffic).
+    pub fn client_addr_for_stream(&self, stream_id: u32) -> Option<SocketAddr> {
+        let key = self.by_stream_id.get(&stream_id)?;
+        self.sessions.get(key).map(|s| s.client_addr)
+    }
+
+    /// Look up a session by stream_id. Updates last_activity on hit.
+    pub fn get_by_stream_id(&mut self, stream_id: u32) -> Option<&mut UdpSession> {
+        let key = self.by_stream_id.get(&stream_id)?;
+        let session = self.sessions.get_mut(key)?;
+        session.last_activity = Instant::now();
+        Some(session)
+    }
+
+    /// Insert a new session. Returns a mutable reference to it.
+    pub fn insert(&mut self, key: UdpSessionKey, stream_id: u32) -> &mut UdpSession {
+        let session = UdpSession {
+            stream_id,
+            client_addr: key.client_addr,
+            dest_port: key.dest_port,
+            last_activity: Instant::now(),
+        };
+        self.by_stream_id.insert(stream_id, key);
+        self.sessions.entry(key).or_insert(session)
+    }
+
+    /// Remove a session by stream_id.
+    pub fn remove_by_stream_id(&mut self, stream_id: u32) -> Option<UdpSession> {
+        if let Some(key) = self.by_stream_id.remove(&stream_id) {
+            self.sessions.remove(&key)
+        } else {
+            None
+        }
+    }
+
+    /// Expire idle sessions. Returns the stream_ids of expired sessions.
+    pub fn expire_idle(&mut self) -> Vec<u32> {
+        let now = Instant::now();
+        let timeout = self.idle_timeout;
+        let expired_keys: Vec<UdpSessionKey> = self
+            .sessions
+            .iter()
+            .filter(|(_, s)| now.duration_since(s.last_activity) >= timeout)
+            .map(|(k, _)| *k)
+            .collect();
+
+        let mut expired_ids = Vec::with_capacity(expired_keys.len());
+        for key in expired_keys {
+            if let Some(session) = self.sessions.remove(&key) {
+                self.by_stream_id.remove(&session.stream_id);
+                expired_ids.push(session.stream_id);
+            }
+        }
+        expired_ids
+    }
+
+    /// Number of active sessions.
+    pub fn len(&self) -> usize {
+        self.sessions.len()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::time::Duration;
+
+    fn addr(port: u16) -> SocketAddr {
+        SocketAddr::from(([127, 0, 0, 1], port))
+    }
+
+    #[test]
+    fn test_insert_and_lookup() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 1);
+
+        assert_eq!(mgr.len(), 1);
+        assert!(mgr.get_mut(&key).is_some());
+        assert_eq!(mgr.get_mut(&key).unwrap().stream_id, 1);
+    }
+
+    #[test]
+    fn test_client_addr_for_stream() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 42);
+
+        assert_eq!(mgr.client_addr_for_stream(42), Some(addr(5000)));
+        assert_eq!(mgr.client_addr_for_stream(99), None);
+    }
+
+    #[test]
+    fn test_remove_by_stream_id() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 1);
+
+        let removed = mgr.remove_by_stream_id(1);
+        assert!(removed.is_some());
+        assert_eq!(mgr.len(), 0);
+        assert!(mgr.get_mut(&key).is_none());
+        assert_eq!(mgr.client_addr_for_stream(1), None);
+    }
+
+    #[test]
+    fn test_remove_nonexistent() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        assert!(mgr.remove_by_stream_id(999).is_none());
+    }
+
+    #[tokio::test]
+    async fn test_expire_idle() {
+        let mut mgr = UdpSessionManager::new(Duration::from_millis(50));
+        let key1 = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        let key2 = UdpSessionKey { client_addr: addr(5001), dest_port: 53 };
+        mgr.insert(key1, 1);
+        mgr.insert(key2, 2);
+
+        // Nothing expired yet
+        assert!(mgr.expire_idle().is_empty());
+        assert_eq!(mgr.len(), 2);
+
+        // Wait for timeout
+        tokio::time::sleep(Duration::from_millis(60)).await;
+
+        let expired = mgr.expire_idle();
+        assert_eq!(expired.len(), 2);
+        assert_eq!(mgr.len(), 0);
+    }
+
+    #[tokio::test]
+    async fn test_activity_prevents_expiry() {
+        let mut mgr = UdpSessionManager::new(Duration::from_millis(100));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 1);
+
+        // Touch session at 50ms (before 100ms timeout)
+        tokio::time::sleep(Duration::from_millis(50)).await;
+        mgr.get_mut(&key); // refreshes last_activity
+
+        // At 80ms from last touch, should still be alive
+        tokio::time::sleep(Duration::from_millis(80)).await;
+        assert!(mgr.expire_idle().is_empty());
+        assert_eq!(mgr.len(), 1);
+
+        // Wait for full timeout from last activity
+        tokio::time::sleep(Duration::from_millis(30)).await;
+        let expired = mgr.expire_idle();
+        assert_eq!(expired.len(), 1);
+    }
+
+    #[test]
+    fn test_multiple_sessions_same_client_different_ports() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key1 = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        let key2 = UdpSessionKey { client_addr: addr(5000), dest_port: 443 };
+        mgr.insert(key1, 1);
+        mgr.insert(key2, 2);
+
+        assert_eq!(mgr.len(), 2);
+        assert_eq!(mgr.get_mut(&key1).unwrap().stream_id, 1);
+        assert_eq!(mgr.get_mut(&key2).unwrap().stream_id, 2);
+    }
+}
--- a/rust/crates/remoteingress-protocol/src/lib.rs
+++ b/rust/crates/remoteingress-protocol/src/lib.rs
@@ -2,8 +2,10 @@ use std::collections::VecDeque;
 use std::future::Future;
 use std::pin::Pin;
 use std::task::{Context, Poll};
-use bytes::{Bytes, BytesMut};
+use std::time::Duration;
+use bytes::{Bytes, BytesMut, BufMut};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, ReadBuf};
+use tokio::time::Instant;

 // Frame type constants
 pub const FRAME_OPEN: u8 = 0x01;
@@ -17,6 +19,12 @@ pub const FRAME_PONG: u8 = 0x08;       // Edge -> Hub: heartbeat response
 pub const FRAME_WINDOW_UPDATE: u8 = 0x09;      // Edge -> Hub: per-stream flow control
 pub const FRAME_WINDOW_UPDATE_BACK: u8 = 0x0A;  // Hub -> Edge: per-stream flow control

+// UDP tunnel frame types
+pub const FRAME_UDP_OPEN: u8 = 0x0B;            // Edge -> Hub: open UDP session (payload: PROXY v2 header)
+pub const FRAME_UDP_DATA: u8 = 0x0C;            // Edge -> Hub: UDP datagram
+pub const FRAME_UDP_DATA_BACK: u8 = 0x0D;       // Hub -> Edge: UDP datagram
+pub const FRAME_UDP_CLOSE: u8 = 0x0E;           // Either direction: close UDP session
+
 // Frame header size: 4 (stream_id) + 1 (type) + 4 (length) = 9 bytes
 pub const FRAME_HEADER_SIZE: usize = 9;

@@ -24,13 +32,22 @@ pub const FRAME_HEADER_SIZE: usize = 9;
 pub const MAX_PAYLOAD_SIZE: u32 = 16 * 1024 * 1024;

