v4.13.0

changelog.md

@@ -1,11 +1,81 @@
 # Changelog
 
-## 2026-03-17 - 4.8.14 - fix(rust-core,protocol)
-eliminate edge stream registration races and reduce frame buffering copies
+## 2026-03-19 - 4.13.0 - feat(docs)
+document TCP and UDP tunneling over TLS and QUIC
 
-- replace Vec<u8> tunnel/frame buffers with bytes::Bytes and BytesMut for lower-copy frame parsing and queueing
-- move edge stream ownership into the main I/O loop with explicit register and cleanup channels to ensure streams are registered before OPEN processing
-- add proactive send window clamping so active streams converge immediately to adaptive flow-control targets
+- update package description to reflect TCP and UDP support and TLS or QUIC transports
+- refresh README architecture, features, and usage examples for UDP forwarding, QUIC transport, and PROXY protocol v1/v2 support
+
+## 2026-03-19 - 4.12.1 - fix(remoteingress-core)
+send PROXY v2 headers for UDP upstream sessions and expire idle UDP sessions
+
+- Adds periodic idle UDP session expiry in edge tunnel and QUIC loops, including UDP close signaling for expired tunnel sessions.
+- Sends the PROXY v2 header as the first datagram for UDP upstream connections in both standard and QUIC hub paths.
+- Updates the UDP node test server to ignore the initial PROXY v2 datagram per source before echoing payload traffic.
+
+## 2026-03-19 - 4.12.0 - feat(remoteingress-core)
+add UDP tunneling over QUIC datagrams and expand transport-specific test coverage
+
+- Implement QUIC datagram-based UDP forwarding on both edge and hub, including session setup, payload routing, and listener cleanup
+- Enable QUIC datagram receive buffers in client and server transport configuration
+- Add UDP-over-QUIC tests and clarify existing test names to distinguish TCP/TLS, UDP/TLS, and QUIC scenarios
+
+## 2026-03-19 - 4.11.0 - feat(remoteingress-core)
+add UDP tunneling support between edge and hub
+
+- extend edge and hub handshake/config updates with UDP listen ports
+- add UDP tunnel frame types and PROXY protocol v2 header helpers in the protocol crate
+- introduce UDP session management on the edge and upstream UDP forwarding on the hub
+- add Node.js integration tests covering UDP echo and concurrent datagrams
+- expose UDP listen port configuration in the TypeScript hub API
+
+## 2026-03-19 - 4.10.0 - feat(core,edge,hub,transport)
+add QUIC tunnel transport support with optional edge transport selection
+
+- adds a shared transport module with QUIC configuration helpers, control message framing, and PROXY header handling
+- enables the hub to accept QUIC connections on the tunnel port alongside existing TCP/TLS support
+- adds edge transportMode configuration with quic and quicWithFallback options and propagates it through restarts
+- includes end-to-end QUIC transport tests covering large payloads and concurrent streams
+
+## 2026-03-18 - 4.9.1 - fix(readme)
+document QoS tiers, heartbeat frames, and adaptive flow control in the protocol overview
+
+- Adds PING, PONG, WINDOW_UPDATE, and WINDOW_UPDATE_BACK frame types to the protocol documentation
+- Describes the 3-tier priority queues for control, normal data, and sustained traffic
+- Explains sustained stream classification and adaptive per-stream window sizing
+
+## 2026-03-18 - 4.9.0 - feat(protocol)
+add sustained-stream tunnel scheduling to isolate high-throughput traffic
+
+- Introduce a third low-priority sustained queue in TunnelIo with a forced drain budget to prevent long-lived high-bandwidth streams from starving control and normal data frames.
+- Classify upload and download streams as sustained after exceeding the throughput threshold for the minimum duration, and route their DATA and CLOSE frames through the sustained channel.
+- Wire the new sustained channel through edge and hub stream handling so sustained traffic is scheduled consistently on both sides of the tunnel.
+
+## 2026-03-18 - 4.8.19 - fix(remoteingress-protocol)
+reduce per-stream flow control windows and increase control channel buffering
+
+- Lower the initial and maximum per-stream window from 16MB to 4MB and scale adaptive windows against a 200MB total budget with a 1MB minimum.
+- Increase edge and hub control frame channel capacity from 256 to 512 to better handle prioritized control traffic.
+- Update flow-control tests and comments to reflect the new window sizing and budget behavior.
+
+## 2026-03-17 - 4.8.18 - fix(rust-protocol)
+switch tunnel frame buffers from Vec<u8> to Bytes to reduce copying and memory overhead
+
+- Add the bytes crate to core and protocol crates
+- Update frame encoding, reader payloads, channel queues, and stream backchannels to use Bytes
+- Adjust edge and hub data/control paths to send framed payloads as Bytes
+
+## 2026-03-17 - 4.8.17 - fix(protocol)
+increase per-stream flow control windows and remove adaptive read caps
+
+- Raise the initial per-stream window from 4MB to 16MB and expand the adaptive window budget to 800MB with a 4MB floor
+- Stop limiting edge and hub reads by the adaptive per-stream target window, keeping reads capped only by the current window and 32KB chunk size
+- Update protocol tests to match the new adaptive window scaling and budget boundaries
+
+## 2026-03-17 - 4.8.16 - fix(release)
+bump package version to 4.8.15
+
+- Updates the package.json version field from 4.8.13 to 4.8.15.
 
 ## 2026-03-17 - 4.8.13 - fix(remoteingress-protocol)
 require a flush after each written frame to bound TLS buffer growth

package.json

@@ -1,8 +1,8 @@
 {
   "name": "@serve.zone/remoteingress",
-  "version": "4.8.14",
+  "version": "4.13.0",
   "private": false,
-  "description": "Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.",
+  "description": "Edge ingress tunnel for DcRouter - tunnels TCP and UDP traffic from the network edge to SmartProxy over TLS or QUIC, preserving client IP via PROXY protocol.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",
   "type": "module",

readme.md

@@ -1,6 +1,6 @@
 # @serve.zone/remoteingress
 
-Edge ingress tunnel for DcRouter — accepts incoming TCP connections at the network edge and tunnels them over a single encrypted TLS connection to a DcRouter SmartProxy instance, preserving the original client IP via PROXY protocol v1.
+Edge ingress tunnel for DcRouter — tunnels **TCP and UDP** traffic from the network edge to a private DcRouter/SmartProxy cluster over encrypted TLS or QUIC connections, preserving the original client IP via PROXY protocol.
 
 ## Issue Reporting and Security
 
@@ -17,41 +17,46 @@ pnpm install @serve.zone/remoteingress
 `@serve.zone/remoteingress` uses a **Hub/Edge** topology with a high-performance Rust core and a TypeScript API surface:
 
 ```
-┌─────────────────────┐          TLS Tunnel           ┌─────────────────────┐
+┌─────────────────────┐      TLS or QUIC Tunnel       ┌─────────────────────┐
 │   Network Edge      │  ◄══════════════════════════►  │   Private Cluster   │
-│                     │   (multiplexed frames +        │                     │
-│  RemoteIngressEdge  │    shared-secret auth)         │  RemoteIngressHub   │
-│  Accepts client TCP │                                │  Forwards to        │
-│  connections on     │                                │  SmartProxy on      │
-│  hub-assigned ports │                                │  local ports        │
+│                     │   TCP+TLS: frame mux           │                     │
+│  RemoteIngressEdge  │   QUIC:    native streams      │  RemoteIngressHub   │
+│                     │   UDP:     QUIC datagrams       │                     │
+│  Accepts TCP & UDP  │                                │  Forwards to        │
+│  on hub-assigned    │                                │  SmartProxy on      │
+│  ports              │                                │  local ports        │
 └─────────────────────┘                                └─────────────────────┘
         ▲                                                       │
-        │  TCP from end users                                   ▼
+        │  TCP + UDP from end users                             ▼
    Internet                                             DcRouter / SmartProxy
 ```
 
 | Component | Role |
 |-----------|------|
-| **RemoteIngressEdge** | Deployed at the network edge (e.g. a VPS or cloud instance). Listens on ports assigned by the hub, accepts raw TCP connections, and multiplexes them over a single TLS tunnel to the hub. Ports are hot-reloadable — the hub can change them at runtime. |
-| **RemoteIngressHub** | Deployed alongside DcRouter/SmartProxy in a private cluster. Accepts edge connections, demuxes streams, and forwards each to SmartProxy with a PROXY protocol v1 header so the real client IP is preserved. Controls which ports each edge listens on. |
+| **RemoteIngressEdge** | Deployed at the network edge (VPS, cloud instance). Listens on TCP and UDP ports assigned by the hub, accepts connections/datagrams, and tunnels them to the hub. Ports are hot-reloadable at runtime. |
+| **RemoteIngressHub** | Deployed alongside DcRouter/SmartProxy in a private cluster. Accepts edge connections, demuxes streams/datagrams, and forwards each to SmartProxy with PROXY protocol headers so the real client IP is preserved. |
 | **Rust Binary** (`remoteingress-bin`) | The performance-critical networking core. Managed via `@push.rocks/smartrust` RustBridge IPC — you never interact with it directly. Cross-compiled for `linux/amd64` and `linux/arm64`. |
 
 ### ✨ Key Features
 
-- 🔒 **TLS-encrypted tunnel** between edge and hub (auto-generated self-signed cert or bring your own)
-- 🔀 **Multiplexed streams** — thousands of client connections flow over a single tunnel
-- 🌐 **PROXY protocol v1** — SmartProxy sees the real client IP, not the tunnel IP
+- 🔒 **Dual transport** — choose between TCP+TLS (frame-multiplexed) or QUIC (native stream multiplexing, zero head-of-line blocking)
+- 🌐 **TCP + UDP tunneling** — tunnel any TCP connection or UDP datagram through the same edge/hub pair
+- 📋 **PROXY protocol v1 & v2** — SmartProxy sees the real client IP for both TCP (v1 text) and UDP (v2 binary)
+- 🔀 **Multiplexed streams** — thousands of concurrent TCP connections over a single tunnel
+- ⚡ **QUIC datagrams** — UDP traffic forwarded via QUIC unreliable datagrams for lowest possible latency
 - 🔑 **Shared-secret authentication** — edges must present valid credentials to connect
-- 🎫 **Connection tokens** — encode all connection details into a single opaque string
-- 📡 **STUN-based public IP discovery** — the edge automatically discovers its public IP via Cloudflare STUN
+- 🎫 **Connection tokens** — encode all connection details into a single opaque base64url string
+- 📡 **STUN-based public IP discovery** — edges automatically discover their public IP via Cloudflare STUN
 - 🔄 **Auto-reconnect** with exponential backoff if the tunnel drops
-- 🎛️ **Dynamic port configuration** — the hub assigns listen ports per edge and can hot-reload them at runtime via `FRAME_CONFIG` frames
+- 🎛️ **Dynamic port configuration** — the hub assigns TCP and UDP listen ports per edge, hot-reloadable at runtime
 - 📣 **Event-driven** — both Hub and Edge extend `EventEmitter` for real-time monitoring
-- ⚡ **Rust core** — all frame encoding, TLS, and TCP proxying happen in native code for maximum throughput
+- 🎚️ **3-tier QoS** — control frames, normal data, and sustained (elephant flow) traffic each get their own priority queue
+- 📊 **Adaptive flow control** — per-stream windows scale with active stream count to prevent memory overuse
+- 🕒 **UDP session management** — automatic session tracking with 60s idle timeout and cleanup
 
 ## 🚀 Usage
 
-Both classes are imported from the package and communicate with the Rust binary under the hood. All you need to do is configure and start them.
+Both classes are imported from the package and communicate with the Rust binary under the hood.
 
 ### Setting Up the Hub (Private Cluster Side)
 
@@ -61,32 +66,25 @@ import { RemoteIngressHub } from '@serve.zone/remoteingress';
 const hub = new RemoteIngressHub();
 
 // Listen for events
-hub.on('edgeConnected', ({ edgeId }) => {
-  console.log(`Edge ${edgeId} connected`);
-});
-hub.on('edgeDisconnected', ({ edgeId }) => {
-  console.log(`Edge ${edgeId} disconnected`);
-});
-hub.on('streamOpened', ({ edgeId, streamId }) => {
-  console.log(`Stream ${streamId} opened from edge ${edgeId}`);
-});
-hub.on('streamClosed', ({ edgeId, streamId }) => {
-  console.log(`Stream ${streamId} closed from edge ${edgeId}`);
-});
+hub.on('edgeConnected', ({ edgeId }) => console.log(`Edge ${edgeId} connected`));
+hub.on('edgeDisconnected', ({ edgeId }) => console.log(`Edge ${edgeId} disconnected`));
+hub.on('streamOpened', ({ edgeId, streamId }) => console.log(`Stream ${streamId} from ${edgeId}`));
+hub.on('streamClosed', ({ edgeId, streamId }) => console.log(`Stream ${streamId} closed`));
 
-// Start the hub — it will listen for incoming edge TLS connections
+// Start the hub — listens for edge connections on both TCP and QUIC (same port)
 await hub.start({
   tunnelPort: 8443,        // port edges connect to (default: 8443)
-  targetHost: '127.0.0.1', // SmartProxy host to forward streams to (default: 127.0.0.1)
+  targetHost: '127.0.0.1', // SmartProxy host to forward traffic to
 });
 
-// Register which edges are allowed to connect, including their listen ports
+// Register allowed edges with TCP and UDP listen ports
 await hub.updateAllowedEdges([
   {
     id: 'edge-nyc-01',
     secret: 'supersecrettoken1',
-    listenPorts: [80, 443],        // ports the edge should listen on
-    stunIntervalSecs: 300,         // STUN discovery interval (default: 300)
+    listenPorts: [80, 443],        // TCP ports the edge should listen on
+    listenPortsUdp: [53, 51820],   // UDP ports (e.g., DNS, WireGuard)
+    stunIntervalSecs: 300,
   },
   {
     id: 'edge-fra-02',
@@ -95,38 +93,29 @@ await hub.updateAllowedEdges([
   },
 ]);
 
-// Dynamically update ports for a connected edge — changes are pushed instantly
+// Dynamically update ports — changes are pushed instantly to connected edges
 await hub.updateAllowedEdges([
   {
     id: 'edge-nyc-01',
     secret: 'supersecrettoken1',
-    listenPorts: [80, 443, 8443],  // added port 8443 — edge picks it up in real time
+    listenPorts: [80, 443, 8443],    // added TCP port 8443
+    listenPortsUdp: [53],            // removed WireGuard UDP port
   },
 ]);
 
-// Check status at any time
+// Check status
 const status = await hub.getStatus();
-console.log(status);
-// {
-//   running: true,
-//   tunnelPort: 8443,
-//   connectedEdges: [
-//     { edgeId: 'edge-nyc-01', connectedAt: 1700000000, activeStreams: 12 }
-//   ]
-// }
+// { running: true, tunnelPort: 8443, connectedEdges: [...] }
 
-// Graceful shutdown
 await hub.stop();
 ```
 
 ### Setting Up the Edge (Network Edge Side)
 
-The edge can be configured in two ways: with an **opaque connection token** (recommended) or with explicit config fields.
+The edge can connect via **TCP+TLS** (default) or **QUIC** transport.
 
 #### Option A: Connection Token (Recommended)
 
-A single token encodes all connection details — ideal for provisioning edges at scale:
-
 ```typescript
 import { RemoteIngressEdge } from '@serve.zone/remoteingress';
 
@@ -135,79 +124,64 @@ const edge = new RemoteIngressEdge();
 edge.on('tunnelConnected', () => console.log('Tunnel established'));
 edge.on('tunnelDisconnected', () => console.log('Tunnel lost — will auto-reconnect'));
 edge.on('publicIpDiscovered', ({ ip }) => console.log(`Public IP: ${ip}`));
-edge.on('portsAssigned', ({ listenPorts }) => console.log(`Listening on ports: ${listenPorts}`));
-edge.on('portsUpdated', ({ listenPorts }) => console.log(`Ports updated: ${listenPorts}`));
+edge.on('portsAssigned', ({ listenPorts }) => console.log(`TCP ports: ${listenPorts}`));
 
-// Single token contains hubHost, hubPort, edgeId, and secret
 await edge.start({
-  token: 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwicCI6ODQ0MywiZSI6ImVkZ2UtbnljLTAxIiwicyI6InN1cGVyc2VjcmV0dG9rZW4xIn0',
+  token: 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwi...',
 });
 ```
 
-#### Option B: Explicit Config
+#### Option B: Explicit Config with QUIC Transport
 
 ```typescript
 import { RemoteIngressEdge } from '@serve.zone/remoteingress';
 
 const edge = new RemoteIngressEdge();
 
-edge.on('tunnelConnected', () => console.log('Tunnel established'));
-edge.on('tunnelDisconnected', () => console.log('Tunnel lost — will auto-reconnect'));
-edge.on('publicIpDiscovered', ({ ip }) => console.log(`Public IP: ${ip}`));
-edge.on('portsAssigned', ({ listenPorts }) => console.log(`Listening on ports: ${listenPorts}`));
-edge.on('portsUpdated', ({ listenPorts }) => console.log(`Ports updated: ${listenPorts}`));
-
 await edge.start({
-  hubHost: 'hub.example.com',  // hostname or IP of the hub
-  hubPort: 8443,               // must match hub's tunnelPort (default: 8443)
-  edgeId: 'edge-nyc-01',       // unique edge identifier
-  secret: 'supersecrettoken1', // must match the hub's allowed edge secret
+  hubHost: 'hub.example.com',
+  hubPort: 8443,
+  edgeId: 'edge-nyc-01',
+  secret: 'supersecrettoken1',
+  transportMode: 'quic',  // 'tcpTls' (default) | 'quic' | 'quicWithFallback'
 });
 
-// Check status at any time
 const edgeStatus = await edge.getStatus();
-console.log(edgeStatus);
-// {
-//   running: true,
-//   connected: true,
-//   publicIp: '203.0.113.42',
-//   activeStreams: 5,
-//   listenPorts: [80, 443]
-// }
+// { running: true, connected: true, publicIp: '203.0.113.42', activeStreams: 5, listenPorts: [80, 443] }
 
-// Graceful shutdown
 await edge.stop();
 ```
 
+#### Transport Modes
+
+| Mode | Description |
+|------|-------------|
+| `'tcpTls'` | **Default.** Single TLS connection with frame-based multiplexing. Universal compatibility. |
+| `'quic'` | QUIC with native stream multiplexing. Eliminates head-of-line blocking. Uses QUIC datagrams for UDP traffic. |
+| `'quicWithFallback'` | Tries QUIC first (5s timeout), falls back to TCP+TLS if UDP is blocked by the network. |
+
 ### 🎫 Connection Tokens
 
-Connection tokens let you distribute a single opaque string instead of four separate config values. The hub operator generates the token; the edge operator just pastes it in.
+Encode all connection details into a single opaque string for easy distribution:
 
 ```typescript
 import { encodeConnectionToken, decodeConnectionToken } from '@serve.zone/remoteingress';
 
-// Hub side: generate a token for a new edge
+// Hub operator generates a token
 const token = encodeConnectionToken({
   hubHost: 'hub.example.com',
   hubPort: 8443,
   edgeId: 'edge-nyc-01',
   secret: 'supersecrettoken1',
 });
-console.log(token);
 // => 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwi...'
 
-// Edge side: inspect a token (optional — start() does this automatically)
+// Edge operator decodes (optional — start() does this automatically)
 const data = decodeConnectionToken(token);
-console.log(data);
-// {
-//   hubHost: 'hub.example.com',
-//   hubPort: 8443,
-//   edgeId: 'edge-nyc-01',
-//   secret: 'supersecrettoken1'
-// }
+// { hubHost: 'hub.example.com', hubPort: 8443, edgeId: 'edge-nyc-01', secret: '...' }
 ```
 
-Tokens are base64url-encoded (URL-safe, no padding) — safe to pass as environment variables, CLI arguments, or store in config files.
+Tokens are base64url-encoded — safe for environment variables, CLI arguments, and config files.
 
 ## 📖 API Reference
 
@@ -215,10 +189,10 @@ Tokens are base64url-encoded (URL-safe, no padding) — safe to pass as environm
 
 | Method / Property | Description |
 |-------------------|-------------|
-| `start(config?)` | Spawns the Rust binary and starts the tunnel listener. Config: `{ tunnelPort?: number, targetHost?: string }` |
-| `stop()` | Gracefully shuts down the hub and kills the Rust process. |
-| `updateAllowedEdges(edges)` | Dynamically update which edges are authorized and what ports they listen on. Each edge: `{ id: string, secret: string, listenPorts?: number[], stunIntervalSecs?: number }`. If ports change for a connected edge, the update is pushed immediately via a `FRAME_CONFIG` frame. |
-| `getStatus()` | Returns current hub status including connected edges and active stream counts. |
+| `start(config?)` | Start the hub. Config: `{ tunnelPort?: number, targetHost?: string }`. Listens on both TCP and UDP (QUIC) on the tunnel port. |
+| `stop()` | Graceful shutdown. |
+| `updateAllowedEdges(edges)` | Set authorized edges. Each: `{ id, secret, listenPorts?, listenPortsUdp?, stunIntervalSecs? }`. Port changes are pushed to connected edges in real time. |
+| `getStatus()` | Returns `{ running, tunnelPort, connectedEdges: [...] }`. |
 | `running` | `boolean` — whether the Rust binary is alive. |
 
 **Events:** `edgeConnected`, `edgeDisconnected`, `streamOpened`, `streamClosed`
@@ -227,9 +201,9 @@ Tokens are base64url-encoded (URL-safe, no padding) — safe to pass as environm
 
 | Method / Property | Description |
 |-------------------|-------------|
-| `start(config)` | Spawns the Rust binary and connects to the hub. Accepts `{ token: string }` or `IEdgeConfig`. Listen ports are received from the hub during handshake. |
-| `stop()` | Gracefully shuts down the edge and kills the Rust process. |
-| `getStatus()` | Returns current edge status including connection state, public IP, listen ports, and active streams. |
+| `start(config)` | Connect to hub. Accepts `{ token }` or `{ hubHost, hubPort, edgeId, secret, transportMode? }`. |
+| `stop()` | Graceful shutdown. |
+| `getStatus()` | Returns `{ running, connected, publicIp, activeStreams, listenPorts }`. |
 | `running` | `boolean` — whether the Rust binary is alive. |
 
 **Events:** `tunnelConnected`, `tunnelDisconnected`, `publicIpDiscovered`, `portsAssigned`, `portsUpdated`
@@ -238,8 +212,8 @@ Tokens are base64url-encoded (URL-safe, no padding) — safe to pass as environm
 
 | Function | Description |
 |----------|-------------|
-| `encodeConnectionToken(data)` | Encodes `IConnectionTokenData` into a base64url token string. |
-| `decodeConnectionToken(token)` | Decodes a token back into `IConnectionTokenData`. Throws on malformed or incomplete tokens. |
+| `encodeConnectionToken(data)` | Encodes connection info into a base64url token. |
+| `decodeConnectionToken(token)` | Decodes a token. Throws on malformed input. |
 
 ### Interfaces
 
@@ -254,6 +228,8 @@ interface IEdgeConfig {
   hubPort?: number;      // default: 8443
   edgeId: string;
   secret: string;
+  bindAddress?: string;
+  transportMode?: 'tcpTls' | 'quic' | 'quicWithFallback';
 }
 
 interface IConnectionTokenData {
@@ -266,7 +242,9 @@ interface IConnectionTokenData {
 
 ## 🔌 Wire Protocol
 
-The tunnel uses a custom binary frame protocol over TLS:
+### TCP+TLS Transport (Frame Protocol)
+
+The tunnel uses a custom binary frame protocol over a single TLS connection:
 
 ```
 [stream_id: 4 bytes BE][type: 1 byte][length: 4 bytes BE][payload: N bytes]
@@ -274,73 +252,124 @@ The tunnel uses a custom binary frame protocol over TLS:
 
 | Frame Type | Value | Direction | Purpose |
 |------------|-------|-----------|---------|
-| `OPEN` | `0x01` | Edge → Hub | Open a new stream; payload is PROXY v1 header |
-| `DATA` | `0x02` | Edge → Hub | Client data flowing upstream |
-| `CLOSE` | `0x03` | Edge → Hub | Client closed the connection |
-| `DATA_BACK` | `0x04` | Hub → Edge | Response data flowing downstream |
-| `CLOSE_BACK` | `0x05` | Hub → Edge | Upstream (SmartProxy) closed the connection |
-| `CONFIG` | `0x06` | Hub → Edge | Runtime configuration update (e.g. port changes); payload is JSON |
+| `OPEN` | `0x01` | Edge → Hub | Open TCP stream; payload is PROXY v1 header |
+| `DATA` | `0x02` | Edge → Hub | Client data (upload) |
+| `CLOSE` | `0x03` | Edge → Hub | Client closed connection |
+| `DATA_BACK` | `0x04` | Hub → Edge | Response data (download) |
+| `CLOSE_BACK` | `0x05` | Hub → Edge | Upstream closed connection |
+| `CONFIG` | `0x06` | Hub → Edge | Runtime config update (JSON payload) |
+| `PING` | `0x07` | Hub → Edge | Heartbeat probe (every 15s) |
+| `PONG` | `0x08` | Edge → Hub | Heartbeat response |
+| `WINDOW_UPDATE` | `0x09` | Edge → Hub | Flow control: edge consumed N bytes |
+| `WINDOW_UPDATE_BACK` | `0x0A` | Hub → Edge | Flow control: hub consumed N bytes |
+| `UDP_OPEN` | `0x0B` | Edge → Hub | Open UDP session; payload is PROXY v2 header |
+| `UDP_DATA` | `0x0C` | Edge → Hub | UDP datagram (upload) |
+| `UDP_DATA_BACK` | `0x0D` | Hub → Edge | UDP datagram (download) |
+| `UDP_CLOSE` | `0x0E` | Either | Close UDP session |
 
-Max payload size per frame: **16 MB**. Stream IDs are 32-bit unsigned integers.
+### QUIC Transport
+
+When using QUIC, the frame protocol is replaced by native QUIC primitives:
+
+- **TCP connections:** Each tunneled TCP connection gets its own QUIC bidirectional stream. No framing overhead.
+- **UDP datagrams:** Forwarded via QUIC unreliable datagrams (RFC 9221). Format: `[session_id: 4 bytes][payload]`. Session open uses magic byte `0xFF`: `[session_id: 4][0xFF][PROXY v2 header]`.
+- **Control channel:** First QUIC bidirectional stream carries auth handshake + config updates using `[type: 1][length: 4][payload]` format.
 
 ### Handshake Sequence
 
-1. Edge opens a TLS connection to the hub
+1. Edge opens a TLS or QUIC connection to the hub
 2. Edge sends: `EDGE <edgeId> <secret>\n`
-3. Hub verifies credentials (constant-time comparison) and responds with JSON: `{"listenPorts":[...],"stunIntervalSecs":300}\n`
-4. Edge starts TCP listeners on the assigned ports
-5. Frame protocol begins — `OPEN`/`DATA`/`CLOSE` frames flow in both directions
-6. Hub can push `CONFIG` frames at any time to update the edge's listen ports
+3. Hub verifies credentials (constant-time comparison) and responds with JSON:
+   `{"listenPorts":[...],"listenPortsUdp":[...],"stunIntervalSecs":300}\n`
+4. Edge starts TCP and UDP listeners on the assigned ports
+5. Data flows — TCP frames/QUIC streams for TCP traffic, UDP frames/QUIC datagrams for UDP traffic
+
+## 🎚️ QoS & Flow Control
+
+### Priority Tiers (TCP+TLS Transport)
+
+| Tier | Frames | Behavior |
+|------|--------|----------|
+| 🔴 **Control** | PING, PONG, WINDOW_UPDATE, OPEN, CLOSE, CONFIG | Always drained first. Never delayed. |
+| 🟡 **Data** | DATA/DATA_BACK from normal streams, UDP frames | Drained when control queue is empty. |
+| 🟢 **Sustained** | DATA/DATA_BACK from elephant flows | Lowest priority with guaranteed **1 MB/s** drain rate. |
+
+### Sustained Stream Classification
+
+A TCP stream is classified as **sustained** (elephant flow) when:
+- Active for **>10 seconds**, AND
+- Average throughput exceeds **20 Mbit/s** (2.5 MB/s)
+
+Once classified, its flow control window locks to 1 MB and data frames move to the lowest-priority queue.
+
+### Adaptive Per-Stream Windows
+
+Each TCP stream has a send window from a shared **200 MB budget**:
+
+| Active Streams | Window per Stream |
+|---|---|
+| 1–50 | 4 MB (maximum) |
+| 51–200 | Scales down (4 MB → 1 MB) |
+| 200+ | 1 MB (floor) |
+
+UDP traffic uses no flow control — datagrams are fire-and-forget, matching UDP semantics.
 
 ## 💡 Example Scenarios
 
-### 1. Expose a Private Kubernetes Cluster to the Internet
+### 1. Expose a Private Cluster to the Internet
 
-Deploy an Edge on a public VPS, point your DNS to the VPS IP. The Edge tunnels all traffic to the Hub running inside the cluster, which hands it off to SmartProxy/DcRouter. Your cluster stays fully private — no public-facing ports needed.
+Deploy an Edge on a public VPS, point DNS to its IP. The Edge tunnels all TCP and UDP traffic to the Hub running inside your private cluster. No public ports needed on the cluster.
 
 ### 2. Multi-Region Edge Ingress
 
-Run multiple Edges in different geographic regions (NYC, Frankfurt, Tokyo) all connecting to a single Hub. Use GeoDNS to route users to their nearest Edge. The Hub sees the real client IPs via PROXY protocol regardless of which edge they connected through.
+Run Edges in NYC, Frankfurt, and Tokyo — all connecting to a single Hub. Use GeoDNS to route users to their nearest Edge. PROXY protocol ensures the Hub sees real client IPs regardless of which Edge they entered through.
 