 // Per-stream flow control constants
-/// Initial per-stream window size (4 MB). Sized for full throughput at high RTT:
-/// at 100ms RTT, this sustains ~40 MB/s per stream.
+/// Initial (and maximum) per-stream window size (4 MB).
 pub const INITIAL_STREAM_WINDOW: u32 = 4 * 1024 * 1024;
 /// Send WINDOW_UPDATE after consuming this many bytes (half the initial window).
 pub const WINDOW_UPDATE_THRESHOLD: u32 = INITIAL_STREAM_WINDOW / 2;
 /// Maximum window size to prevent overflow.
-pub const MAX_WINDOW_SIZE: u32 = 16 * 1024 * 1024;
+pub const MAX_WINDOW_SIZE: u32 = 4 * 1024 * 1024;
+
+// Sustained stream classification constants
+/// Throughput threshold for sustained classification (2.5 MB/s = 20 Mbit/s).
+pub const SUSTAINED_THRESHOLD_BPS: u64 = 2_500_000;
+/// Minimum duration before a stream can be classified as sustained.
+pub const SUSTAINED_MIN_DURATION_SECS: u64 = 10;
+/// Fixed window for sustained streams (1 MB — the floor).
+pub const SUSTAINED_WINDOW: u32 = 1 * 1024 * 1024;
+/// Maximum bytes written from sustained queue per forced drain (1 MB/s guarantee).
+pub const SUSTAINED_FORCED_DRAIN_CAP: usize = 1_048_576;

 /// Encode a WINDOW_UPDATE frame for a specific stream.
 pub fn encode_window_update(stream_id: u32, frame_type: u8, increment: u32) -> Bytes {
@@ -38,36 +55,11 @@ pub fn encode_window_update(stream_id: u32, frame_type: u8, increment: u32) -> B
 }

 /// Compute the target per-stream window size based on the number of active streams.
-/// Total memory budget is ~32MB shared across all streams. As more streams are active,
-/// each gets a smaller window. This adapts to current demand — few streams get high
-/// throughput, many streams save memory and reduce control frame pressure.
+/// Total memory budget is ~200MB shared across all streams. Up to 50 streams get the
+/// full 4MB window; above that the window scales down to a 1MB floor at 200+ streams.
 pub fn compute_window_for_stream_count(active: u32) -> u32 {
-    let per_stream = (32 * 1024 * 1024u64) / (active.max(1) as u64);
-    per_stream.clamp(64 * 1024, INITIAL_STREAM_WINDOW as u64) as u32
-}
-
-/// Proactively clamp a send_window AtomicU32 down to at most `target`.
-/// CAS loop so concurrent WINDOW_UPDATE additions are not lost.
-/// Returns the value after clamping.
-#[inline]
-pub fn clamp_send_window(
-    send_window: &std::sync::atomic::AtomicU32,
-    target: u32,
-) -> u32 {
-    loop {
-        let current = send_window.load(std::sync::atomic::Ordering::Acquire);
-        if current <= target {
-            return current;
-        }
-        match send_window.compare_exchange_weak(
-            current, target,
-            std::sync::atomic::Ordering::AcqRel,
-            std::sync::atomic::Ordering::Relaxed,
-        ) {
-            Ok(_) => return target,
-            Err(_) => continue,
-        }
-    }
+    let per_stream = (200 * 1024 * 1024u64) / (active.max(1) as u64);
+    per_stream.clamp(1 * 1024 * 1024, INITIAL_STREAM_WINDOW as u64) as u32
 }

 /// Decode a WINDOW_UPDATE payload into a byte increment. Returns None if payload is malformed.
@@ -89,12 +81,12 @@ pub struct Frame {
 /// Encode a frame into bytes: [stream_id:4][type:1][length:4][payload]
 pub fn encode_frame(stream_id: u32, frame_type: u8, payload: &[u8]) -> Bytes {
    let len = payload.len() as u32;
-    let mut buf = Vec::with_capacity(FRAME_HEADER_SIZE + payload.len());
-    buf.extend_from_slice(&stream_id.to_be_bytes());
-    buf.push(frame_type);
-    buf.extend_from_slice(&len.to_be_bytes());
-    buf.extend_from_slice(payload);
-    Bytes::from(buf)
+    let mut buf = BytesMut::with_capacity(FRAME_HEADER_SIZE + payload.len());
+    buf.put_slice(&stream_id.to_be_bytes());
+    buf.put_u8(frame_type);
+    buf.put_slice(&len.to_be_bytes());
+    buf.put_slice(payload);
+    buf.freeze()
 }

 /// Write a frame header into `buf[0..FRAME_HEADER_SIZE]`.
@@ -121,6 +113,76 @@ pub fn build_proxy_v1_header(
    )
 }

+/// PROXY protocol v2 signature (12 bytes).
+pub const PROXY_V2_SIGNATURE: [u8; 12] = [
+    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
+];
+
+/// Transport protocol for PROXY v2 header.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ProxyV2Transport {
+    /// TCP (STREAM) — byte 13 low nibble = 0x1
+    Tcp,
+    /// UDP (DGRAM) — byte 13 low nibble = 0x2
+    Udp,
+}
+
+/// Build a PROXY protocol v2 binary header for IPv4.
+///
+/// Returns a 28-byte header:
+/// - 12B signature
+/// - 1B version (0x2) + command (0x1 = PROXY)
+/// - 1B address family (0x1 = AF_INET) + transport (0x1 = TCP, 0x2 = UDP)
+/// - 2B address block length (0x000C = 12)
+/// - 4B source IPv4 address
+/// - 4B destination IPv4 address
+/// - 2B source port
+/// - 2B destination port
+pub fn build_proxy_v2_header(
+    src_ip: &std::net::Ipv4Addr,
+    dst_ip: &std::net::Ipv4Addr,
+    src_port: u16,
+    dst_port: u16,
+    transport: ProxyV2Transport,
+) -> Bytes {
+    let mut buf = BytesMut::with_capacity(28);
+    // Signature (12 bytes)
+    buf.put_slice(&PROXY_V2_SIGNATURE);
+    // Version 2 + PROXY command
+    buf.put_u8(0x21);
+    // AF_INET (0x1) + transport
+    let transport_nibble = match transport {
+        ProxyV2Transport::Tcp => 0x1,
+        ProxyV2Transport::Udp => 0x2,
+    };
+    buf.put_u8(0x10 | transport_nibble);
+    // Address block length: 12 bytes for IPv4
+    buf.put_u16(12);
+    // Source address (4 bytes, network byte order)
+    buf.put_slice(&src_ip.octets());
+    // Destination address (4 bytes, network byte order)
+    buf.put_slice(&dst_ip.octets());
+    // Source port (2 bytes, network byte order)
+    buf.put_u16(src_port);
+    // Destination port (2 bytes, network byte order)
+    buf.put_u16(dst_port);
+    buf.freeze()
+}
+
+/// Build a PROXY protocol v2 binary header from string IP addresses.
+/// Falls back to 0.0.0.0 if parsing fails.
+pub fn build_proxy_v2_header_from_str(
+    src_ip: &str,
+    dst_ip: &str,
+    src_port: u16,
+    dst_port: u16,
+    transport: ProxyV2Transport,
+) -> Bytes {
+    let src: std::net::Ipv4Addr = src_ip.parse().unwrap_or(std::net::Ipv4Addr::UNSPECIFIED);
+    let dst: std::net::Ipv4Addr = dst_ip.parse().unwrap_or(std::net::Ipv4Addr::UNSPECIFIED);
+    build_proxy_v2_header(&src, &dst, src_port, dst_port, transport)
+}
+
 /// Stateful async frame reader that yields `Frame` values from an `AsyncRead`.
 pub struct FrameReader<R> {
    reader: R,
@@ -169,7 +231,7 @@ impl<R: AsyncRead + Unpin> FrameReader<R> {
            ));
        }

-        let mut payload = vec![0u8; length as usize];
+        let mut payload = BytesMut::zeroed(length as usize);
        if length > 0 {
            self.reader.read_exact(&mut payload).await?;
        }
@@ -177,7 +239,7 @@ impl<R: AsyncRead + Unpin> FrameReader<R> {
        Ok(Some(Frame {
            stream_id,
            frame_type,
-            payload: Bytes::from(payload),
+            payload: payload.freeze(),
        }))
    }