-### 3. Secure API Exposure
+### 3. UDP Forwarding (DNS, Gaming, VoIP)
 
-Your backend runs on a private network with no direct internet access. An Edge on a minimal cloud instance acts as the only public entry point. TLS tunnel + shared-secret auth ensure only your authorized Edge can forward traffic.
-
-### 4. Token-Based Edge Provisioning
-
-Generate connection tokens on the hub side and distribute them to edge operators. Each edge only needs a single token string to connect — no manual configuration of host, port, ID, and secret.
+Configure UDP listen ports alongside TCP ports. DNS queries, game server traffic, or VoIP packets are tunneled through the same edge/hub connection and forwarded to SmartProxy with a PROXY v2 binary header preserving the client's real IP.
+
+```typescript
+await hub.updateAllowedEdges([
+  {
+    id: 'edge-nyc-01',
+    secret: 'secret',
+    listenPorts: [80, 443],       // TCP
+    listenPortsUdp: [53, 27015],  // DNS + game server
+  },
+]);
+```
+
+### 4. QUIC Transport for Low-Latency
+
+Use QUIC transport to eliminate head-of-line blocking — a lost packet on one stream doesn't stall others. QUIC also enables 0-RTT reconnection and connection migration.
+
+```typescript
+await edge.start({
+  hubHost: 'hub.example.com',
+  hubPort: 8443,
+  edgeId: 'edge-01',
+  secret: 'secret',
+  transportMode: 'quicWithFallback', // try QUIC, fall back to TLS if UDP blocked
+});
+```
+
+### 5. Token-Based Edge Provisioning
+
+Generate connection tokens on the hub side and distribute them to edge operators:
 
 ```typescript
-// Hub operator generates token
 const token = encodeConnectionToken({
   hubHost: 'hub.prod.example.com',
   hubPort: 8443,
   edgeId: 'edge-tokyo-01',
   secret: 'generated-secret-abc123',
 });
-// Send `token` to the edge operator via secure channel
+// Send `token` to the edge operator — a single string is all they need
 
-// Edge operator starts with just the token
 const edge = new RemoteIngressEdge();
 await edge.start({ token });
 ```
 
-### 5. Dynamic Port Management
-
-The hub controls which ports each edge listens on. Ports can be changed at runtime without restarting the edge — the hub pushes a `CONFIG` frame and the edge hot-reloads its TCP listeners.
-
-```typescript
-// Initially assign ports 80 and 443
-await hub.updateAllowedEdges([
-  { id: 'edge-nyc-01', secret: 'secret', listenPorts: [80, 443] },
-]);
-
-// Later, add port 8080 — the connected edge picks it up instantly
-await hub.updateAllowedEdges([
-  { id: 'edge-nyc-01', secret: 'secret', listenPorts: [80, 443, 8080] },
-]);
-```
-
 ## License and Legal Information
 
 This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.

rust/Cargo.lock

@@ -95,6 +95,12 @@ version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 
+[[package]]
+name = "bumpalo"
+version = "3.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
+
 [[package]]
 name = "bytes"
 version = "1.11.1"
@@ -113,12 +119,24 @@ dependencies = [
  "shlex",
 ]
 
+[[package]]
+name = "cesu8"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
+
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
 
+[[package]]
+name = "cfg_aliases"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
+
 [[package]]
 name = "clap"
 version = "4.5.58"
@@ -174,6 +192,32 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 
+[[package]]
+name = "combine"
+version = "4.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
+dependencies = [
+ "bytes",
+ "memchr",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
 [[package]]
 name = "deranged"
 version = "0.5.6"
@@ -222,6 +266,18 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "fastbloom"
+version = "0.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e7f34442dbe69c60fe8eaf58a8cafff81a1f278816d8ab4db255b3bef4ac3c4"
+dependencies = [
+ "getrandom 0.3.4",
+ "libm",
+ "rand",
+ "siphasher",
+]
+
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -253,8 +309,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -264,9 +322,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "r-efi",
  "wasip2",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -311,6 +371,28 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "jni"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
+dependencies = [
+ "cesu8",
+ "cfg-if",
+ "combine",
+ "jni-sys",
+ "log",
+ "thiserror 1.0.69",
+ "walkdir",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
+
 [[package]]
 name = "jobserver"
 version = "0.1.34"
@@ -321,12 +403,28 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "js-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "libc"
 version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 
+[[package]]
+name = "libm"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
+
 [[package]]
 name = "libmimalloc-sys"
 version = "0.1.44"
@@ -352,6 +450,12 @@ version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "memchr"
 version = "2.8.0"
@@ -396,6 +500,12 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "openssl-probe"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
+
 [[package]]
 name = "parking_lot"
 version = "0.12.5"
@@ -456,6 +566,15 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
 
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -465,6 +584,63 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2 0.6.2",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+dependencies = [
+ "bytes",
+ "fastbloom",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "rustls-platform-verifier",
+ "slab",
+ "thiserror 2.0.18",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2 0.6.2",
+ "tracing",
+ "windows-sys 0.60.2",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.44"
@@ -480,6 +656,35 @@ version = "5.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.13.2"
@@ -553,6 +758,7 @@ version = "2.0.0"
 dependencies = [
  "bytes",
  "log",
+ "quinn",
  "rcgen",
  "remoteingress-protocol",
  "rustls",
@@ -589,6 +795,12 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
 [[package]]
 name = "rustls"
 version = "0.23.36"
@@ -605,6 +817,18 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-native-certs"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
+dependencies = [
+ "openssl-probe",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
 [[package]]
 name = "rustls-pemfile"
 version = "2.2.0"
@@ -620,9 +844,37 @@ version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
 dependencies = [
+ "web-time",
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-platform-verifier"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
+dependencies = [
+ "core-foundation",
+ "core-foundation-sys",
+ "jni",
+ "log",
+ "once_cell",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-platform-verifier-android",
+ "rustls-webpki",
+ "security-framework",
+ "security-framework-sys",
+ "webpki-root-certs",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls-platform-verifier-android"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.9"
@@ -635,12 +887,59 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "security-framework"
+version = "3.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -700,6 +999,18 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "siphasher"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e"
+
+[[package]]
+name = "slab"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -749,6 +1060,46 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "time"
 version = "0.3.47"
@@ -768,6 +1119,21 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
 
+[[package]]
+name = "tinyvec"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
 [[package]]
 name = "tokio"
 version = "1.49.0"
@@ -819,6 +1185,26 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "tracing"
+version = "0.1.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
+dependencies = [
+ "log",
+ "pin-project-lite",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
+dependencies = [
+ "once_cell",
+]
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
@@ -837,6 +1223,16 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "wasi"
 version = "0.11.1+wasi-snapshot-preview1"
@@ -852,12 +1248,94 @@ dependencies = [
  "wit-bindgen",
 ]
 
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
+dependencies = [
+ "bumpalo",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-root-certs"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "804f18a4ac2676ffb4e8b5b5fa9ae38af06df08162314f96a68d2a363e21a8ca"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
+[[package]]
+name = "windows-sys"
+version = "0.45.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
+dependencies = [
+ "windows-targets 0.42.2",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -885,6 +1363,21 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -918,6 +1411,12 @@ dependencies = [
  "windows_x86_64_msvc 0.53.1",
 ]
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -930,6 +1429,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -942,6 +1447,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -966,6 +1477,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -978,6 +1495,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -990,6 +1513,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -1002,6 +1531,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -1029,6 +1564,26 @@ dependencies = [
  "time",
 ]
 
+[[package]]
+name = "zerocopy"
+version = "0.8.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "zeroize"
 version = "1.8.2"

rust/crates/remoteingress-core/Cargo.toml

@@ -16,3 +16,4 @@ log = "0.4"
 rustls-pemfile = "2"
 tokio-util = "0.7"
 socket2 = "0.5"
+quinn = "0.11"

rust/crates/remoteingress-core/src/hub.rs

@@ -3,7 +3,7 @@ use std::sync::Arc;
 use std::sync::atomic::{AtomicU32, Ordering};
 use std::time::Duration;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::net::{TcpListener, TcpStream};
+use tokio::net::{TcpListener, TcpStream, UdpSocket};
 use tokio::sync::{mpsc, Mutex, Notify, RwLock, Semaphore};
 use tokio::time::{interval, sleep_until, Instant};
 use tokio_rustls::TlsAcceptor;
@@ -12,6 +12,7 @@ use serde::{Deserialize, Serialize};
 
 use bytes::Bytes;
 use remoteingress_protocol::*;
+use crate::transport::quic as quic_transport;
 
 type HubTlsStream = tokio_rustls::server::TlsStream<TcpStream>;
 
@@ -22,6 +23,14 @@ enum FrameAction {
     Disconnect(String),
 }
 
+/// Per-UDP-session state tracked in the hub.
+struct HubUdpSessionState {
+    /// Channel for forwarding datagrams from edge to the upstream UdpSocket task.
+    data_tx: mpsc::Sender<Bytes>,
+    /// Cancellation token for this session's upstream task.
+    cancel_token: CancellationToken,
+}
+
 /// Per-stream state tracked in the hub's stream map.
 struct HubStreamState {
     /// Unbounded channel to deliver FRAME_DATA payloads to the upstream writer task.
@@ -68,6 +77,8 @@ pub struct AllowedEdge {
     pub secret: String,
     #[serde(default)]
     pub listen_ports: Vec<u16>,
+    #[serde(default)]
+    pub listen_ports_udp: Vec<u16>,
     pub stun_interval_secs: Option<u64>,
 }
 
@@ -76,6 +87,8 @@ pub struct AllowedEdge {
 #[serde(rename_all = "camelCase")]
 struct HandshakeResponse {
     listen_ports: Vec<u16>,
+    #[serde(default)]
+    listen_ports_udp: Vec<u16>,
     stun_interval_secs: u64,
 }
 
@@ -84,6 +97,8 @@ struct HandshakeResponse {
 #[serde(rename_all = "camelCase")]
 pub struct EdgeConfigUpdate {
     pub listen_ports: Vec<u16>,
+    #[serde(default)]
+    pub listen_ports_udp: Vec<u16>,
 }
 
 /// Runtime status of a connected edge.
@@ -178,12 +193,13 @@ impl TunnelHub {
             if let Some(info) = connected.get(&edge.id) {
                 // Check if ports changed compared to old config
                 let ports_changed = match map.get(&edge.id) {
-                    Some(old) => old.listen_ports != edge.listen_ports,
+                    Some(old) => old.listen_ports != edge.listen_ports || old.listen_ports_udp != edge.listen_ports_udp,
                     None => true, // newly allowed edge that's already connected
                 };
                 if ports_changed {
                     let update = EdgeConfigUpdate {
                         listen_ports: edge.listen_ports.clone(),
+                        listen_ports_udp: edge.listen_ports_udp.clone(),
                     };
                     let _ = info.config_tx.try_send(update);
                 }
@@ -216,14 +232,35 @@ impl TunnelHub {
         }
     }
 
-    /// Start the hub — listen for TLS connections from edges.
+    /// Start the hub — listen for TLS connections (TCP) and QUIC connections (UDP) from edges.
     pub async fn start(&self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
         let config = self.config.read().await.clone();
         let tls_config = build_tls_config(&config)?;
-        let acceptor = TlsAcceptor::from(Arc::new(tls_config));
+        let acceptor = TlsAcceptor::from(Arc::new(tls_config.clone()));
 
         let listener = TcpListener::bind(("0.0.0.0", config.tunnel_port)).await?;
-        log::info!("Hub listening on port {}", config.tunnel_port);
+        log::info!("Hub listening on TCP port {}", config.tunnel_port);
+
+        // Start QUIC endpoint on the same port (UDP)
+        let quic_endpoint = match quic_transport::build_quic_server_config(tls_config) {
+            Ok(quic_server_config) => {
+                let bind_addr: std::net::SocketAddr = ([0, 0, 0, 0], config.tunnel_port).into();
+                match quinn::Endpoint::server(quic_server_config, bind_addr) {
+                    Ok(ep) => {
+                        log::info!("Hub listening on QUIC/UDP port {}", config.tunnel_port);
+                        Some(ep)
+                    }
+                    Err(e) => {
+                        log::warn!("Failed to start QUIC endpoint: {} (QUIC disabled)", e);
+                        None
+                    }
+                }
+            }
+            Err(e) => {
+                log::warn!("Failed to build QUIC server config: {} (QUIC disabled)", e);
+                None
+            }
+        };
 
         let (shutdown_tx, mut shutdown_rx) = mpsc::channel::<()>(1);
         *self.shutdown_tx.lock().await = Some(shutdown_tx);
@@ -236,12 +273,62 @@ impl TunnelHub {
         let hub_token = self.cancel_token.clone();
 
         tokio::spawn(async move {
+            // Spawn QUIC acceptor as a separate task
+            let quic_handle = if let Some(quic_ep) = quic_endpoint {
+                let allowed_q = allowed.clone();
+                let connected_q = connected.clone();
+                let event_tx_q = event_tx.clone();
+                let target_q = target_host.clone();
+                let hub_token_q = hub_token.clone();
+                Some(tokio::spawn(async move {
+                    loop {
+                        tokio::select! {
+                            incoming = quic_ep.accept() => {
+                                match incoming {
+                                    Some(incoming) => {
+                                        let allowed = allowed_q.clone();
+                                        let connected = connected_q.clone();
+                                        let event_tx = event_tx_q.clone();
+                                        let target = target_q.clone();
+                                        let edge_token = hub_token_q.child_token();
+                                        let peer_addr = incoming.remote_address().ip().to_string();
+                                        tokio::spawn(async move {
+                                            // Accept the QUIC connection
+                                            let quic_conn = match incoming.await {
+                                                Ok(c) => c,
+                                                Err(e) => {
+                                                    log::error!("QUIC connection error: {}", e);
+                                                    return;
+                                                }
+                                            };
+                                            if let Err(e) = handle_edge_connection_quic(
+                                                quic_conn, allowed, connected, event_tx, target, edge_token, peer_addr,
+                                            ).await {
+                                                log::error!("QUIC edge connection error: {}", e);
+                                            }
+                                        });
+                                    }
+                                    None => {
+                                        log::info!("QUIC endpoint closed");
+                                        break;
+                                    }
+                                }
+                            }
+                            _ = hub_token_q.cancelled() => break,
+                        }
+                    }
+                }))
+            } else {
+                None
+            };
+
+            // TCP+TLS acceptor loop
             loop {
                 tokio::select! {
                     result = listener.accept() => {
                         match result {
                             Ok((stream, addr)) => {
-                                log::info!("Edge connection from {}", addr);
+                                log::info!("Edge connection from {} (TCP+TLS)", addr);
                                 let acceptor = acceptor.clone();
                                 let allowed = allowed.clone();
                                 let connected = connected.clone();
@@ -272,6 +359,11 @@ impl TunnelHub {
                     }
                 }
             }
+
+            // Abort QUIC acceptor if running
+            if let Some(h) = quic_handle {
+                h.abort();
+            }
         });
 
         Ok(())
@@ -304,12 +396,14 @@ async fn handle_hub_frame(
     frame: Frame,
     tunnel_io: &mut remoteingress_protocol::TunnelIo<HubTlsStream>,
     streams: &mut HashMap<u32, HubStreamState>,
+    udp_sessions: &mut HashMap<u32, HubUdpSessionState>,
     stream_semaphore: &Arc<Semaphore>,
     edge_stream_count: &Arc<AtomicU32>,
     edge_id: &str,
     event_tx: &mpsc::Sender<HubEvent>,
     ctrl_tx: &mpsc::Sender<Bytes>,
     data_tx: &mpsc::Sender<Bytes>,
+    sustained_tx: &mpsc::Sender<Bytes>,
     target_host: &str,
     edge_token: &CancellationToken,
     cleanup_tx: &mpsc::Sender<u32>,
@@ -338,6 +432,7 @@ async fn handle_hub_frame(
             let cleanup = cleanup_tx.clone();
             let writer_tx = ctrl_tx.clone();   // control: CLOSE_BACK, WINDOW_UPDATE_BACK
             let data_writer_tx = data_tx.clone(); // data: DATA_BACK
+            let sustained_writer_tx = sustained_tx.clone(); // sustained: DATA_BACK from elephant flows
             let target = target_host.to_string();
             let stream_token = edge_token.child_token();
 
@@ -349,7 +444,7 @@ async fn handle_hub_frame(
             // Create channel for data from edge to this stream
             let (stream_data_tx, mut stream_data_rx) = mpsc::unbounded_channel::<Bytes>();
             // Adaptive initial window: scale with current stream count
-            // to keep total in-flight data within the 32MB budget.
+            // to keep total in-flight data within the 200MB budget.
             let initial_window = compute_window_for_stream_count(
                 edge_stream_count.load(Ordering::Relaxed),
             );
@@ -458,6 +553,9 @@ async fn handle_hub_frame(
                     // with per-stream flow control (check send_window before reading).
                     // Zero-copy: read payload directly after the header, then prepend header.
                     let mut buf = vec![0u8; FRAME_HEADER_SIZE + 32768];
+                    let mut dl_bytes_sent: u64 = 0;
+                    let dl_start = tokio::time::Instant::now();
+                    let mut is_sustained = false;
                     loop {
                         // Wait for send window to have capacity (with stall timeout).
                         // Safe pattern: register notified BEFORE checking the condition
@@ -479,12 +577,11 @@ async fn handle_hub_frame(
                         }
                         if stream_token.is_cancelled() { break; }
 
-                        // Proactive QoS: clamp send_window to current adaptive target so existing
-                        // streams converge immediately when concurrency increases (no drain cycle).
-                        let adaptive_target = remoteingress_protocol::compute_window_for_stream_count(
-                            stream_counter.load(Ordering::Relaxed),
-                        );
-                        let w = remoteingress_protocol::clamp_send_window(&send_window, adaptive_target) as usize;
+                        // Limit read size to available window.
+                        // IMPORTANT: if window is 0 (stall timeout fired), we must NOT
+                        // read into an empty buffer — read(&mut buf[..0]) returns Ok(0)
+                        // which would be falsely interpreted as EOF.
+                        let w = send_window.load(Ordering::Acquire) as usize;
                         if w == 0 {
                             log::warn!("Stream {} download: window still 0 after stall timeout, closing", stream_id);
                             break;
@@ -499,8 +596,21 @@ async fn handle_hub_frame(
                                         send_window.fetch_sub(n as u32, Ordering::Release);
                                         encode_frame_header(&mut buf, stream_id, FRAME_DATA_BACK, n);
                                         let frame = Bytes::copy_from_slice(&buf[..FRAME_HEADER_SIZE + n]);
+                                        // Sustained classification: >2.5 MB/s for >10 seconds
+                                        dl_bytes_sent += n as u64;
+                                        if !is_sustained {
+                                            let elapsed = dl_start.elapsed().as_secs();
+                                            if elapsed >= remoteingress_protocol::SUSTAINED_MIN_DURATION_SECS
+                                                && dl_bytes_sent / elapsed >= remoteingress_protocol::SUSTAINED_THRESHOLD_BPS
+                                            {
+                                                is_sustained = true;
+                                                log::debug!("Stream {} classified as sustained (download, {} bytes in {}s)",
+                                                    stream_id, dl_bytes_sent, elapsed);
+                                            }
+                                        }
+                                        let tx = if is_sustained { &sustained_writer_tx } else { &data_writer_tx };
                                         let sent = tokio::select! {
-                                            result = data_writer_tx.send(frame) => result.is_ok(),
+                                            result = tx.send(frame) => result.is_ok(),
                                             _ = stream_token.cancelled() => false,
                                         };
                                         if !sent { break; }
@@ -512,12 +622,13 @@ async fn handle_hub_frame(
                         }
                     }
 
-                    // Send CLOSE_BACK via DATA channel (must arrive AFTER last DATA_BACK).
+                    // Send CLOSE_BACK via same channel as DATA_BACK (must arrive AFTER last DATA_BACK).
                     // select! with cancellation guard prevents indefinite blocking if tunnel dies.
                     if !stream_token.is_cancelled() {
                         let close_frame = encode_frame(stream_id, FRAME_CLOSE_BACK, &[]);
+                        let tx = if is_sustained { &sustained_writer_tx } else { &data_writer_tx };
                         tokio::select! {
-                            _ = data_writer_tx.send(close_frame) => {}
+                            _ = tx.send(close_frame) => {}
                             _ = stream_token.cancelled() => {}
                         }
                     }
@@ -529,7 +640,9 @@ async fn handle_hub_frame(
 
                 if let Err(e) = result {
                     log::error!("Stream {} error: {}", stream_id, e);
-                    // Send CLOSE_BACK via DATA channel on error (must arrive after any DATA_BACK).
+                    // Send CLOSE_BACK on error (must arrive after any DATA_BACK).
+                    // Error path: is_sustained not available here, use data channel (safe —
+                    // if error occurs before classification, no sustained frames were sent).
                     if !stream_token.is_cancelled() {
                         let close_frame = encode_frame(stream_id, FRAME_CLOSE_BACK, &[]);
                         tokio::select! {
@@ -585,6 +698,103 @@ async fn handle_hub_frame(
         FRAME_PONG => {
             log::debug!("Received PONG from edge {}", edge_id);
         }
+        FRAME_UDP_OPEN => {
+            // Open a UDP session: parse PROXY v2 header, connect upstream, start forwarding
+            let stream_id = frame.stream_id;
+            let dest_port = parse_dest_port_from_proxy_v2(&frame.payload).unwrap_or(53);
+            let target = target_host.to_string();
+            let data_writer_tx = data_tx.clone();
+            let session_token = edge_token.child_token();
+            let edge_id_str = edge_id.to_string();
+            let proxy_v2_header = frame.payload.clone();
+
+            // Channel for forwarding datagrams from edge to upstream
+            let (udp_tx, mut udp_rx) = mpsc::channel::<Bytes>(256);
+            udp_sessions.insert(stream_id, HubUdpSessionState {
+                data_tx: udp_tx,
+                cancel_token: session_token.clone(),
+            });
+
+            // Spawn upstream UDP forwarder
+            tokio::spawn(async move {
+                let upstream = match UdpSocket::bind("0.0.0.0:0").await {
+                    Ok(s) => s,
+                    Err(e) => {
+                        log::error!("UDP session {} failed to bind: {}", stream_id, e);
+                        return;
+                    }
+                };
+                if let Err(e) = upstream.connect((target.as_str(), dest_port)).await {
+                    log::error!("UDP session {} failed to connect to {}:{}: {}", stream_id, target, dest_port, e);
+                    return;
+                }
+
+                // Send PROXY v2 header as first datagram so SmartProxy knows the original client
+                if let Err(e) = upstream.send(&proxy_v2_header).await {
+                    log::error!("UDP session {} failed to send PROXY v2 header: {}", stream_id, e);
+                    return;
+                }
+
+                // Task: upstream -> edge (return datagrams)
+                let upstream_recv = Arc::new(upstream);
+                let upstream_send = upstream_recv.clone();
+                let recv_token = session_token.clone();
+                let recv_handle = tokio::spawn(async move {
+                    let mut buf = vec![0u8; 65536];
+                    loop {
+                        tokio::select! {
+                            result = upstream_recv.recv(&mut buf) => {
+                                match result {
+                                    Ok(len) => {
+                                        let frame = encode_frame(stream_id, FRAME_UDP_DATA_BACK, &buf[..len]);
+                                        if data_writer_tx.try_send(frame).is_err() {
+                                            break;
+                                        }
+                                    }
+                                    Err(e) => {
+                                        log::debug!("UDP session {} upstream recv error: {}", stream_id, e);
+                                        break;
+                                    }
+                                }
+                            }
+                            _ = recv_token.cancelled() => break,
+                        }
+                    }
+                });
+
+                // Forward datagrams from edge to upstream
+                loop {
+                    tokio::select! {
+                        data = udp_rx.recv() => {
+                            match data {
+                                Some(datagram) => {
+                                    if let Err(e) = upstream_send.send(&datagram).await {
+                                        log::debug!("UDP session {} upstream send error: {}", stream_id, e);
+                                        break;
+                                    }
+                                }
+                                None => break,
+                            }
+                        }
+                        _ = session_token.cancelled() => break,
+                    }
+                }
+
+                recv_handle.abort();
+                log::debug!("UDP session {} closed for edge {}", stream_id, edge_id_str);
+            });
+        }
+        FRAME_UDP_DATA => {
+            // Forward datagram to upstream
+            if let Some(state) = udp_sessions.get(&frame.stream_id) {
+                let _ = state.data_tx.try_send(frame.payload);
+            }
+        }
+        FRAME_UDP_CLOSE => {
+            if let Some(state) = udp_sessions.remove(&frame.stream_id) {
+                state.cancel_token.cancel();
+            }
+        }
         _ => {
             log::warn!("Unexpected frame type {} from edge", frame.frame_type);
         }
@@ -641,14 +851,14 @@ async fn handle_edge_connection(
     let secret = parts[2];
 
     // Verify credentials and extract edge config
-    let (listen_ports, stun_interval_secs) = {
+    let (listen_ports, listen_ports_udp, stun_interval_secs) = {
         let edges = allowed.read().await;
         match edges.get(&edge_id) {
             Some(edge) => {
                 if !constant_time_eq(secret.as_bytes(), edge.secret.as_bytes()) {
                     return Err(format!("invalid secret for edge {}", edge_id).into());
                 }
-                (edge.listen_ports.clone(), edge.stun_interval_secs.unwrap_or(300))
+                (edge.listen_ports.clone(), edge.listen_ports_udp.clone(), edge.stun_interval_secs.unwrap_or(300))
             }
             None => {
                 return Err(format!("unknown edge {}", edge_id).into());
@@ -665,6 +875,7 @@ async fn handle_edge_connection(
     // Send handshake response with initial config before frame protocol begins
     let handshake = HandshakeResponse {
         listen_ports: listen_ports.clone(),
+        listen_ports_udp: listen_ports_udp.clone(),
         stun_interval_secs,
     };
     let mut handshake_json = serde_json::to_string(&handshake)?;
@@ -674,6 +885,7 @@ async fn handle_edge_connection(
 
     // Track this edge
     let mut streams: HashMap<u32, HubStreamState> = HashMap::new();
+    let mut udp_sessions: HashMap<u32, HubUdpSessionState> = HashMap::new();
     // Per-edge active stream counter for adaptive flow control
     let edge_stream_count = Arc::new(AtomicU32::new(0));
     // Cleanup channel: spawned stream tasks send stream_id here when done
@@ -709,8 +921,9 @@ async fn handle_edge_connection(
 
     // QoS dual-channel: ctrl frames have priority over data frames.
     // Stream handlers send through these channels -> TunnelIo drains them.
-    let (ctrl_tx, mut ctrl_rx) = mpsc::channel::<Bytes>(256);
+    let (ctrl_tx, mut ctrl_rx) = mpsc::channel::<Bytes>(512);
     let (data_tx, mut data_rx) = mpsc::channel::<Bytes>(4096);
+    let (sustained_tx, mut sustained_rx) = mpsc::channel::<Bytes>(4096);
 
     // Spawn task to forward config updates as FRAME_CONFIG frames
     let config_writer_tx = ctrl_tx.clone();
@@ -783,8 +996,9 @@ async fn handle_edge_connection(
             last_activity = Instant::now();
             liveness_deadline.as_mut().reset(last_activity + liveness_timeout_dur);
             if let FrameAction::Disconnect(reason) = handle_hub_frame(
-                frame, &mut tunnel_io, &mut streams, &stream_semaphore, &edge_stream_count,
-                &edge_id, &event_tx, &ctrl_tx, &data_tx, &target_host, &edge_token,
+                frame, &mut tunnel_io, &mut streams, &mut udp_sessions,
+                &stream_semaphore, &edge_stream_count,
+                &edge_id, &event_tx, &ctrl_tx, &data_tx, &sustained_tx, &target_host, &edge_token,
                 &cleanup_tx,
             ).await {
                 disconnect_reason = reason;
@@ -798,7 +1012,7 @@ async fn handle_edge_connection(
             if ping_ticker.poll_tick(cx).is_ready() {
                 tunnel_io.queue_ctrl(encode_frame(0, FRAME_PING, &[]));
             }
-            tunnel_io.poll_step(cx, &mut ctrl_rx, &mut data_rx, &mut liveness_deadline, &edge_token)
+            tunnel_io.poll_step(cx, &mut ctrl_rx, &mut data_rx, &mut sustained_rx, &mut liveness_deadline, &edge_token)
         }).await;
 
         match event {
@@ -806,8 +1020,9 @@ async fn handle_edge_connection(
                 last_activity = Instant::now();
                 liveness_deadline.as_mut().reset(last_activity + liveness_timeout_dur);
                 if let FrameAction::Disconnect(reason) = handle_hub_frame(
-                    frame, &mut tunnel_io, &mut streams, &stream_semaphore, &edge_stream_count,
-                    &edge_id, &event_tx, &ctrl_tx, &data_tx, &target_host, &edge_token,
+                    frame, &mut tunnel_io, &mut streams, &mut udp_sessions,
+                    &stream_semaphore, &edge_stream_count,
+                    &edge_id, &event_tx, &ctrl_tx, &data_tx, &sustained_tx, &target_host, &edge_token,
                     &cleanup_tx,
                 ).await {
                     disconnect_reason = reason;
@@ -878,6 +1093,20 @@ fn parse_dest_port_from_proxy(header: &str) -> Option<u16> {
     }
 }
 
+/// Parse destination port from a PROXY protocol v2 binary header.
+/// The header must be at least 28 bytes (16 fixed + 12 IPv4 address block).
+/// Dest port is at bytes 26-27 (network byte order).
+fn parse_dest_port_from_proxy_v2(header: &[u8]) -> Option<u16> {
+    if header.len() < 28 {
+        return None;
+    }
+    // Verify signature
+    if header[0..12] != remoteingress_protocol::PROXY_V2_SIGNATURE {
+        return None;
+    }
+    Some(u16::from_be_bytes([header[26], header[27]]))
+}
+
 /// Build TLS server config from PEM strings, or auto-generate self-signed.
 fn build_tls_config(
     config: &HubConfig,
@@ -935,6 +1164,488 @@ fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
     diff == 0
 }
 