@@ -211,46 +273,60 @@ pub enum TunnelEvent {
 /// Write state extracted into a sub-struct so the borrow checker can see
 /// disjoint field access between `self.write` and `self.stream`.
 struct WriteState {
-    ctrl_queue: VecDeque<Bytes>,   // PONG, WINDOW_UPDATE, CLOSE, OPEN — always first
-    data_queue: VecDeque<Bytes>,   // DATA, DATA_BACK — only when ctrl is empty
-    offset: usize,                 // progress within current frame being written
+    ctrl_queue: VecDeque<Bytes>,      // PONG, WINDOW_UPDATE, CLOSE, OPEN — always first
+    data_queue: VecDeque<Bytes>,      // DATA, DATA_BACK — only when ctrl is empty
+    sustained_queue: VecDeque<Bytes>, // DATA, DATA_BACK from sustained streams — lowest priority
+    offset: usize,                    // progress within current frame being written
    flush_needed: bool,
+    // Sustained starvation prevention: guaranteed 1 MB/s drain
+    sustained_last_drain: Instant,
+    sustained_bytes_this_period: usize,
 }

 impl WriteState {
    fn has_work(&self) -> bool {
-        !self.ctrl_queue.is_empty() || !self.data_queue.is_empty()
+        !self.ctrl_queue.is_empty() || !self.data_queue.is_empty() || !self.sustained_queue.is_empty()
    }
 }

 /// Single-owner I/O engine for the tunnel TLS connection.
 ///
 /// Owns the TLS stream directly — no `tokio::io::split()`, no mutex.
-/// Uses two priority write queues: ctrl frames (PONG, WINDOW_UPDATE, CLOSE, OPEN)
-/// are ALWAYS written before data frames (DATA, DATA_BACK). This prevents
-/// WINDOW_UPDATE starvation that causes flow control deadlocks.
+/// Uses three priority write queues:
+///   1. ctrl  (PONG, WINDOW_UPDATE, CLOSE, OPEN) — always first
+///   2. data  (DATA, DATA_BACK from normal streams) — when ctrl empty
+///   3. sustained (DATA, DATA_BACK from sustained streams) — lowest priority,
+///      drained freely when ctrl+data empty, or forced 1MB/s when they're not
 pub struct TunnelIo<S> {
    stream: S,
-    // Read state: BytesMut accumulates bytes; split_to extracts frames zero-copy.
-    read_buf: BytesMut,
+    // Read state: accumulate bytes, parse frames incrementally
+    read_buf: Vec<u8>,
+    read_pos: usize,
+    parse_pos: usize,
    // Write state: extracted sub-struct for safe disjoint borrows
    write: WriteState,
 }

 impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
    pub fn new(stream: S, initial_data: Vec<u8>) -> Self {
-        let mut read_buf = BytesMut::from(&initial_data[..]);
+        let read_pos = initial_data.len();
+        let mut read_buf = initial_data;
        if read_buf.capacity() < 65536 {
            read_buf.reserve(65536 - read_buf.len());
        }
        Self {
            stream,
            read_buf,
+            read_pos,
+            parse_pos: 0,
            write: WriteState {
                ctrl_queue: VecDeque::new(),
                data_queue: VecDeque::new(),
+                sustained_queue: VecDeque::new(),
                offset: 0,
                flush_needed: false,
+                sustained_last_drain: Instant::now(),
+                sustained_bytes_this_period: 0,
            },
        }
    }
@@ -265,30 +341,37 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
        self.write.data_queue.push_back(frame);
    }

+    /// Queue a lowest-priority sustained data frame.
+    pub fn queue_sustained(&mut self, frame: Bytes) {
+        self.write.sustained_queue.push_back(frame);
+    }
+
    /// Try to parse a complete frame from the read buffer.
-    /// Zero-copy: uses BytesMut::split_to to extract frames without allocating.
+    /// Uses a parse_pos cursor to avoid drain() on every frame.
    pub fn try_parse_frame(&mut self) -> Option<Result<Frame, std::io::Error>> {
-        if self.read_buf.len() < FRAME_HEADER_SIZE {
+        let available = self.read_pos - self.parse_pos;
+        if available < FRAME_HEADER_SIZE {
            return None;
        }

+        let base = self.parse_pos;
        let stream_id = u32::from_be_bytes([
-            self.read_buf[0], self.read_buf[1],
-            self.read_buf[2], self.read_buf[3],
+            self.read_buf[base], self.read_buf[base + 1],
+            self.read_buf[base + 2], self.read_buf[base + 3],
        ]);
-        let frame_type = self.read_buf[4];
+        let frame_type = self.read_buf[base + 4];
        let length = u32::from_be_bytes([
-            self.read_buf[5], self.read_buf[6],
-            self.read_buf[7], self.read_buf[8],
+            self.read_buf[base + 5], self.read_buf[base + 6],
+            self.read_buf[base + 7], self.read_buf[base + 8],
        ]);

        if length > MAX_PAYLOAD_SIZE {
            let header = [
-                self.read_buf[0], self.read_buf[1],
-                self.read_buf[2], self.read_buf[3],
-                self.read_buf[4], self.read_buf[5],
-                self.read_buf[6], self.read_buf[7],
-                self.read_buf[8],
+                self.read_buf[base], self.read_buf[base + 1],
+                self.read_buf[base + 2], self.read_buf[base + 3],
+                self.read_buf[base + 4], self.read_buf[base + 5],
+                self.read_buf[base + 6], self.read_buf[base + 7],
+                self.read_buf[base + 8],
            ];
            log::error!(
                "CORRUPT FRAME HEADER: raw={:02x?} stream_id={} type=0x{:02x} length={}",
@@ -301,48 +384,63 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
        }

        let total_frame_size = FRAME_HEADER_SIZE + length as usize;
-        if self.read_buf.len() < total_frame_size {
+        if available < total_frame_size {
            return None;
        }

-        // Zero-copy extraction: split the frame off the read buffer (O(1) pointer adjustment).
-        // split_to removes the first total_frame_size bytes from read_buf.
-        let mut frame_data = self.read_buf.split_to(total_frame_size);
-        // Split off header, keep only payload. freeze() converts BytesMut → Bytes (O(1)).
-        let payload = frame_data.split_off(FRAME_HEADER_SIZE).freeze();
+        let payload = Bytes::copy_from_slice(
+            &self.read_buf[base + FRAME_HEADER_SIZE..base + total_frame_size],
+        );
+        self.parse_pos += total_frame_size;
+
+        // Compact when parse_pos > half the data to reclaim memory
+        if self.parse_pos > self.read_pos / 2 && self.parse_pos > 0 {
+            self.read_buf.drain(..self.parse_pos);
+            self.read_pos -= self.parse_pos;
+            self.parse_pos = 0;
+        }