+// ===== QUIC transport functions for hub =====
+
+/// Handle an edge connection arriving via QUIC.
+/// The first bidirectional stream is the control stream (auth + config).
+/// Subsequent bidirectional streams are tunneled client connections.
+async fn handle_edge_connection_quic(
+    quic_conn: quinn::Connection,
+    allowed: Arc<RwLock<HashMap<String, AllowedEdge>>>,
+    connected: Arc<Mutex<HashMap<String, ConnectedEdgeInfo>>>,
+    event_tx: mpsc::Sender<HubEvent>,
+    target_host: String,
+    edge_token: CancellationToken,
+    peer_addr: String,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    log::info!("QUIC edge connection from {}", peer_addr);
+
+    // Accept the control stream (first bidirectional stream from edge)
+    let (mut ctrl_send, mut ctrl_recv) = match quic_conn.accept_bi().await {
+        Ok(s) => s,
+        Err(e) => return Err(format!("QUIC control stream accept failed: {}", e).into()),
+    };
+
+    // Read auth line from control stream
+    let mut auth_buf = Vec::with_capacity(512);
+    loop {
+        let mut byte = [0u8; 1];
+        match ctrl_recv.read_exact(&mut byte).await {
+            Ok(()) => {
+                if byte[0] == b'\n' { break; }
+                auth_buf.push(byte[0]);
+                if auth_buf.len() > 4096 {
+                    return Err("QUIC auth line too long".into());
+                }
+            }
+            Err(e) => return Err(format!("QUIC auth read failed: {}", e).into()),
+        }
+    }
+    let auth_line = String::from_utf8(auth_buf)
+        .map_err(|_| "QUIC auth line not valid UTF-8")?;
+    let auth_line = auth_line.trim();
+
+    let parts: Vec<&str> = auth_line.splitn(3, ' ').collect();
+    if parts.len() != 3 || parts[0] != "EDGE" {
+        return Err("invalid QUIC auth line".into());
+    }
+
+    let edge_id = parts[1].to_string();
+    let secret = parts[2];
+
+    // Verify credentials
+    let (listen_ports, listen_ports_udp, stun_interval_secs) = {
+        let edges = allowed.read().await;
+        match edges.get(&edge_id) {
+            Some(edge) => {
+                if !constant_time_eq(secret.as_bytes(), edge.secret.as_bytes()) {
+                    return Err(format!("invalid secret for edge {}", edge_id).into());
+                }
+                (edge.listen_ports.clone(), edge.listen_ports_udp.clone(), edge.stun_interval_secs.unwrap_or(300))
+            }
+            None => return Err(format!("unknown edge {}", edge_id).into()),
+        }
+    };
+
+    log::info!("QUIC edge {} authenticated from {}", edge_id, peer_addr);
+    let _ = event_tx.try_send(HubEvent::EdgeConnected {
+        edge_id: edge_id.clone(),
+        peer_addr: peer_addr.clone(),
+    });
+
+    // Send handshake response on control stream
+    let handshake = HandshakeResponse {
+        listen_ports: listen_ports.clone(),
+        listen_ports_udp: listen_ports_udp.clone(),
+        stun_interval_secs,
+    };
+    let mut handshake_json = serde_json::to_string(&handshake)?;
+    handshake_json.push('\n');
+    ctrl_send.write_all(handshake_json.as_bytes()).await
+        .map_err(|e| format!("QUIC handshake write failed: {}", e))?;
+
+    // Track this edge
+    let edge_stream_count = Arc::new(AtomicU32::new(0));
+    let now = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs();
+
+    let (config_tx, mut config_rx) = mpsc::channel::<EdgeConfigUpdate>(16);
+
+    {
+        let mut edges = connected.lock().await;
+        if let Some(old) = edges.remove(&edge_id) {
+            log::info!("QUIC edge {} reconnected, cancelling old connection", edge_id);
+            old.cancel_token.cancel();
+        }
+        edges.insert(
+            edge_id.clone(),
+            ConnectedEdgeInfo {
+                connected_at: now,
+                peer_addr,
+                edge_stream_count: edge_stream_count.clone(),
+                config_tx,
+                cancel_token: edge_token.clone(),
+            },
+        );
+    }
+
+    let stream_semaphore = Arc::new(Semaphore::new(MAX_STREAMS_PER_EDGE));
+
+    // Spawn task to accept data streams (tunneled client connections)
+    let data_stream_conn = quic_conn.clone();
+    let data_target = target_host.clone();
+    let data_edge_id = edge_id.clone();
+    let data_event_tx = event_tx.clone();
+    let data_semaphore = stream_semaphore.clone();
+    let data_stream_count = edge_stream_count.clone();
+    let data_token = edge_token.clone();
+    let data_handle = tokio::spawn(async move {
+        let mut stream_id_counter: u32 = 0;
+        loop {
+            tokio::select! {
+                bi_result = data_stream_conn.accept_bi() => {
+                    match bi_result {
+                        Ok((quic_send, quic_recv)) => {
+                            // Check stream limit
+                            let permit = match data_semaphore.clone().try_acquire_owned() {
+                                Ok(p) => p,
+                                Err(_) => {
+                                    log::warn!("QUIC edge {} exceeded max streams, rejecting", data_edge_id);
+                                    // Drop the streams to reject
+                                    drop(quic_send);
+                                    drop(quic_recv);
+                                    continue;
+                                }
+                            };
+
+                            stream_id_counter += 1;
+                            let stream_id = stream_id_counter;
+                            let target = data_target.clone();
+                            let edge_id = data_edge_id.clone();
+                            let event_tx = data_event_tx.clone();
+                            let stream_count = data_stream_count.clone();
+                            let stream_token = data_token.child_token();
+
+                            let _ = event_tx.try_send(HubEvent::StreamOpened {
+                                edge_id: edge_id.clone(),
+                                stream_id,
+                            });
+
+                            stream_count.fetch_add(1, Ordering::Relaxed);
+                            tokio::spawn(async move {
+                                let _permit = permit;
+                                handle_quic_stream(
+                                    quic_send, quic_recv, stream_id,
+                                    &target, &edge_id, stream_token,
+                                ).await;
+                                stream_count.fetch_sub(1, Ordering::Relaxed);
+                                let _ = event_tx.try_send(HubEvent::StreamClosed {
+                                    edge_id,
+                                    stream_id,
+                                });
+                            });
+                        }
+                        Err(e) => {
+                            log::info!("QUIC edge {} accept_bi ended: {}", data_edge_id, e);
+                            break;
+                        }
+                    }
+                }
+                _ = data_token.cancelled() => break,
+            }
+        }
+    });
+
+    // UDP sessions for QUIC datagram transport
+    let quic_udp_sessions: Arc<Mutex<HashMap<u32, mpsc::Sender<Bytes>>>> =
+        Arc::new(Mutex::new(HashMap::new()));
+
+    // Spawn QUIC datagram receiver task
+    let dgram_conn = quic_conn.clone();
+    let dgram_sessions = quic_udp_sessions.clone();
+    let dgram_target = target_host.clone();
+    let dgram_edge_id = edge_id.clone();
+    let dgram_token = edge_token.clone();
+    let dgram_handle = tokio::spawn(async move {
+        loop {
+            tokio::select! {
+                datagram = dgram_conn.read_datagram() => {
+                    match datagram {
+                        Ok(data) => {
+                            if data.len() < 4 { continue; }
+                            let session_id = u32::from_be_bytes([data[0], data[1], data[2], data[3]]);
+                            let payload = &data[4..];
+
+                            // Check for OPEN magic byte (0xFF)
+                            if !payload.is_empty() && payload[0] == 0xFF {
+                                // This is a session OPEN: [0xFF][proxy_v2_header:28]
+                                let proxy_data = &payload[1..];
+                                let dest_port = if proxy_data.len() >= 28 {
+                                    u16::from_be_bytes([proxy_data[26], proxy_data[27]])
+                                } else {
+                                    53 // fallback
+                                };
+
+                                // Create upstream UDP socket
+                                let target = dgram_target.clone();
+                                let conn = dgram_conn.clone();
+                                let sessions = dgram_sessions.clone();
+                                let session_token = dgram_token.child_token();
+                                let (tx, mut rx) = mpsc::channel::<Bytes>(256);
+                                let proxy_v2_data: Vec<u8> = proxy_data.to_vec();
+
+                                {
+                                    let mut s = sessions.lock().await;
+                                    s.insert(session_id, tx);
+                                }
+
+                                tokio::spawn(async move {
+                                    let upstream = match UdpSocket::bind("0.0.0.0:0").await {
+                                        Ok(s) => Arc::new(s),
+                                        Err(e) => {
+                                            log::error!("QUIC UDP session {} bind failed: {}", session_id, e);
+                                            return;
+                                        }
+                                    };
+                                    if let Err(e) = upstream.connect((target.as_str(), dest_port)).await {
+                                        log::error!("QUIC UDP session {} connect failed: {}", session_id, e);
+                                        return;
+                                    }
+
+                                    // Send PROXY v2 header as first datagram so SmartProxy knows the original client
+                                    if let Err(e) = upstream.send(&proxy_v2_data).await {
+                                        log::error!("QUIC UDP session {} failed to send PROXY v2 header: {}", session_id, e);
+                                        return;
+                                    }
+
+                                    // Upstream recv → QUIC datagram back to edge
+                                    let upstream_recv = upstream.clone();
+                                    let recv_conn = conn.clone();
+                                    let recv_token = session_token.clone();
+                                    let recv_handle = tokio::spawn(async move {
+                                        let mut buf = vec![0u8; 65536];
+                                        loop {
+                                            tokio::select! {
+                                                result = upstream_recv.recv(&mut buf) => {
+                                                    match result {
+                                                        Ok(len) => {
+                                                            let mut dgram = Vec::with_capacity(4 + len);
+                                                            dgram.extend_from_slice(&session_id.to_be_bytes());
+                                                            dgram.extend_from_slice(&buf[..len]);
+                                                            let _ = recv_conn.send_datagram(dgram.into());
+                                                        }
+                                                        Err(_) => break,
+                                                    }
+                                                }
+                                                _ = recv_token.cancelled() => break,
+                                            }
+                                        }
+                                    });
+
+                                    // Edge datagrams → upstream
+                                    loop {
+                                        tokio::select! {
+                                            data = rx.recv() => {
+                                                match data {
+                                                    Some(datagram) => {
+                                                        let _ = upstream.send(&datagram).await;
+                                                    }
+                                                    None => break,
+                                                }
+                                            }
+                                            _ = session_token.cancelled() => break,
+                                        }
+                                    }
+                                    recv_handle.abort();
+                                });
+
+                                continue;
+                            }
+
+                            // Regular data datagram — forward to upstream
+                            let sessions = dgram_sessions.lock().await;
+                            if let Some(tx) = sessions.get(&session_id) {
+                                let _ = tx.try_send(Bytes::copy_from_slice(payload));
+                            }
+                        }
+                        Err(e) => {
+                            log::debug!("QUIC datagram recv error from edge {}: {}", dgram_edge_id, e);
+                            break;
+                        }
+                    }
+                }
+                _ = dgram_token.cancelled() => break,
+            }
+        }
+    });
+
+    // Control stream loop: forward config updates and handle PONG
+    let disconnect_reason;
+    loop {
+        tokio::select! {
+            // Send config updates from hub to edge
+            update = config_rx.recv() => {
+                match update {
+                    Some(update) => {
+                        if let Ok(payload) = serde_json::to_vec(&update) {
+                            if let Err(e) = quic_transport::write_ctrl_message(
+                                &mut ctrl_send, quic_transport::CTRL_CONFIG, &payload,
+                            ).await {
+                                log::error!("QUIC config send to edge {} failed: {}", edge_id, e);
+                                disconnect_reason = format!("quic_config_send_failed: {}", e);
+                                break;
+                            }
+                            log::info!("Sent QUIC config update to edge {}: ports {:?}", edge_id, update.listen_ports);
+                        }
+                    }
+                    None => {
+                        disconnect_reason = "config_channel_closed".to_string();
+                        break;
+                    }
+                }
+            }
+            // Read control messages from edge (mainly PONG responses)
+            ctrl_msg = quic_transport::read_ctrl_message(&mut ctrl_recv) => {
+                match ctrl_msg {
+                    Ok(Some((msg_type, _payload))) => {
+                        match msg_type {
+                            quic_transport::CTRL_PONG => {
+                                log::debug!("Received QUIC PONG from edge {}", edge_id);
+                            }
+                            _ => {
+                                log::warn!("Unexpected QUIC control message type {} from edge {}", msg_type, edge_id);
+                            }
+                        }
+                    }
+                    Ok(None) => {
+                        log::info!("QUIC edge {} control stream EOF", edge_id);
+                        disconnect_reason = "quic_ctrl_eof".to_string();
+                        break;
+                    }
+                    Err(e) => {
+                        log::error!("QUIC edge {} control stream error: {}", edge_id, e);
+                        disconnect_reason = format!("quic_ctrl_error: {}", e);
+                        break;
+                    }
+                }
+            }
+            // QUIC connection closed
+            reason = quic_conn.closed() => {
+                log::info!("QUIC connection to edge {} closed: {}", edge_id, reason);
+                disconnect_reason = format!("quic_closed: {}", reason);
+                break;
+            }
+            // Hub-initiated cancellation
+            _ = edge_token.cancelled() => {
+                log::info!("QUIC edge {} cancelled by hub", edge_id);
+                disconnect_reason = "cancelled_by_hub".to_string();
+                break;
+            }
+        }
+    }
+
+    // Cleanup
+    edge_token.cancel();
+    data_handle.abort();
+    dgram_handle.abort();
+    quic_conn.close(quinn::VarInt::from_u32(0), b"hub_shutdown");
+
+    {
+        let mut edges = connected.lock().await;
+        edges.remove(&edge_id);
+    }
+    let _ = event_tx.try_send(HubEvent::EdgeDisconnected {
+        edge_id,
+        reason: disconnect_reason,
+    });
+
+    Ok(())
+}
+
+/// Handle a single tunneled client connection arriving via a QUIC bidirectional stream.
+/// Reads the PROXY header, connects to SmartProxy, and pipes data bidirectionally.
+async fn handle_quic_stream(
+    mut quic_send: quinn::SendStream,
+    mut quic_recv: quinn::RecvStream,
+    stream_id: u32,
+    target_host: &str,
+    _edge_id: &str,
+    stream_token: CancellationToken,
+) {
+    // Read PROXY header from the beginning of the stream
+    let proxy_header = match quic_transport::read_proxy_header(&mut quic_recv).await {
+        Ok(h) => h,
+        Err(e) => {
+            log::error!("QUIC stream {} failed to read PROXY header: {}", stream_id, e);
+            return;
+        }
+    };
+
+    let dest_port = parse_dest_port_from_proxy(&proxy_header).unwrap_or(443);
+
+    // Connect to SmartProxy
+    let mut upstream = match tokio::time::timeout(
+        Duration::from_secs(10),
+        TcpStream::connect((target_host, dest_port)),
+    ).await {
+        Ok(Ok(s)) => s,
+        Ok(Err(e)) => {
+            log::error!("QUIC stream {} connect to {}:{} failed: {}", stream_id, target_host, dest_port, e);
+            return;
+        }
+        Err(_) => {
+            log::error!("QUIC stream {} connect to {}:{} timed out", stream_id, target_host, dest_port);
+            return;
+        }
+    };
+
+    let _ = upstream.set_nodelay(true);
+    // Send PROXY header to SmartProxy
+    if let Err(e) = upstream.write_all(proxy_header.as_bytes()).await {
+        log::error!("QUIC stream {} failed to write PROXY header to upstream: {}", stream_id, e);
+        return;
+    }
+
+    let (mut up_read, mut up_write) = upstream.into_split();
+
+    // Task: QUIC -> upstream (edge data to SmartProxy)
+    let writer_token = stream_token.clone();
+    let writer_task = tokio::spawn(async move {
+        let mut buf = vec![0u8; 32768];
+        loop {
+            tokio::select! {
+                read_result = quic_recv.read(&mut buf) => {
+                    match read_result {
+                        Ok(Some(n)) => {
+                            let write_result = tokio::select! {
+                                r = tokio::time::timeout(
+                                    Duration::from_secs(60),
+                                    up_write.write_all(&buf[..n]),
+                                ) => r,
+                                _ = writer_token.cancelled() => break,
+                            };
+                            match write_result {
+                                Ok(Ok(())) => {}
+                                Ok(Err(_)) => break,
+                                Err(_) => break,
+                            }
+                        }
+                        Ok(None) => break, // QUIC stream finished
+                        Err(_) => break,
+                    }
+                }
+                _ = writer_token.cancelled() => break,
+            }
+        }
+        let _ = up_write.shutdown().await;
+    });
+
+    // Task: upstream -> QUIC (SmartProxy data to edge)
+    let mut buf = vec![0u8; 32768];
+    loop {
+        tokio::select! {
+            read_result = up_read.read(&mut buf) => {
+                match read_result {
+                    Ok(0) => break,
+                    Ok(n) => {
+                        if quic_send.write_all(&buf[..n]).await.is_err() {
+                            break;
+                        }
+                    }
+                    Err(_) => break,
+                }
+            }
+            _ = stream_token.cancelled() => break,
+        }
+    }
+
+    // Gracefully close the QUIC send stream
+    let _ = quic_send.finish();
+    writer_task.abort();
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -1040,6 +1751,7 @@ mod tests {
     fn test_handshake_response_serializes_camel_case() {
         let resp = HandshakeResponse {
             listen_ports: vec![443, 8080],
+            listen_ports_udp: vec![],
             stun_interval_secs: 300,
         };
         let json = serde_json::to_value(&resp).unwrap();
@@ -1054,9 +1766,11 @@ mod tests {
     fn test_edge_config_update_serializes_camel_case() {
         let update = EdgeConfigUpdate {
             listen_ports: vec![80, 443],
+            listen_ports_udp: vec![53],
         };
         let json = serde_json::to_value(&update).unwrap();
         assert_eq!(json["listenPorts"], serde_json::json!([80, 443]));
+        assert_eq!(json["listenPortsUdp"], serde_json::json!([53]));
         assert!(json.get("listen_ports").is_none());
     }
 