        Some(Ok(Frame { stream_id, frame_type, payload }))
    }

    /// Poll-based I/O step. Returns Ready on events, Pending when idle.
    ///
-    /// Order: write(ctrl→data) → flush → read → channels → timers
+    /// Order: write(ctrl->data->sustained) -> flush -> read -> channels -> timers
    pub fn poll_step(
        &mut self,
        cx: &mut Context<'_>,
        ctrl_rx: &mut tokio::sync::mpsc::Receiver<Bytes>,
        data_rx: &mut tokio::sync::mpsc::Receiver<Bytes>,
+        sustained_rx: &mut tokio::sync::mpsc::Receiver<Bytes>,
        liveness_deadline: &mut Pin<Box<tokio::time::Sleep>>,
        cancel_token: &tokio_util::sync::CancellationToken,
    ) -> Poll<TunnelEvent> {
-        // 1. WRITE: drain ctrl queue first, then data queue.
+        // 1. WRITE: 3-tier priority — ctrl first, then data, then sustained.
+        //    Sustained drains freely when ctrl+data are empty.
        //    Write one frame, set flush_needed, then flush must complete before
        //    writing more. This prevents unbounded TLS session buffer growth.
        //    Safe: `self.write` and `self.stream` are disjoint fields.
        let mut writes = 0;
        while self.write.has_work() && writes < 16 && !self.write.flush_needed {
-            let from_ctrl = !self.write.ctrl_queue.is_empty();
-            let frame = if from_ctrl {
-                self.write.ctrl_queue.front().unwrap()
+            // Pick queue: ctrl > data > sustained
+            let queue_id = if !self.write.ctrl_queue.is_empty() {
+                0 // ctrl
+            } else if !self.write.data_queue.is_empty() {
+                1 // data
            } else {
-                self.write.data_queue.front().unwrap()
+                2 // sustained
+            };
+            let frame = match queue_id {
+                0 => self.write.ctrl_queue.front().unwrap(),
+                1 => self.write.data_queue.front().unwrap(),
+                _ => self.write.sustained_queue.front().unwrap(),
            };
            let remaining = &frame[self.write.offset..];

            match Pin::new(&mut self.stream).poll_write(cx, remaining) {
                Poll::Ready(Ok(0)) => {
-                    log::error!("TunnelIo: poll_write returned 0 (write zero), ctrl_q={} data_q={}",
-                        self.write.ctrl_queue.len(), self.write.data_queue.len());
+                    log::error!("TunnelIo: poll_write returned 0 (write zero), ctrl_q={} data_q={} sustained_q={}",
+                        self.write.ctrl_queue.len(), self.write.data_queue.len(), self.write.sustained_queue.len());
                    return Poll::Ready(TunnelEvent::WriteError(
                        std::io::Error::new(std::io::ErrorKind::WriteZero, "write zero"),
                    ));
@@ -351,21 +449,70 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
                    self.write.offset += n;
                    self.write.flush_needed = true;
                    if self.write.offset >= frame.len() {
-                        if from_ctrl { self.write.ctrl_queue.pop_front(); }
-                        else { self.write.data_queue.pop_front(); }
+                        match queue_id {
+                            0 => { self.write.ctrl_queue.pop_front(); }
+                            1 => { self.write.data_queue.pop_front(); }
+                            _ => {
+                                self.write.sustained_queue.pop_front();
+                                self.write.sustained_last_drain = Instant::now();
+                                self.write.sustained_bytes_this_period = 0;
+                            }
+                        }
                        self.write.offset = 0;
                        writes += 1;
                    }
                }
                Poll::Ready(Err(e)) => {
-                    log::error!("TunnelIo: poll_write error: {} (ctrl_q={} data_q={})",
-                        e, self.write.ctrl_queue.len(), self.write.data_queue.len());
+                    log::error!("TunnelIo: poll_write error: {} (ctrl_q={} data_q={} sustained_q={})",
+                        e, self.write.ctrl_queue.len(), self.write.data_queue.len(), self.write.sustained_queue.len());
                    return Poll::Ready(TunnelEvent::WriteError(e));
                }
                Poll::Pending => break,
            }
        }

+        // 1b. FORCED SUSTAINED DRAIN: when ctrl/data have work but sustained is waiting,
+        //     guarantee at least 1 MB/s by draining up to SUSTAINED_FORCED_DRAIN_CAP
+        //     once per second.
+        if !self.write.sustained_queue.is_empty()
+            && (!self.write.ctrl_queue.is_empty() || !self.write.data_queue.is_empty())
+            && !self.write.flush_needed
+        {
+            let now = Instant::now();
+            if now.duration_since(self.write.sustained_last_drain) >= Duration::from_secs(1) {
+                self.write.sustained_bytes_this_period = 0;
+                self.write.sustained_last_drain = now;
+
+                while !self.write.sustained_queue.is_empty()
+                    && self.write.sustained_bytes_this_period < SUSTAINED_FORCED_DRAIN_CAP
+                    && !self.write.flush_needed
+                {
+                    let frame = self.write.sustained_queue.front().unwrap();
+                    let remaining = &frame[self.write.offset..];
+                    match Pin::new(&mut self.stream).poll_write(cx, remaining) {
+                        Poll::Ready(Ok(0)) => {
+                            return Poll::Ready(TunnelEvent::WriteError(
+                                std::io::Error::new(std::io::ErrorKind::WriteZero, "write zero"),
+                            ));
+                        }
+                        Poll::Ready(Ok(n)) => {
+                            self.write.offset += n;
+                            self.write.flush_needed = true;
+                            self.write.sustained_bytes_this_period += n;
+                            if self.write.offset >= frame.len() {
+                                self.write.sustained_queue.pop_front();
+                                self.write.offset = 0;
+                            }
+                        }
+                        Poll::Ready(Err(e)) => {
+                            return Poll::Ready(TunnelEvent::WriteError(e));
+                        }
+                        Poll::Pending => break,
+                    }
+                }
+            }
+        }
+
        // 2. FLUSH: push encrypted data from TLS session to TCP.
        if self.write.flush_needed {
            match Pin::new(&mut self.stream).poll_flush(cx) {
@@ -385,18 +532,23 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
        //    the waker without re-registering it, causing the task to sleep until a
        //    timer or channel wakes it (potentially 15+ seconds of lost reads).
        loop {
-            // Ensure at least 32KB of writable space
-            let len_before = self.read_buf.len();
-            self.read_buf.resize(len_before + 32768, 0);
-            let mut rbuf = ReadBuf::new(&mut self.read_buf[len_before..]);
+            // Compact if needed to make room for reads
+            if self.parse_pos > 0 && self.read_buf.len() - self.read_pos < 32768 {
+                self.read_buf.drain(..self.parse_pos);
+                self.read_pos -= self.parse_pos;
+                self.parse_pos = 0;
+            }
+            if self.read_buf.len() < self.read_pos + 32768 {
+                self.read_buf.resize(self.read_pos + 32768, 0);
+            }
+            let mut rbuf = ReadBuf::new(&mut self.read_buf[self.read_pos..]);
            match Pin::new(&mut self.stream).poll_read(cx, &mut rbuf) {
                Poll::Ready(Ok(())) => {
                    let n = rbuf.filled().len();
-                    // Trim back to actual data length
-                    self.read_buf.truncate(len_before + n);
                    if n == 0 {
                        return Poll::Ready(TunnelEvent::Eof);
                    }
+                    self.read_pos += n;
                    if let Some(result) = self.try_parse_frame() {
                        return match result {
                            Ok(frame) => Poll::Ready(TunnelEvent::Frame(frame)),
@@ -407,14 +559,10 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
                    // waker is re-registered when it finally returns Pending.
                }
                Poll::Ready(Err(e)) => {
-                    self.read_buf.truncate(len_before);
                    log::error!("TunnelIo: poll_read error: {}", e);
                    return Poll::Ready(TunnelEvent::ReadError(e));
                }
-                Poll::Pending => {
-                    self.read_buf.truncate(len_before);
-                    break;
-                }
+                Poll::Pending => break,
            }
        }

@@ -422,7 +570,7 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
        //    Ctrl frames must never be delayed — always drain fully.
        //    Data frames are gated: keep data in the bounded channel for proper
        //    backpressure when TLS writes are slow. Without this gate, the internal
-        //    data_queue (unbounded VecDeque) grows to hundreds of MB under throttle → OOM.
+        //    data_queue (unbounded VecDeque) grows to hundreds of MB under throttle -> OOM.
        let mut got_new = false;
        loop {
            match ctrl_rx.poll_recv(cx) {
@@ -448,6 +596,16 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
                }
            }
        }
+        // Sustained channel: drain when sustained_queue is small (same backpressure pattern).
+        // Channel close is non-fatal — not all connections have sustained streams.
+        if self.write.sustained_queue.len() < 64 {
+            loop {
+                match sustained_rx.poll_recv(cx) {
+                    Poll::Ready(Some(frame)) => { self.write.sustained_queue.push_back(frame); got_new = true; }
+                    Poll::Ready(None) | Poll::Pending => break,
+                }
+            }
+        }