rust/crates/remoteingress-core/src/lib.rs

@@ -1,5 +1,7 @@
 pub mod hub;
 pub mod edge;
 pub mod stun;
+pub mod transport;
+pub mod udp_session;
 
 pub use remoteingress_protocol as protocol;

rust/crates/remoteingress-core/src/transport/mod.rs

@@ -0,0 +1,22 @@
+pub mod quic;
+
+use serde::{Deserialize, Serialize};
+
+/// Transport mode for the tunnel connection between edge and hub.
+///
+/// - `TcpTls`: TCP + TLS with frame-based multiplexing via TunnelIo (default).
+/// - `Quic`: QUIC with native stream multiplexing (one QUIC stream per tunneled connection).
+/// - `QuicWithFallback`: Try QUIC first, fall back to TCP+TLS if UDP is blocked.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub enum TransportMode {
+    TcpTls,
+    Quic,
+    QuicWithFallback,
+}
+
+impl Default for TransportMode {
+    fn default() -> Self {
+        TransportMode::TcpTls
+    }
+}

rust/crates/remoteingress-core/src/transport/quic.rs

@@ -0,0 +1,194 @@
+use std::sync::Arc;
+
+/// QUIC control stream message types (reuses frame type constants for consistency).
+pub const CTRL_CONFIG: u8 = 0x06;
+pub const CTRL_PING: u8 = 0x07;
+pub const CTRL_PONG: u8 = 0x08;
+
+/// Header size for control stream messages: [type:1][length:4] = 5 bytes.
+pub const CTRL_HEADER_SIZE: usize = 5;
+
+/// Build a quinn ClientConfig that skips server certificate verification
+/// (auth is via shared secret, same as the TCP+TLS path).
+pub fn build_quic_client_config() -> quinn::ClientConfig {
+    let mut tls_config = rustls::ClientConfig::builder()
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(NoCertVerifier))
+        .with_no_client_auth();
+
+    // QUIC mandates ALPN negotiation (RFC 9001 §8.1).
+    // Must match the server's ALPN protocol.
+    tls_config.alpn_protocols = vec![b"remoteingress".to_vec()];
+
+    let quic_config = quinn::crypto::rustls::QuicClientConfig::try_from(tls_config)
+        .expect("failed to build QUIC client config from rustls config");
+
+    let mut transport = quinn::TransportConfig::default();
+    transport.keep_alive_interval(Some(std::time::Duration::from_secs(15)));
+    transport.max_idle_timeout(Some(
+        quinn::IdleTimeout::try_from(std::time::Duration::from_secs(45)).unwrap(),
+    ));
+    // Match MAX_STREAMS_PER_EDGE (1024) from hub.rs.
+    // Default is 100 which is too low for high-concurrency tunneling.
+    transport.max_concurrent_bidi_streams(1024u32.into());
+    // Enable QUIC datagrams (RFC 9221) for low-latency UDP tunneling.
+    transport.datagram_receive_buffer_size(Some(65536));
+
+    let mut client_config = quinn::ClientConfig::new(Arc::new(quic_config));
+    client_config.transport_config(Arc::new(transport));
+    client_config
+}
+
+/// Build a quinn ServerConfig from the same TLS server config used for TCP+TLS.
+pub fn build_quic_server_config(
+    tls_server_config: rustls::ServerConfig,
+) -> Result<quinn::ServerConfig, Box<dyn std::error::Error + Send + Sync>> {
+    let quic_config = quinn::crypto::rustls::QuicServerConfig::try_from(tls_server_config)?;
+
+    let mut transport = quinn::TransportConfig::default();
+    transport.keep_alive_interval(Some(std::time::Duration::from_secs(15)));
+    transport.max_idle_timeout(Some(
+        quinn::IdleTimeout::try_from(std::time::Duration::from_secs(45)).unwrap(),
+    ));
+    transport.max_concurrent_bidi_streams(1024u32.into());
+    transport.datagram_receive_buffer_size(Some(65536));
+
+    let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_config));
+    server_config.transport_config(Arc::new(transport));
+    Ok(server_config)
+}
+
+/// Write a control message to a QUIC send stream.
+/// Format: [type:1][length:4][payload:N]
+pub async fn write_ctrl_message(
+    send: &mut quinn::SendStream,
+    msg_type: u8,
+    payload: &[u8],
+) -> Result<(), std::io::Error> {
+    let len = payload.len() as u32;
+    let mut header = [0u8; CTRL_HEADER_SIZE];
+    header[0] = msg_type;
+    header[1..5].copy_from_slice(&len.to_be_bytes());
+    send.write_all(&header).await?;
+    if !payload.is_empty() {
+        send.write_all(payload).await?;
+    }
+    Ok(())
+}
+
+/// Read a control message from a QUIC recv stream.
+/// Returns (msg_type, payload). Returns None on EOF.
+pub async fn read_ctrl_message(
+    recv: &mut quinn::RecvStream,
+) -> Result<Option<(u8, Vec<u8>)>, std::io::Error> {
+    let mut header = [0u8; CTRL_HEADER_SIZE];
+    match recv.read_exact(&mut header).await {
+        Ok(()) => {}
+        Err(e) => {
+            if let quinn::ReadExactError::FinishedEarly(_) = e {
+                return Ok(None);
+            }
+            return Err(std::io::Error::new(std::io::ErrorKind::Other, e));
+        }
+    }
+    let msg_type = header[0];
+    let len = u32::from_be_bytes([header[1], header[2], header[3], header[4]]) as usize;
+    let mut payload = vec![0u8; len];
+    if len > 0 {
+        recv.read_exact(&mut payload).await.map_err(|e| {
+            std::io::Error::new(std::io::ErrorKind::Other, e)
+        })?;
+    }
+    Ok(Some((msg_type, payload)))
+}
+
+/// Write the PROXY v1 header as the first bytes on a QUIC data stream.
+/// The header is length-prefixed so the receiver knows where it ends and data begins.
+/// Format: [header_len:4][proxy_header:N]
+pub async fn write_proxy_header(
+    send: &mut quinn::SendStream,
+    proxy_header: &str,
+) -> Result<(), std::io::Error> {
+    let header_bytes = proxy_header.as_bytes();
+    let len = header_bytes.len() as u32;
+    send.write_all(&len.to_be_bytes()).await?;
+    send.write_all(header_bytes).await?;
+    Ok(())
+}
+
+/// Read the PROXY v1 header from the first bytes of a QUIC data stream.
+/// Returns the header string.
+pub async fn read_proxy_header(
+    recv: &mut quinn::RecvStream,
+) -> Result<String, std::io::Error> {
+    let mut len_buf = [0u8; 4];
+    recv.read_exact(&mut len_buf).await.map_err(|e| {
+        std::io::Error::new(std::io::ErrorKind::Other, e)
+    })?;
+    let len = u32::from_be_bytes(len_buf) as usize;
+    if len > 8192 {
+        return Err(std::io::Error::new(
+            std::io::ErrorKind::InvalidData,
+            "proxy header too long",
+        ));
+    }
+    let mut header = vec![0u8; len];
+    recv.read_exact(&mut header).await.map_err(|e| {
+        std::io::Error::new(std::io::ErrorKind::Other, e)
+    })?;
+    String::from_utf8(header).map_err(|_| {
+        std::io::Error::new(std::io::ErrorKind::InvalidData, "proxy header not UTF-8")
+    })
+}
+
+/// TLS certificate verifier that accepts any certificate (auth is via shared secret).
+/// Same as the one in edge.rs but placed here so the QUIC module is self-contained.
+#[derive(Debug)]
+struct NoCertVerifier;
+
+impl rustls::client::danger::ServerCertVerifier for NoCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        _server_name: &rustls::pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls::pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        vec![
+            rustls::SignatureScheme::RSA_PKCS1_SHA256,
+            rustls::SignatureScheme::RSA_PKCS1_SHA384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA512,
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+            rustls::SignatureScheme::ECDSA_NISTP521_SHA512,
+            rustls::SignatureScheme::RSA_PSS_SHA256,
+            rustls::SignatureScheme::RSA_PSS_SHA384,
+            rustls::SignatureScheme::RSA_PSS_SHA512,
+            rustls::SignatureScheme::ED25519,
+            rustls::SignatureScheme::ED448,
+        ]
+    }
+}

rust/crates/remoteingress-core/src/udp_session.rs

@@ -0,0 +1,210 @@
+use std::collections::HashMap;
+use std::net::SocketAddr;
+use tokio::time::Instant;
+
+/// Key identifying a unique UDP "session" (one client endpoint talking to one destination port).
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub struct UdpSessionKey {
+    pub client_addr: SocketAddr,
+    pub dest_port: u16,
+}
+
+/// A single UDP session tracked by the edge.
+pub struct UdpSession {
+    pub stream_id: u32,
+    pub client_addr: SocketAddr,
+    pub dest_port: u16,
+    pub last_activity: Instant,
+}
+
+/// Manages UDP sessions with idle timeout expiry.
+pub struct UdpSessionManager {
+    /// Forward map: session key → session data.
+    sessions: HashMap<UdpSessionKey, UdpSession>,
+    /// Reverse map: stream_id → session key (for dispatching return traffic).
+    by_stream_id: HashMap<u32, UdpSessionKey>,
+    /// Idle timeout duration.
+    idle_timeout: std::time::Duration,
+}
+
+impl UdpSessionManager {
+    pub fn new(idle_timeout: std::time::Duration) -> Self {
+        Self {
+            sessions: HashMap::new(),
+            by_stream_id: HashMap::new(),
+            idle_timeout,
+        }
+    }
+
+    /// Look up an existing session by key. Updates last_activity on hit.
+    pub fn get_mut(&mut self, key: &UdpSessionKey) -> Option<&mut UdpSession> {
+        let session = self.sessions.get_mut(key)?;
+        session.last_activity = Instant::now();
+        Some(session)
+    }
+
+    /// Look up a session's client address by stream_id (for return traffic).
+    pub fn client_addr_for_stream(&self, stream_id: u32) -> Option<SocketAddr> {
+        let key = self.by_stream_id.get(&stream_id)?;
+        self.sessions.get(key).map(|s| s.client_addr)
+    }
+
+    /// Look up a session by stream_id. Updates last_activity on hit.
+    pub fn get_by_stream_id(&mut self, stream_id: u32) -> Option<&mut UdpSession> {
+        let key = self.by_stream_id.get(&stream_id)?;
+        let session = self.sessions.get_mut(key)?;
+        session.last_activity = Instant::now();
+        Some(session)
+    }
+
+    /// Insert a new session. Returns a mutable reference to it.
+    pub fn insert(&mut self, key: UdpSessionKey, stream_id: u32) -> &mut UdpSession {
+        let session = UdpSession {
+            stream_id,
+            client_addr: key.client_addr,
+            dest_port: key.dest_port,
+            last_activity: Instant::now(),
+        };
+        self.by_stream_id.insert(stream_id, key);
+        self.sessions.entry(key).or_insert(session)
+    }
+
+    /// Remove a session by stream_id.
+    pub fn remove_by_stream_id(&mut self, stream_id: u32) -> Option<UdpSession> {
+        if let Some(key) = self.by_stream_id.remove(&stream_id) {
+            self.sessions.remove(&key)
+        } else {
+            None
+        }
+    }
+
+    /// Expire idle sessions. Returns the stream_ids of expired sessions.
+    pub fn expire_idle(&mut self) -> Vec<u32> {
+        let now = Instant::now();
+        let timeout = self.idle_timeout;
+        let expired_keys: Vec<UdpSessionKey> = self
+            .sessions
+            .iter()
+            .filter(|(_, s)| now.duration_since(s.last_activity) >= timeout)
+            .map(|(k, _)| *k)
+            .collect();
+
+        let mut expired_ids = Vec::with_capacity(expired_keys.len());
+        for key in expired_keys {
+            if let Some(session) = self.sessions.remove(&key) {
+                self.by_stream_id.remove(&session.stream_id);
+                expired_ids.push(session.stream_id);
+            }
+        }
+        expired_ids
+    }
+
+    /// Number of active sessions.
+    pub fn len(&self) -> usize {
+        self.sessions.len()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::time::Duration;
+
+    fn addr(port: u16) -> SocketAddr {
+        SocketAddr::from(([127, 0, 0, 1], port))
+    }
+
+    #[test]
+    fn test_insert_and_lookup() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 1);
+
+        assert_eq!(mgr.len(), 1);
+        assert!(mgr.get_mut(&key).is_some());
+        assert_eq!(mgr.get_mut(&key).unwrap().stream_id, 1);
+    }
+
+    #[test]
+    fn test_client_addr_for_stream() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 42);
+
+        assert_eq!(mgr.client_addr_for_stream(42), Some(addr(5000)));
+        assert_eq!(mgr.client_addr_for_stream(99), None);
+    }
+
+    #[test]
+    fn test_remove_by_stream_id() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 1);
+
+        let removed = mgr.remove_by_stream_id(1);
+        assert!(removed.is_some());
+        assert_eq!(mgr.len(), 0);
+        assert!(mgr.get_mut(&key).is_none());
+        assert_eq!(mgr.client_addr_for_stream(1), None);
+    }
+
+    #[test]
+    fn test_remove_nonexistent() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        assert!(mgr.remove_by_stream_id(999).is_none());
+    }
+
+    #[tokio::test]
+    async fn test_expire_idle() {
+        let mut mgr = UdpSessionManager::new(Duration::from_millis(50));
+        let key1 = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        let key2 = UdpSessionKey { client_addr: addr(5001), dest_port: 53 };
+        mgr.insert(key1, 1);
+        mgr.insert(key2, 2);
+
+        // Nothing expired yet
+        assert!(mgr.expire_idle().is_empty());
+        assert_eq!(mgr.len(), 2);
+
+        // Wait for timeout
+        tokio::time::sleep(Duration::from_millis(60)).await;
+
+        let expired = mgr.expire_idle();
+        assert_eq!(expired.len(), 2);
+        assert_eq!(mgr.len(), 0);
+    }
+
+    #[tokio::test]
+    async fn test_activity_prevents_expiry() {
+        let mut mgr = UdpSessionManager::new(Duration::from_millis(100));
+        let key = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        mgr.insert(key, 1);
+
+        // Touch session at 50ms (before 100ms timeout)
+        tokio::time::sleep(Duration::from_millis(50)).await;
+        mgr.get_mut(&key); // refreshes last_activity
+
+        // At 80ms from last touch, should still be alive
+        tokio::time::sleep(Duration::from_millis(80)).await;
+        assert!(mgr.expire_idle().is_empty());
+        assert_eq!(mgr.len(), 1);
+
+        // Wait for full timeout from last activity
+        tokio::time::sleep(Duration::from_millis(30)).await;
+        let expired = mgr.expire_idle();
+        assert_eq!(expired.len(), 1);
+    }
+
+    #[test]
+    fn test_multiple_sessions_same_client_different_ports() {
+        let mut mgr = UdpSessionManager::new(Duration::from_secs(60));
+        let key1 = UdpSessionKey { client_addr: addr(5000), dest_port: 53 };
+        let key2 = UdpSessionKey { client_addr: addr(5000), dest_port: 443 };
+        mgr.insert(key1, 1);
+        mgr.insert(key2, 2);
+
+        assert_eq!(mgr.len(), 2);
+        assert_eq!(mgr.get_mut(&key1).unwrap().stream_id, 1);
+        assert_eq!(mgr.get_mut(&key2).unwrap().stream_id, 2);
+    }
+}

rust/crates/remoteingress-protocol/src/lib.rs

@@ -2,8 +2,10 @@ use std::collections::VecDeque;
 use std::future::Future;
 use std::pin::Pin;
 use std::task::{Context, Poll};
-use bytes::{Bytes, BytesMut};
+use std::time::Duration;
+use bytes::{Bytes, BytesMut, BufMut};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, ReadBuf};
+use tokio::time::Instant;
 