        // 5. TIMERS
        if liveness_deadline.as_mut().poll(cx).is_ready() {
@@ -484,14 +642,14 @@ mod tests {
        let mut buf = vec![0u8; FRAME_HEADER_SIZE + payload.len()];
        buf[FRAME_HEADER_SIZE..].copy_from_slice(payload);
        encode_frame_header(&mut buf, 42, FRAME_DATA, payload.len());
-        assert_eq!(buf[..], encode_frame(42, FRAME_DATA, payload)[..]);
+        assert_eq!(buf, &encode_frame(42, FRAME_DATA, payload)[..]);
    }

    #[test]
    fn test_encode_frame_header_empty_payload() {
        let mut buf = vec![0u8; FRAME_HEADER_SIZE];
        encode_frame_header(&mut buf, 99, FRAME_CLOSE, 0);
-        assert_eq!(buf[..], encode_frame(99, FRAME_CLOSE, &[])[..]);
+        assert_eq!(buf, &encode_frame(99, FRAME_CLOSE, &[])[..]);
    }

    #[test]
@@ -522,6 +680,62 @@ mod tests {
        assert_eq!(header, "PROXY TCP4 1.2.3.4 5.6.7.8 12345 443\r\n");
    }

+    #[test]
+    fn test_proxy_v2_header_tcp4() {
+        let src = "198.51.100.10".parse().unwrap();
+        let dst = "203.0.113.25".parse().unwrap();
+        let header = build_proxy_v2_header(&src, &dst, 54321, 8443, ProxyV2Transport::Tcp);
+        assert_eq!(header.len(), 28);
+        // Signature
+        assert_eq!(&header[0..12], &PROXY_V2_SIGNATURE);
+        // Version 2 + PROXY command
+        assert_eq!(header[12], 0x21);
+        // AF_INET + STREAM (TCP)
+        assert_eq!(header[13], 0x11);
+        // Address length = 12
+        assert_eq!(u16::from_be_bytes([header[14], header[15]]), 12);
+        // Source IP: 198.51.100.10
+        assert_eq!(&header[16..20], &[198, 51, 100, 10]);
+        // Dest IP: 203.0.113.25
+        assert_eq!(&header[20..24], &[203, 0, 113, 25]);
+        // Source port: 54321
+        assert_eq!(u16::from_be_bytes([header[24], header[25]]), 54321);
+        // Dest port: 8443
+        assert_eq!(u16::from_be_bytes([header[26], header[27]]), 8443);
+    }
+
+    #[test]
+    fn test_proxy_v2_header_udp4() {
+        let src = "10.0.0.1".parse().unwrap();
+        let dst = "10.0.0.2".parse().unwrap();
+        let header = build_proxy_v2_header(&src, &dst, 12345, 53, ProxyV2Transport::Udp);
+        assert_eq!(header.len(), 28);
+        assert_eq!(header[12], 0x21); // v2, PROXY
+        assert_eq!(header[13], 0x12); // AF_INET + DGRAM (UDP)
+        assert_eq!(&header[16..20], &[10, 0, 0, 1]); // src
+        assert_eq!(&header[20..24], &[10, 0, 0, 2]); // dst
+        assert_eq!(u16::from_be_bytes([header[24], header[25]]), 12345);
+        assert_eq!(u16::from_be_bytes([header[26], header[27]]), 53);
+    }
+
+    #[test]
+    fn test_proxy_v2_header_from_str() {
+        let header = build_proxy_v2_header_from_str("1.2.3.4", "5.6.7.8", 1000, 443, ProxyV2Transport::Tcp);
+        assert_eq!(header.len(), 28);
+        assert_eq!(&header[16..20], &[1, 2, 3, 4]);
+        assert_eq!(&header[20..24], &[5, 6, 7, 8]);
+    }
+
+    #[test]
+    fn test_proxy_v2_header_from_str_invalid_ip() {
+        let header = build_proxy_v2_header_from_str("not-an-ip", "also-not", 1000, 443, ProxyV2Transport::Udp);
+        assert_eq!(header.len(), 28);
+        // Falls back to 0.0.0.0
+        assert_eq!(&header[16..20], &[0, 0, 0, 0]);
+        assert_eq!(&header[20..24], &[0, 0, 0, 0]);
+        assert_eq!(header[13], 0x12); // UDP
+    }
+
    #[tokio::test]
    async fn test_frame_reader() {
        let frame1 = encode_frame(1, FRAME_OPEN, b"PROXY TCP4 1.2.3.4 5.6.7.8 1234 443\r\n");
@@ -696,90 +910,57 @@ mod tests {

    #[test]
    fn test_adaptive_window_zero_streams() {
-        // 0 streams treated as 1: 32MB/1 = 32MB → clamped to 4MB max
+        // 0 streams treated as 1: 200MB/1 -> clamped to 4MB max
        assert_eq!(compute_window_for_stream_count(0), INITIAL_STREAM_WINDOW);
    }

    #[test]
    fn test_adaptive_window_one_stream() {
-        // 32MB/1 = 32MB → clamped to 4MB max
        assert_eq!(compute_window_for_stream_count(1), INITIAL_STREAM_WINDOW);
    }

    #[test]
-    fn test_adaptive_window_at_max_boundary() {
-        // 32MB/8 = 4MB = exactly INITIAL_STREAM_WINDOW
-        assert_eq!(compute_window_for_stream_count(8), INITIAL_STREAM_WINDOW);
+    fn test_adaptive_window_50_streams_full() {
+        // 200MB/50 = 4MB = exactly INITIAL_STREAM_WINDOW
+        assert_eq!(compute_window_for_stream_count(50), INITIAL_STREAM_WINDOW);
    }

    #[test]
-    fn test_adaptive_window_just_below_max() {
-        // 32MB/9 = 3,728,270 — first value below INITIAL_STREAM_WINDOW
-        let w = compute_window_for_stream_count(9);
+    fn test_adaptive_window_51_streams_starts_scaling() {
+        // 200MB/51 < 4MB — first value below max
+        let w = compute_window_for_stream_count(51);
        assert!(w < INITIAL_STREAM_WINDOW);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 9) as u32);
-    }
-
-    #[test]
-    fn test_adaptive_window_16_streams() {
-        // 32MB/16 = 2MB
-        assert_eq!(compute_window_for_stream_count(16), 2 * 1024 * 1024);
+        assert_eq!(w, (200 * 1024 * 1024u64 / 51) as u32);
    }

    #[test]
    fn test_adaptive_window_100_streams() {
-        // 32MB/100 = 335,544 bytes (~327KB)
-        let w = compute_window_for_stream_count(100);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 100) as u32);
-        assert!(w > 64 * 1024); // above floor
-        assert!(w < INITIAL_STREAM_WINDOW as u32); // below ceiling
+        // 200MB/100 = 2MB
+        assert_eq!(compute_window_for_stream_count(100), 2 * 1024 * 1024);
    }

    #[test]
-    fn test_adaptive_window_200_streams() {
-        // 32MB/200 = 167,772 bytes (~163KB), above 64KB floor
-        let w = compute_window_for_stream_count(200);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 200) as u32);
-        assert!(w > 64 * 1024);
+    fn test_adaptive_window_200_streams_at_floor() {
+        // 200MB/200 = 1MB = exactly the floor
+        assert_eq!(compute_window_for_stream_count(200), 1 * 1024 * 1024);
    }

    #[test]
-    fn test_adaptive_window_500_streams() {
-        // 32MB/500 = 67,108 bytes (~65.5KB), just above 64KB floor
-        let w = compute_window_for_stream_count(500);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 500) as u32);
-        assert!(w > 64 * 1024);
-    }
-
-    #[test]
-    fn test_adaptive_window_at_min_boundary() {
-        // 32MB/512 = 65,536 = exactly 64KB floor
-        assert_eq!(compute_window_for_stream_count(512), 64 * 1024);
-    }
-
-    #[test]
-    fn test_adaptive_window_below_min_clamped() {
-        // 32MB/513 = 65,408 → clamped up to 64KB
-        assert_eq!(compute_window_for_stream_count(513), 64 * 1024);
-    }
-
-    #[test]
-    fn test_adaptive_window_1000_streams() {
-        // 32MB/1000 = 33,554 → clamped to 64KB
-        assert_eq!(compute_window_for_stream_count(1000), 64 * 1024);
+    fn test_adaptive_window_500_streams_clamped() {
+        // 200MB/500 = 0.4MB -> clamped up to 1MB floor
+        assert_eq!(compute_window_for_stream_count(500), 1 * 1024 * 1024);
    }

    #[test]
    fn test_adaptive_window_max_u32() {
-        // Extreme: u32::MAX streams → tiny value → clamped to 64KB
-        assert_eq!(compute_window_for_stream_count(u32::MAX), 64 * 1024);
+        // Extreme: u32::MAX streams -> tiny value -> clamped to 1MB
+        assert_eq!(compute_window_for_stream_count(u32::MAX), 1 * 1024 * 1024);
    }

    #[test]
    fn test_adaptive_window_monotonically_decreasing() {
-        // Window should decrease (or stay same) as stream count increases
        let mut prev = compute_window_for_stream_count(1);
-        for n in [2, 5, 10, 50, 100, 200, 500, 512, 1000] {
+        for n in [2, 10, 50, 51, 100, 200, 500, 1000] {
            let w = compute_window_for_stream_count(n);
            assert!(w <= prev, "window increased from {} to {} at n={}", prev, w, n);
            prev = w;
@@ -788,47 +969,14 @@ mod tests {

    #[test]
    fn test_adaptive_window_total_budget_bounded() {
-        // active × per_stream_window should never exceed 32MB (+ clamp overhead for high N)
-        for n in [1, 10, 50, 100, 200, 500] {
+        // active x per_stream_window should never exceed 200MB (+ clamp overhead for high N)
+        for n in [1, 10, 50, 100, 200] {
            let w = compute_window_for_stream_count(n);
            let total = w as u64 * n as u64;
-            assert!(total <= 32 * 1024 * 1024, "total {}MB exceeds budget at n={}", total / (1024*1024), n);
+            assert!(total <= 200 * 1024 * 1024, "total {}MB exceeds budget at n={}", total / (1024*1024), n);
        }
    }

-    // --- clamp_send_window tests ---
-
-    #[test]
-    fn test_clamp_send_window_reduces_above_target() {
-        let w = std::sync::atomic::AtomicU32::new(4 * 1024 * 1024); // 4 MB
-        let result = clamp_send_window(&w, 512 * 1024); // target 512 KB
-        assert_eq!(result, 512 * 1024);
-        assert_eq!(w.load(std::sync::atomic::Ordering::Relaxed), 512 * 1024);
-    }
-
-    #[test]
-    fn test_clamp_send_window_noop_below_target() {
-        let w = std::sync::atomic::AtomicU32::new(256 * 1024); // 256 KB
-        let result = clamp_send_window(&w, 512 * 1024); // target 512 KB
-        assert_eq!(result, 256 * 1024);
-        assert_eq!(w.load(std::sync::atomic::Ordering::Relaxed), 256 * 1024);
-    }
-
-    #[test]
-    fn test_clamp_send_window_noop_at_target() {
-        let w = std::sync::atomic::AtomicU32::new(512 * 1024);
-        let result = clamp_send_window(&w, 512 * 1024);
-        assert_eq!(result, 512 * 1024);
-        assert_eq!(w.load(std::sync::atomic::Ordering::Relaxed), 512 * 1024);
-    }
-
-    #[test]
-    fn test_clamp_send_window_zero_value() {
-        let w = std::sync::atomic::AtomicU32::new(0);
-        let result = clamp_send_window(&w, 64 * 1024);
-        assert_eq!(result, 0);
-    }
-
    // --- encode/decode window_update roundtrip ---

    #[test]
--- a/test/test.flowcontrol.node.ts
+++ b/test/test.flowcontrol.node.ts
@@ -324,7 +324,7 @@ tap.test('setup: start echo server and tunnel', async () => {
  expect(tunnel.hub.running).toBeTrue();
 });

-tap.test('single stream: 32MB transfer exceeding initial 4MB window', async () => {
+tap.test('single stream: 32MB transfer exceeding initial 4MB window (multiple refills)', async () => {
  const size = 32 * 1024 * 1024;
  const data = crypto.randomBytes(size);
  const expectedHash = sha256(data);
@@ -392,7 +392,7 @@ tap.test('asymmetric transfer: 4KB request -> 4MB response', async () => {
  }
 });

-tap.test('100 streams x 1MB each (100MB total exceeding 32MB budget)', async () => {
+tap.test('100 streams x 1MB each (100MB total exceeding 200MB budget)', async () => {
  const streamCount = 100;
  const payloadSize = 1 * 1024 * 1024;

@@ -446,7 +446,7 @@ tap.test('active stream counter tracks concurrent connections', async () => {
 });