 // Frame type constants
 pub const FRAME_OPEN: u8 = 0x01;
@@ -17,6 +19,12 @@ pub const FRAME_PONG: u8 = 0x08;       // Edge -> Hub: heartbeat response
 pub const FRAME_WINDOW_UPDATE: u8 = 0x09;      // Edge -> Hub: per-stream flow control
 pub const FRAME_WINDOW_UPDATE_BACK: u8 = 0x0A;  // Hub -> Edge: per-stream flow control
 
+// UDP tunnel frame types
+pub const FRAME_UDP_OPEN: u8 = 0x0B;            // Edge -> Hub: open UDP session (payload: PROXY v2 header)
+pub const FRAME_UDP_DATA: u8 = 0x0C;            // Edge -> Hub: UDP datagram
+pub const FRAME_UDP_DATA_BACK: u8 = 0x0D;       // Hub -> Edge: UDP datagram
+pub const FRAME_UDP_CLOSE: u8 = 0x0E;           // Either direction: close UDP session
+
 // Frame header size: 4 (stream_id) + 1 (type) + 4 (length) = 9 bytes
 pub const FRAME_HEADER_SIZE: usize = 9;
 
@@ -24,13 +32,22 @@ pub const FRAME_HEADER_SIZE: usize = 9;
 pub const MAX_PAYLOAD_SIZE: u32 = 16 * 1024 * 1024;
 
 // Per-stream flow control constants
-/// Initial per-stream window size (4 MB). Sized for full throughput at high RTT:
-/// at 100ms RTT, this sustains ~40 MB/s per stream.
+/// Initial (and maximum) per-stream window size (4 MB).
 pub const INITIAL_STREAM_WINDOW: u32 = 4 * 1024 * 1024;
 /// Send WINDOW_UPDATE after consuming this many bytes (half the initial window).
 pub const WINDOW_UPDATE_THRESHOLD: u32 = INITIAL_STREAM_WINDOW / 2;
 /// Maximum window size to prevent overflow.
-pub const MAX_WINDOW_SIZE: u32 = 16 * 1024 * 1024;
+pub const MAX_WINDOW_SIZE: u32 = 4 * 1024 * 1024;
+
+// Sustained stream classification constants
+/// Throughput threshold for sustained classification (2.5 MB/s = 20 Mbit/s).
+pub const SUSTAINED_THRESHOLD_BPS: u64 = 2_500_000;
+/// Minimum duration before a stream can be classified as sustained.
+pub const SUSTAINED_MIN_DURATION_SECS: u64 = 10;
+/// Fixed window for sustained streams (1 MB — the floor).
+pub const SUSTAINED_WINDOW: u32 = 1 * 1024 * 1024;
+/// Maximum bytes written from sustained queue per forced drain (1 MB/s guarantee).
+pub const SUSTAINED_FORCED_DRAIN_CAP: usize = 1_048_576;
 
 /// Encode a WINDOW_UPDATE frame for a specific stream.
 pub fn encode_window_update(stream_id: u32, frame_type: u8, increment: u32) -> Bytes {
@@ -38,36 +55,11 @@ pub fn encode_window_update(stream_id: u32, frame_type: u8, increment: u32) -> B
 }
 
 /// Compute the target per-stream window size based on the number of active streams.
-/// Total memory budget is ~32MB shared across all streams. As more streams are active,
-/// each gets a smaller window. This adapts to current demand — few streams get high
-/// throughput, many streams save memory and reduce control frame pressure.
+/// Total memory budget is ~200MB shared across all streams. Up to 50 streams get the
+/// full 4MB window; above that the window scales down to a 1MB floor at 200+ streams.
 pub fn compute_window_for_stream_count(active: u32) -> u32 {
-    let per_stream = (32 * 1024 * 1024u64) / (active.max(1) as u64);
-    per_stream.clamp(64 * 1024, INITIAL_STREAM_WINDOW as u64) as u32
-}
-
-/// Proactively clamp a send_window AtomicU32 down to at most `target`.
-/// CAS loop so concurrent WINDOW_UPDATE additions are not lost.
-/// Returns the value after clamping.
-#[inline]
-pub fn clamp_send_window(
-    send_window: &std::sync::atomic::AtomicU32,
-    target: u32,
-) -> u32 {
-    loop {
-        let current = send_window.load(std::sync::atomic::Ordering::Acquire);
-        if current <= target {
-            return current;
-        }
-        match send_window.compare_exchange_weak(
-            current, target,
-            std::sync::atomic::Ordering::AcqRel,
-            std::sync::atomic::Ordering::Relaxed,
-        ) {
-            Ok(_) => return target,
-            Err(_) => continue,
-        }
-    }
+    let per_stream = (200 * 1024 * 1024u64) / (active.max(1) as u64);
+    per_stream.clamp(1 * 1024 * 1024, INITIAL_STREAM_WINDOW as u64) as u32
 }
 
 /// Decode a WINDOW_UPDATE payload into a byte increment. Returns None if payload is malformed.
@@ -89,12 +81,12 @@ pub struct Frame {
 /// Encode a frame into bytes: [stream_id:4][type:1][length:4][payload]
 pub fn encode_frame(stream_id: u32, frame_type: u8, payload: &[u8]) -> Bytes {
     let len = payload.len() as u32;
-    let mut buf = Vec::with_capacity(FRAME_HEADER_SIZE + payload.len());
-    buf.extend_from_slice(&stream_id.to_be_bytes());
-    buf.push(frame_type);
-    buf.extend_from_slice(&len.to_be_bytes());
-    buf.extend_from_slice(payload);
-    Bytes::from(buf)
+    let mut buf = BytesMut::with_capacity(FRAME_HEADER_SIZE + payload.len());
+    buf.put_slice(&stream_id.to_be_bytes());
+    buf.put_u8(frame_type);
+    buf.put_slice(&len.to_be_bytes());
+    buf.put_slice(payload);
+    buf.freeze()
 }
 
 /// Write a frame header into `buf[0..FRAME_HEADER_SIZE]`.
@@ -121,6 +113,76 @@ pub fn build_proxy_v1_header(
     )
 }
 
+/// PROXY protocol v2 signature (12 bytes).
+pub const PROXY_V2_SIGNATURE: [u8; 12] = [
+    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
+];
+
+/// Transport protocol for PROXY v2 header.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ProxyV2Transport {
+    /// TCP (STREAM) — byte 13 low nibble = 0x1
+    Tcp,
+    /// UDP (DGRAM) — byte 13 low nibble = 0x2
+    Udp,
+}
+
+/// Build a PROXY protocol v2 binary header for IPv4.
+///
+/// Returns a 28-byte header:
+/// - 12B signature
+/// - 1B version (0x2) + command (0x1 = PROXY)
+/// - 1B address family (0x1 = AF_INET) + transport (0x1 = TCP, 0x2 = UDP)
+/// - 2B address block length (0x000C = 12)
+/// - 4B source IPv4 address
+/// - 4B destination IPv4 address
+/// - 2B source port
+/// - 2B destination port
+pub fn build_proxy_v2_header(
+    src_ip: &std::net::Ipv4Addr,
+    dst_ip: &std::net::Ipv4Addr,
+    src_port: u16,
+    dst_port: u16,
+    transport: ProxyV2Transport,
+) -> Bytes {
+    let mut buf = BytesMut::with_capacity(28);
+    // Signature (12 bytes)
+    buf.put_slice(&PROXY_V2_SIGNATURE);
+    // Version 2 + PROXY command
+    buf.put_u8(0x21);
+    // AF_INET (0x1) + transport
+    let transport_nibble = match transport {
+        ProxyV2Transport::Tcp => 0x1,
+        ProxyV2Transport::Udp => 0x2,
+    };
+    buf.put_u8(0x10 | transport_nibble);
+    // Address block length: 12 bytes for IPv4
+    buf.put_u16(12);
+    // Source address (4 bytes, network byte order)
+    buf.put_slice(&src_ip.octets());
+    // Destination address (4 bytes, network byte order)
+    buf.put_slice(&dst_ip.octets());
+    // Source port (2 bytes, network byte order)
+    buf.put_u16(src_port);
+    // Destination port (2 bytes, network byte order)
+    buf.put_u16(dst_port);
+    buf.freeze()
+}
+
+/// Build a PROXY protocol v2 binary header from string IP addresses.
+/// Falls back to 0.0.0.0 if parsing fails.
+pub fn build_proxy_v2_header_from_str(
+    src_ip: &str,
+    dst_ip: &str,
+    src_port: u16,
+    dst_port: u16,
+    transport: ProxyV2Transport,
+) -> Bytes {
+    let src: std::net::Ipv4Addr = src_ip.parse().unwrap_or(std::net::Ipv4Addr::UNSPECIFIED);
+    let dst: std::net::Ipv4Addr = dst_ip.parse().unwrap_or(std::net::Ipv4Addr::UNSPECIFIED);
+    build_proxy_v2_header(&src, &dst, src_port, dst_port, transport)
+}
+
 /// Stateful async frame reader that yields `Frame` values from an `AsyncRead`.
 pub struct FrameReader<R> {
     reader: R,
@@ -169,7 +231,7 @@ impl<R: AsyncRead + Unpin> FrameReader<R> {
             ));
         }
 
-        let mut payload = vec![0u8; length as usize];
+        let mut payload = BytesMut::zeroed(length as usize);
         if length > 0 {
             self.reader.read_exact(&mut payload).await?;
         }
@@ -177,7 +239,7 @@ impl<R: AsyncRead + Unpin> FrameReader<R> {
         Ok(Some(Frame {
             stream_id,
             frame_type,
-            payload: Bytes::from(payload),
+            payload: payload.freeze(),
         }))
     }
 
@@ -211,46 +273,60 @@ pub enum TunnelEvent {
 /// Write state extracted into a sub-struct so the borrow checker can see
 /// disjoint field access between `self.write` and `self.stream`.
 struct WriteState {
-    ctrl_queue: VecDeque<Bytes>,   // PONG, WINDOW_UPDATE, CLOSE, OPEN — always first
-    data_queue: VecDeque<Bytes>,   // DATA, DATA_BACK — only when ctrl is empty
-    offset: usize,                 // progress within current frame being written
+    ctrl_queue: VecDeque<Bytes>,      // PONG, WINDOW_UPDATE, CLOSE, OPEN — always first
+    data_queue: VecDeque<Bytes>,      // DATA, DATA_BACK — only when ctrl is empty
+    sustained_queue: VecDeque<Bytes>, // DATA, DATA_BACK from sustained streams — lowest priority
+    offset: usize,                    // progress within current frame being written
     flush_needed: bool,
+    // Sustained starvation prevention: guaranteed 1 MB/s drain
+    sustained_last_drain: Instant,
+    sustained_bytes_this_period: usize,
 }
 
 impl WriteState {
     fn has_work(&self) -> bool {
-        !self.ctrl_queue.is_empty() || !self.data_queue.is_empty()
+        !self.ctrl_queue.is_empty() || !self.data_queue.is_empty() || !self.sustained_queue.is_empty()
     }
 }
 
 /// Single-owner I/O engine for the tunnel TLS connection.
 ///
 /// Owns the TLS stream directly — no `tokio::io::split()`, no mutex.
-/// Uses two priority write queues: ctrl frames (PONG, WINDOW_UPDATE, CLOSE, OPEN)
-/// are ALWAYS written before data frames (DATA, DATA_BACK). This prevents
-/// WINDOW_UPDATE starvation that causes flow control deadlocks.
+/// Uses three priority write queues:
+///   1. ctrl  (PONG, WINDOW_UPDATE, CLOSE, OPEN) — always first
+///   2. data  (DATA, DATA_BACK from normal streams) — when ctrl empty
+///   3. sustained (DATA, DATA_BACK from sustained streams) — lowest priority,
+///      drained freely when ctrl+data empty, or forced 1MB/s when they're not
 pub struct TunnelIo<S> {
     stream: S,
-    // Read state: BytesMut accumulates bytes; split_to extracts frames zero-copy.
-    read_buf: BytesMut,
+    // Read state: accumulate bytes, parse frames incrementally
+    read_buf: Vec<u8>,
+    read_pos: usize,
+    parse_pos: usize,
     // Write state: extracted sub-struct for safe disjoint borrows
     write: WriteState,
 }
 
 impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
     pub fn new(stream: S, initial_data: Vec<u8>) -> Self {
-        let mut read_buf = BytesMut::from(&initial_data[..]);
+        let read_pos = initial_data.len();
+        let mut read_buf = initial_data;
         if read_buf.capacity() < 65536 {
             read_buf.reserve(65536 - read_buf.len());
         }
         Self {
             stream,
             read_buf,
+            read_pos,
+            parse_pos: 0,
             write: WriteState {
                 ctrl_queue: VecDeque::new(),
                 data_queue: VecDeque::new(),
+                sustained_queue: VecDeque::new(),
                 offset: 0,
                 flush_needed: false,
+                sustained_last_drain: Instant::now(),
+                sustained_bytes_this_period: 0,
             },
         }
     }
@@ -265,30 +341,37 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
         self.write.data_queue.push_back(frame);
     }
 
+    /// Queue a lowest-priority sustained data frame.
+    pub fn queue_sustained(&mut self, frame: Bytes) {
+        self.write.sustained_queue.push_back(frame);
+    }
+
     /// Try to parse a complete frame from the read buffer.
-    /// Zero-copy: uses BytesMut::split_to to extract frames without allocating.
+    /// Uses a parse_pos cursor to avoid drain() on every frame.
     pub fn try_parse_frame(&mut self) -> Option<Result<Frame, std::io::Error>> {
-        if self.read_buf.len() < FRAME_HEADER_SIZE {
+        let available = self.read_pos - self.parse_pos;
+        if available < FRAME_HEADER_SIZE {
             return None;
         }
 