 tap.test('50 streams x 2MB each (forces multiple window refills per stream)', async () => {
-  // At 50 concurrent streams: adaptive window = 32MB/50 = 655KB per stream
+  // At 50 concurrent streams: adaptive window = 200MB/50 = 4MB per stream
  // Each stream sends 2MB → needs ~3 WINDOW_UPDATE refill cycles per stream
  const streamCount = 50;
  const payloadSize = 2 * 1024 * 1024;
--- a/test/test.quic.node.ts
+++ b/test/test.quic.node.ts
@@ -0,0 +1,283 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as net from 'net';
+import * as crypto from 'crypto';
+import { RemoteIngressHub, RemoteIngressEdge } from '../ts/index.js';
+
+// ---------------------------------------------------------------------------
+// Helpers (same patterns as test.flowcontrol.node.ts)
+// ---------------------------------------------------------------------------
+
+async function findFreePorts(count: number): Promise<number[]> {
+  const servers: net.Server[] = [];
+  const ports: number[] = [];
+  for (let i = 0; i < count; i++) {
+    const server = net.createServer();
+    await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
+    ports.push((server.address() as net.AddressInfo).port);
+    servers.push(server);
+  }
+  await Promise.all(servers.map((s) => new Promise<void>((resolve) => s.close(() => resolve()))));
+  return ports;
+}
+
+type TrackingServer = net.Server & { destroyAll: () => void };
+
+function startEchoServer(port: number, host: string): Promise<TrackingServer> {
+  return new Promise((resolve, reject) => {
+    const connections = new Set<net.Socket>();
+    const server = net.createServer((socket) => {
+      connections.add(socket);
+      socket.on('close', () => connections.delete(socket));
+      let proxyHeaderParsed = false;
+      let pendingBuf = Buffer.alloc(0);
+      socket.on('data', (data: Buffer) => {
+        if (!proxyHeaderParsed) {
+          pendingBuf = Buffer.concat([pendingBuf, data]);
+          const idx = pendingBuf.indexOf('\r\n');
+          if (idx !== -1) {
+            proxyHeaderParsed = true;
+            const remainder = pendingBuf.subarray(idx + 2);
+            if (remainder.length > 0) socket.write(remainder);
+          }
+          return;
+        }
+        socket.write(data);
+      });
+      socket.on('error', () => {});
+    }) as TrackingServer;
+    server.destroyAll = () => {
+      for (const conn of connections) conn.destroy();
+      connections.clear();
+    };
+    server.on('error', reject);
+    server.listen(port, host, () => resolve(server));
+  });
+}
+
+async function forceCloseServer(server: TrackingServer): Promise<void> {
+  server.destroyAll();
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+}
+
+interface TestTunnel {
+  hub: RemoteIngressHub;
+  edge: RemoteIngressEdge;
+  edgePort: number;
+  cleanup: () => Promise<void>;
+}
+
+/**
+ * Start a full hub + edge tunnel using QUIC transport.
+ * Edge binds to 127.0.0.1, upstream server binds to 127.0.0.2.
+ */
+async function startQuicTunnel(edgePort: number, hubPort: number): Promise<TestTunnel> {
+  const hub = new RemoteIngressHub();
+  const edge = new RemoteIngressEdge();
+
+  await hub.start({
+    tunnelPort: hubPort,
+    targetHost: '127.0.0.2',
+  });
+
+  await hub.updateAllowedEdges([
+    { id: 'test-edge', secret: 'test-secret', listenPorts: [edgePort] },
+  ]);
+
+  const connectedPromise = new Promise<void>((resolve, reject) => {
+    const timeout = setTimeout(() => reject(new Error('QUIC edge did not connect within 10s')), 10000);
+    edge.once('tunnelConnected', () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+  });
+
+  await edge.start({
+    hubHost: '127.0.0.1',
+    hubPort,
+    edgeId: 'test-edge',
+    secret: 'test-secret',
+    bindAddress: '127.0.0.1',
+    transportMode: 'quic',
+  });
+
+  await connectedPromise;
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  return {
+    hub,
+    edge,
+    edgePort,
+    cleanup: async () => {
+      await edge.stop();
+      await hub.stop();
+    },
+  };
+}
+
+function sendAndReceive(port: number, data: Buffer, timeoutMs = 30000): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    let totalReceived = 0;
+    const expectedLength = data.length;
+    let settled = false;
+
+    const client = net.createConnection({ host: '127.0.0.1', port }, () => {
+      client.write(data);
+      client.end();
+    });
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.destroy();
+        reject(new Error(`Timeout after ${timeoutMs}ms — received ${totalReceived}/${expectedLength} bytes`));
+      }
+    }, timeoutMs);
+
+    client.on('data', (chunk: Buffer) => {
+      chunks.push(chunk);
+      totalReceived += chunk.length;
+      if (totalReceived >= expectedLength && !settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.destroy();
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('end', () => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('error', (err) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        reject(err);
+      }
+    });
+  });
+}
+
+function sha256(buf: Buffer): string {
+  return crypto.createHash('sha256').update(buf).digest('hex');
+}
+
+// ---------------------------------------------------------------------------
+// QUIC Transport E2E Tests
+// ---------------------------------------------------------------------------
+
+let tunnel: TestTunnel;
+let echoServer: TrackingServer;
+let hubPort: number;
+let edgePort: number;
+
+tap.test('QUIC setup: start echo server and QUIC tunnel', async () => {
+  [hubPort, edgePort] = await findFreePorts(2);
+
+  echoServer = await startEchoServer(edgePort, '127.0.0.2');
+  tunnel = await startQuicTunnel(edgePort, hubPort);
+
+  expect(tunnel.hub.running).toBeTrue();
+  const status = await tunnel.edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('QUIC: single stream echo — 1KB', async () => {
+  const data = crypto.randomBytes(1024);
+  const hash = sha256(data);
+  const received = await sendAndReceive(edgePort, data, 10000);
+  expect(received.length).toEqual(1024);
+  expect(sha256(received)).toEqual(hash);
+});
+
+tap.test('QUIC: single stream echo — 1MB', async () => {
+  const size = 1024 * 1024;
+  const data = crypto.randomBytes(size);
+  const hash = sha256(data);
+  const received = await sendAndReceive(edgePort, data, 30000);
+  expect(received.length).toEqual(size);
+  expect(sha256(received)).toEqual(hash);
+});
+
+tap.test('QUIC: single stream echo — 16MB', async () => {
+  const size = 16 * 1024 * 1024;
+  const data = crypto.randomBytes(size);
+  const hash = sha256(data);
+  const received = await sendAndReceive(edgePort, data, 60000);
+  expect(received.length).toEqual(size);
+  expect(sha256(received)).toEqual(hash);
+});
+
+tap.test('QUIC: 10 concurrent streams x 1MB each', async () => {
+  const streamCount = 10;
+  const payloadSize = 1024 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 30000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('QUIC: 50 concurrent streams x 64KB each', async () => {
+  const streamCount = 50;
+  const payloadSize = 64 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 30000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('QUIC: 200 concurrent streams x 16KB each', async () => {
+  const streamCount = 200;
+  const payloadSize = 16 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 60000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('QUIC: tunnel still connected after all tests', async () => {
+  const status = await tunnel.edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('QUIC teardown: stop tunnel and echo server', async () => {
+  await tunnel.cleanup();
+  await forceCloseServer(echoServer);
+});
+
+export default tap.start();
--- a/test/test.udp.node.ts
+++ b/test/test.udp.node.ts
@@ -0,0 +1,193 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as dgram from 'dgram';
+import * as net from 'net';
+import * as crypto from 'crypto';
+import { RemoteIngressHub, RemoteIngressEdge } from '../ts/index.js';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+async function findFreePorts(count: number): Promise<number[]> {
+  const servers: net.Server[] = [];
+  const ports: number[] = [];
+  for (let i = 0; i < count; i++) {
+    const server = net.createServer();
+    await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
+    ports.push((server.address() as net.AddressInfo).port);
+    servers.push(server);
+  }
+  await Promise.all(servers.map((s) => new Promise<void>((resolve) => s.close(() => resolve()))));
+  return ports;
+}
+
+/**
+ * Start a UDP echo server that:
+ * 1. Receives the first datagram (PROXY v2 header — 28 bytes) and discards it
+ * 2. Echoes all subsequent datagrams back to the sender
+ */
+function startUdpEchoServer(port: number, host: string): Promise<dgram.Socket> {
+  return new Promise((resolve, reject) => {
+    const server = dgram.createSocket('udp4');
+    let proxyHeaderReceived = false;
+
+    server.on('message', (msg, rinfo) => {
+      if (!proxyHeaderReceived) {
+        // First datagram is the PROXY v2 header (28 bytes for IPv4)
+        // In the current implementation, the hub connects directly via UDP
+        // so the first real datagram is the actual data (no PROXY header yet)
+        // For now, just echo everything back
+        proxyHeaderReceived = true;
+      }
+      // Echo back
+      server.send(msg, rinfo.port, rinfo.address);
+    });
+
+    server.on('error', reject);
+    server.bind(port, host, () => resolve(server));
+  });
+}
+
+/**
+ * Send a UDP datagram through the tunnel and wait for the echo response.
+ */
+function udpSendAndReceive(
+  port: number,
+  data: Buffer,
+  timeoutMs = 10000,
+): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const client = dgram.createSocket('udp4');
+    let settled = false;
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.close();
+        reject(new Error(`UDP timeout after ${timeoutMs}ms`));
+      }
+    }, timeoutMs);
+
+    client.on('message', (msg) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.close();
+        resolve(msg);
+      }
+    });
+
+    client.on('error', (err) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.close();
+        reject(err);
+      }
+    });
+
+    client.send(data, port, '127.0.0.1');
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Test state
+// ---------------------------------------------------------------------------
+
+let hub: RemoteIngressHub;
+let edge: RemoteIngressEdge;
+let echoServer: dgram.Socket;
+let hubPort: number;
+let edgeUdpPort: number;
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+tap.test('UDP setup: start echo server and tunnel with UDP ports', async () => {
+  [hubPort, edgeUdpPort] = await findFreePorts(2);
+
+  // Start UDP echo server on upstream (127.0.0.2)
+  echoServer = await startUdpEchoServer(edgeUdpPort, '127.0.0.2');
+
+  hub = new RemoteIngressHub();
+  edge = new RemoteIngressEdge();
+
+  await hub.start({ tunnelPort: hubPort, targetHost: '127.0.0.2' });
+  await hub.updateAllowedEdges([
+    { id: 'test-edge', secret: 'test-secret', listenPorts: [], listenPortsUdp: [edgeUdpPort] },
+  ]);
+
+  const connectedPromise = new Promise<void>((resolve, reject) => {
+    const timeout = setTimeout(() => reject(new Error('Edge did not connect within 10s')), 10000);
+    edge.once('tunnelConnected', () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+  });
+
+  await edge.start({
+    hubHost: '127.0.0.1',
+    hubPort,
+    edgeId: 'test-edge',
+    secret: 'test-secret',
+    bindAddress: '127.0.0.1',
+  });
+
+  await connectedPromise;
+  // Wait for UDP listener to bind
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  const status = await edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('UDP: single datagram echo — 64 bytes', async () => {
+  const data = crypto.randomBytes(64);
+  const received = await udpSendAndReceive(edgeUdpPort, data, 5000);
+  expect(received.length).toEqual(64);
+  expect(Buffer.compare(received, data)).toEqual(0);
+});
+
+tap.test('UDP: single datagram echo — 1KB', async () => {
+  const data = crypto.randomBytes(1024);
+  const received = await udpSendAndReceive(edgeUdpPort, data, 5000);
+  expect(received.length).toEqual(1024);
+  expect(Buffer.compare(received, data)).toEqual(0);
+});
+
+tap.test('UDP: 10 sequential datagrams', async () => {
+  for (let i = 0; i < 10; i++) {
+    const data = crypto.randomBytes(128);
+    const received = await udpSendAndReceive(edgeUdpPort, data, 5000);
+    expect(received.length).toEqual(128);
+    expect(Buffer.compare(received, data)).toEqual(0);
+  }
+});
+
+tap.test('UDP: 10 concurrent datagrams from different source ports', async () => {
+  const promises = Array.from({ length: 10 }, () => {
+    const data = crypto.randomBytes(256);
+    return udpSendAndReceive(edgeUdpPort, data, 5000).then((received) => ({
+      sizeOk: received.length === 256,
+      dataOk: Buffer.compare(received, data) === 0,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || !r.dataOk);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('UDP: tunnel still connected after tests', async () => {
+  const status = await edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('UDP teardown: stop tunnel and echo server', async () => {
+  await edge.stop();
+  await hub.stop();
+  await new Promise<void>((resolve) => echoServer.close(() => resolve()));
+});
+
+export default tap.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/remoteingress',
-  version: '4.8.14',
+  version: '4.11.0',
  description: 'Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.'
 }
--- a/ts/classes.remoteingressedge.ts
+++ b/ts/classes.remoteingressedge.ts
@@ -15,6 +15,7 @@ type TEdgeCommands = {
      edgeId: string;
      secret: string;
      bindAddress?: string;
+      transportMode?: 'tcpTls' | 'quic' | 'quicWithFallback';
    };
    result: { started: boolean };
  };
@@ -40,6 +41,7 @@ export interface IEdgeConfig {
  edgeId: string;
  secret: string;
  bindAddress?: string;
+  transportMode?: 'tcpTls' | 'quic' | 'quicWithFallback';
 }

 const MAX_RESTART_ATTEMPTS = 10;
@@ -137,6 +139,7 @@ export class RemoteIngressEdge extends EventEmitter {
      edgeId: edgeConfig.edgeId,
      secret: edgeConfig.secret,
      ...(edgeConfig.bindAddress ? { bindAddress: edgeConfig.bindAddress } : {}),
+      ...(edgeConfig.transportMode ? { transportMode: edgeConfig.transportMode } : {}),
    });

    this.started = true;
@@ -233,6 +236,7 @@ export class RemoteIngressEdge extends EventEmitter {
        edgeId: this.savedConfig.edgeId,
        secret: this.savedConfig.secret,
        ...(this.savedConfig.bindAddress ? { bindAddress: this.savedConfig.bindAddress } : {}),
+        ...(this.savedConfig.transportMode ? { transportMode: this.savedConfig.transportMode } : {}),
      });

      this.started = true;
--- a/ts/classes.remoteingresshub.ts
+++ b/ts/classes.remoteingresshub.ts
@@ -22,7 +22,7 @@ type THubCommands = {
  };
  updateAllowedEdges: {
    params: {
-      edges: Array<{ id: string; secret: string; listenPorts?: number[]; stunIntervalSecs?: number }>;
+      edges: Array<{ id: string; secret: string; listenPorts?: number[]; listenPortsUdp?: number[]; stunIntervalSecs?: number }>;
    };
    result: { updated: boolean };
  };
@@ -50,7 +50,7 @@ export interface IHubConfig {
  };
 }

-type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; stunIntervalSecs?: number };
+type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; listenPortsUdp?: number[]; stunIntervalSecs?: number };

 const MAX_RESTART_ATTEMPTS = 10;
 const MAX_RESTART_BACKOFF_MS = 30_000;
Author	SHA1	Message	Date
Juergen Kunz	bfa88f8d76	v4.11.0 Some checks failed Default (tags) / security (push) Failing after 0s Details Default (tags) / test (push) Failing after 0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-19 12:02:41 +00:00
Juergen Kunz	a96b4ba84a	feat(remoteingress-core): add UDP tunneling support between edge and hub	2026-03-19 12:02:41 +00:00
Juergen Kunz	61fa69f108	v4.10.0 Some checks failed Default (tags) / security (push) Failing after 1s Details Default (tags) / test (push) Failing after 0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-19 10:44:22 +00:00
Juergen Kunz	6abfd2ff2a	feat(core,edge,hub,transport): add QUIC tunnel transport support with optional edge transport selection	2026-03-19 10:44:22 +00:00
Juergen Kunz	e4807be00b	v4.9.1 Some checks failed Default (tags) / security (push) Failing after 1s Details Default (tags) / test (push) Failing after 1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-18 00:30:03 +00:00
Juergen Kunz	b649322e65	fix(readme): document QoS tiers, heartbeat frames, and adaptive flow control in the protocol overview	2026-03-18 00:30:03 +00:00
Juergen Kunz	d89d1cfbbf	v4.9.0 Some checks failed Default (tags) / security (push) Failing after 1s Details Default (tags) / test (push) Failing after 1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-18 00:13:14 +00:00
Juergen Kunz	6cbe8bee5e	feat(protocol): add sustained-stream tunnel scheduling to isolate high-throughput traffic	2026-03-18 00:13:14 +00:00
Juergen Kunz	a63247af3e	v4.8.19 Some checks failed Default (tags) / security (push) Failing after 1s Details Default (tags) / test (push) Failing after 0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-18 00:02:20 +00:00
Juergen Kunz	28a0c769d9	fix(remoteingress-protocol): reduce per-stream flow control windows and increase control channel buffering	2026-03-18 00:02:20 +00:00
Juergen Kunz	ce7ccd83dc	v4.8.18 Some checks failed Default (tags) / security (push) Failing after 0s Details Default (tags) / test (push) Failing after 0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-17 23:29:02 +00:00
Juergen Kunz	93578d7034	fix(rust-protocol): switch tunnel frame buffers from Vec<u8> to Bytes to reduce copying and memory overhead	2026-03-17 23:29:02 +00:00
Juergen Kunz	4cfc518301	v4.8.17 Some checks failed Default (tags) / security (push) Failing after 1s Details Default (tags) / test (push) Failing after 0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-17 22:46:55 +00:00
Juergen Kunz	124df129ec	fix(protocol): increase per-stream flow control windows and remove adaptive read caps	2026-03-17 22:46:55 +00:00
Juergen Kunz	0b8420aac9	v4.8.16 Some checks failed Default (tags) / security (push) Failing after 1s Details Default (tags) / test (push) Failing after 0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-03-17 19:13:30 +00:00
Juergen Kunz	afd193336a	fix(release): bump package version to 4.8.15	2026-03-17 19:13:30 +00:00