+        let base = self.parse_pos;
         let stream_id = u32::from_be_bytes([
-            self.read_buf[0], self.read_buf[1],
-            self.read_buf[2], self.read_buf[3],
+            self.read_buf[base], self.read_buf[base + 1],
+            self.read_buf[base + 2], self.read_buf[base + 3],
         ]);
-        let frame_type = self.read_buf[4];
+        let frame_type = self.read_buf[base + 4];
         let length = u32::from_be_bytes([
-            self.read_buf[5], self.read_buf[6],
-            self.read_buf[7], self.read_buf[8],
+            self.read_buf[base + 5], self.read_buf[base + 6],
+            self.read_buf[base + 7], self.read_buf[base + 8],
         ]);
 
         if length > MAX_PAYLOAD_SIZE {
             let header = [
-                self.read_buf[0], self.read_buf[1],
-                self.read_buf[2], self.read_buf[3],
-                self.read_buf[4], self.read_buf[5],
-                self.read_buf[6], self.read_buf[7],
-                self.read_buf[8],
+                self.read_buf[base], self.read_buf[base + 1],
+                self.read_buf[base + 2], self.read_buf[base + 3],
+                self.read_buf[base + 4], self.read_buf[base + 5],
+                self.read_buf[base + 6], self.read_buf[base + 7],
+                self.read_buf[base + 8],
             ];
             log::error!(
                 "CORRUPT FRAME HEADER: raw={:02x?} stream_id={} type=0x{:02x} length={}",
@@ -301,48 +384,63 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
         }
 
         let total_frame_size = FRAME_HEADER_SIZE + length as usize;
-        if self.read_buf.len() < total_frame_size {
+        if available < total_frame_size {
             return None;
         }
 
-        // Zero-copy extraction: split the frame off the read buffer (O(1) pointer adjustment).
-        // split_to removes the first total_frame_size bytes from read_buf.
-        let mut frame_data = self.read_buf.split_to(total_frame_size);
-        // Split off header, keep only payload. freeze() converts BytesMut → Bytes (O(1)).
-        let payload = frame_data.split_off(FRAME_HEADER_SIZE).freeze();
+        let payload = Bytes::copy_from_slice(
+            &self.read_buf[base + FRAME_HEADER_SIZE..base + total_frame_size],
+        );
+        self.parse_pos += total_frame_size;
+
+        // Compact when parse_pos > half the data to reclaim memory
+        if self.parse_pos > self.read_pos / 2 && self.parse_pos > 0 {
+            self.read_buf.drain(..self.parse_pos);
+            self.read_pos -= self.parse_pos;
+            self.parse_pos = 0;
+        }
 
         Some(Ok(Frame { stream_id, frame_type, payload }))
     }
 
     /// Poll-based I/O step. Returns Ready on events, Pending when idle.
     ///
-    /// Order: write(ctrl→data) → flush → read → channels → timers
+    /// Order: write(ctrl->data->sustained) -> flush -> read -> channels -> timers
     pub fn poll_step(
         &mut self,
         cx: &mut Context<'_>,
         ctrl_rx: &mut tokio::sync::mpsc::Receiver<Bytes>,
         data_rx: &mut tokio::sync::mpsc::Receiver<Bytes>,
+        sustained_rx: &mut tokio::sync::mpsc::Receiver<Bytes>,
         liveness_deadline: &mut Pin<Box<tokio::time::Sleep>>,
         cancel_token: &tokio_util::sync::CancellationToken,
     ) -> Poll<TunnelEvent> {
-        // 1. WRITE: drain ctrl queue first, then data queue.
+        // 1. WRITE: 3-tier priority — ctrl first, then data, then sustained.
+        //    Sustained drains freely when ctrl+data are empty.
         //    Write one frame, set flush_needed, then flush must complete before
         //    writing more. This prevents unbounded TLS session buffer growth.
         //    Safe: `self.write` and `self.stream` are disjoint fields.
         let mut writes = 0;
         while self.write.has_work() && writes < 16 && !self.write.flush_needed {
-            let from_ctrl = !self.write.ctrl_queue.is_empty();
-            let frame = if from_ctrl {
-                self.write.ctrl_queue.front().unwrap()
+            // Pick queue: ctrl > data > sustained
+            let queue_id = if !self.write.ctrl_queue.is_empty() {
+                0 // ctrl
+            } else if !self.write.data_queue.is_empty() {
+                1 // data
             } else {
-                self.write.data_queue.front().unwrap()
+                2 // sustained
+            };
+            let frame = match queue_id {
+                0 => self.write.ctrl_queue.front().unwrap(),
+                1 => self.write.data_queue.front().unwrap(),
+                _ => self.write.sustained_queue.front().unwrap(),
             };
             let remaining = &frame[self.write.offset..];
 
             match Pin::new(&mut self.stream).poll_write(cx, remaining) {
                 Poll::Ready(Ok(0)) => {
-                    log::error!("TunnelIo: poll_write returned 0 (write zero), ctrl_q={} data_q={}",
-                        self.write.ctrl_queue.len(), self.write.data_queue.len());
+                    log::error!("TunnelIo: poll_write returned 0 (write zero), ctrl_q={} data_q={} sustained_q={}",
+                        self.write.ctrl_queue.len(), self.write.data_queue.len(), self.write.sustained_queue.len());
                     return Poll::Ready(TunnelEvent::WriteError(
                         std::io::Error::new(std::io::ErrorKind::WriteZero, "write zero"),
                     ));
@@ -351,21 +449,70 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
                     self.write.offset += n;
                     self.write.flush_needed = true;
                     if self.write.offset >= frame.len() {
-                        if from_ctrl { self.write.ctrl_queue.pop_front(); }
-                        else { self.write.data_queue.pop_front(); }
+                        match queue_id {
+                            0 => { self.write.ctrl_queue.pop_front(); }
+                            1 => { self.write.data_queue.pop_front(); }
+                            _ => {
+                                self.write.sustained_queue.pop_front();
+                                self.write.sustained_last_drain = Instant::now();
+                                self.write.sustained_bytes_this_period = 0;
+                            }
+                        }
                         self.write.offset = 0;
                         writes += 1;
                     }
                 }
                 Poll::Ready(Err(e)) => {
-                    log::error!("TunnelIo: poll_write error: {} (ctrl_q={} data_q={})",
-                        e, self.write.ctrl_queue.len(), self.write.data_queue.len());
+                    log::error!("TunnelIo: poll_write error: {} (ctrl_q={} data_q={} sustained_q={})",
+                        e, self.write.ctrl_queue.len(), self.write.data_queue.len(), self.write.sustained_queue.len());
                     return Poll::Ready(TunnelEvent::WriteError(e));
                 }
                 Poll::Pending => break,
             }
         }
 
+        // 1b. FORCED SUSTAINED DRAIN: when ctrl/data have work but sustained is waiting,
+        //     guarantee at least 1 MB/s by draining up to SUSTAINED_FORCED_DRAIN_CAP
+        //     once per second.
+        if !self.write.sustained_queue.is_empty()
+            && (!self.write.ctrl_queue.is_empty() || !self.write.data_queue.is_empty())
+            && !self.write.flush_needed
+        {
+            let now = Instant::now();
+            if now.duration_since(self.write.sustained_last_drain) >= Duration::from_secs(1) {
+                self.write.sustained_bytes_this_period = 0;
+                self.write.sustained_last_drain = now;
+
+                while !self.write.sustained_queue.is_empty()
+                    && self.write.sustained_bytes_this_period < SUSTAINED_FORCED_DRAIN_CAP
+                    && !self.write.flush_needed
+                {
+                    let frame = self.write.sustained_queue.front().unwrap();
+                    let remaining = &frame[self.write.offset..];
+                    match Pin::new(&mut self.stream).poll_write(cx, remaining) {
+                        Poll::Ready(Ok(0)) => {
+                            return Poll::Ready(TunnelEvent::WriteError(
+                                std::io::Error::new(std::io::ErrorKind::WriteZero, "write zero"),
+                            ));
+                        }
+                        Poll::Ready(Ok(n)) => {
+                            self.write.offset += n;
+                            self.write.flush_needed = true;
+                            self.write.sustained_bytes_this_period += n;
+                            if self.write.offset >= frame.len() {
+                                self.write.sustained_queue.pop_front();
+                                self.write.offset = 0;
+                            }
+                        }
+                        Poll::Ready(Err(e)) => {
+                            return Poll::Ready(TunnelEvent::WriteError(e));
+                        }
+                        Poll::Pending => break,
+                    }
+                }
+            }
+        }
+
         // 2. FLUSH: push encrypted data from TLS session to TCP.
         if self.write.flush_needed {
             match Pin::new(&mut self.stream).poll_flush(cx) {
@@ -385,18 +532,23 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
         //    the waker without re-registering it, causing the task to sleep until a
         //    timer or channel wakes it (potentially 15+ seconds of lost reads).
         loop {
-            // Ensure at least 32KB of writable space
-            let len_before = self.read_buf.len();
-            self.read_buf.resize(len_before + 32768, 0);
-            let mut rbuf = ReadBuf::new(&mut self.read_buf[len_before..]);
+            // Compact if needed to make room for reads
+            if self.parse_pos > 0 && self.read_buf.len() - self.read_pos < 32768 {
+                self.read_buf.drain(..self.parse_pos);
+                self.read_pos -= self.parse_pos;
+                self.parse_pos = 0;
+            }
+            if self.read_buf.len() < self.read_pos + 32768 {
+                self.read_buf.resize(self.read_pos + 32768, 0);
+            }
+            let mut rbuf = ReadBuf::new(&mut self.read_buf[self.read_pos..]);
             match Pin::new(&mut self.stream).poll_read(cx, &mut rbuf) {
                 Poll::Ready(Ok(())) => {
                     let n = rbuf.filled().len();
-                    // Trim back to actual data length
-                    self.read_buf.truncate(len_before + n);
                     if n == 0 {
                         return Poll::Ready(TunnelEvent::Eof);
                     }
+                    self.read_pos += n;
                     if let Some(result) = self.try_parse_frame() {
                         return match result {
                             Ok(frame) => Poll::Ready(TunnelEvent::Frame(frame)),
@@ -407,14 +559,10 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
                     // waker is re-registered when it finally returns Pending.
                 }
                 Poll::Ready(Err(e)) => {
-                    self.read_buf.truncate(len_before);
                     log::error!("TunnelIo: poll_read error: {}", e);
                     return Poll::Ready(TunnelEvent::ReadError(e));
                 }
-                Poll::Pending => {
-                    self.read_buf.truncate(len_before);
-                    break;
-                }
+                Poll::Pending => break,
             }
         }
 
@@ -422,7 +570,7 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
         //    Ctrl frames must never be delayed — always drain fully.
         //    Data frames are gated: keep data in the bounded channel for proper
         //    backpressure when TLS writes are slow. Without this gate, the internal
-        //    data_queue (unbounded VecDeque) grows to hundreds of MB under throttle → OOM.
+        //    data_queue (unbounded VecDeque) grows to hundreds of MB under throttle -> OOM.
         let mut got_new = false;
         loop {
             match ctrl_rx.poll_recv(cx) {
@@ -448,6 +596,16 @@ impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
                 }
             }
         }
+        // Sustained channel: drain when sustained_queue is small (same backpressure pattern).
+        // Channel close is non-fatal — not all connections have sustained streams.
+        if self.write.sustained_queue.len() < 64 {
+            loop {
+                match sustained_rx.poll_recv(cx) {
+                    Poll::Ready(Some(frame)) => { self.write.sustained_queue.push_back(frame); got_new = true; }
+                    Poll::Ready(None) | Poll::Pending => break,
+                }
+            }
+        }
 
         // 5. TIMERS
         if liveness_deadline.as_mut().poll(cx).is_ready() {
@@ -484,14 +642,14 @@ mod tests {
         let mut buf = vec![0u8; FRAME_HEADER_SIZE + payload.len()];
         buf[FRAME_HEADER_SIZE..].copy_from_slice(payload);
         encode_frame_header(&mut buf, 42, FRAME_DATA, payload.len());
-        assert_eq!(buf[..], encode_frame(42, FRAME_DATA, payload)[..]);
+        assert_eq!(buf, &encode_frame(42, FRAME_DATA, payload)[..]);
     }
 
     #[test]
     fn test_encode_frame_header_empty_payload() {
         let mut buf = vec![0u8; FRAME_HEADER_SIZE];
         encode_frame_header(&mut buf, 99, FRAME_CLOSE, 0);
-        assert_eq!(buf[..], encode_frame(99, FRAME_CLOSE, &[])[..]);
+        assert_eq!(buf, &encode_frame(99, FRAME_CLOSE, &[])[..]);
     }
 
     #[test]
@@ -522,6 +680,62 @@ mod tests {
         assert_eq!(header, "PROXY TCP4 1.2.3.4 5.6.7.8 12345 443\r\n");
     }
 
+    #[test]
+    fn test_proxy_v2_header_tcp4() {
+        let src = "198.51.100.10".parse().unwrap();
+        let dst = "203.0.113.25".parse().unwrap();
+        let header = build_proxy_v2_header(&src, &dst, 54321, 8443, ProxyV2Transport::Tcp);
+        assert_eq!(header.len(), 28);
+        // Signature
+        assert_eq!(&header[0..12], &PROXY_V2_SIGNATURE);
+        // Version 2 + PROXY command
+        assert_eq!(header[12], 0x21);
+        // AF_INET + STREAM (TCP)
+        assert_eq!(header[13], 0x11);
+        // Address length = 12
+        assert_eq!(u16::from_be_bytes([header[14], header[15]]), 12);
+        // Source IP: 198.51.100.10
+        assert_eq!(&header[16..20], &[198, 51, 100, 10]);
+        // Dest IP: 203.0.113.25
+        assert_eq!(&header[20..24], &[203, 0, 113, 25]);
+        // Source port: 54321
+        assert_eq!(u16::from_be_bytes([header[24], header[25]]), 54321);
+        // Dest port: 8443
+        assert_eq!(u16::from_be_bytes([header[26], header[27]]), 8443);
+    }
+
+    #[test]
+    fn test_proxy_v2_header_udp4() {
+        let src = "10.0.0.1".parse().unwrap();
+        let dst = "10.0.0.2".parse().unwrap();
+        let header = build_proxy_v2_header(&src, &dst, 12345, 53, ProxyV2Transport::Udp);
+        assert_eq!(header.len(), 28);
+        assert_eq!(header[12], 0x21); // v2, PROXY
+        assert_eq!(header[13], 0x12); // AF_INET + DGRAM (UDP)
+        assert_eq!(&header[16..20], &[10, 0, 0, 1]); // src
+        assert_eq!(&header[20..24], &[10, 0, 0, 2]); // dst
+        assert_eq!(u16::from_be_bytes([header[24], header[25]]), 12345);
+        assert_eq!(u16::from_be_bytes([header[26], header[27]]), 53);
+    }
+
+    #[test]
+    fn test_proxy_v2_header_from_str() {
+        let header = build_proxy_v2_header_from_str("1.2.3.4", "5.6.7.8", 1000, 443, ProxyV2Transport::Tcp);
+        assert_eq!(header.len(), 28);
+        assert_eq!(&header[16..20], &[1, 2, 3, 4]);
+        assert_eq!(&header[20..24], &[5, 6, 7, 8]);
+    }
+
+    #[test]
+    fn test_proxy_v2_header_from_str_invalid_ip() {
+        let header = build_proxy_v2_header_from_str("not-an-ip", "also-not", 1000, 443, ProxyV2Transport::Udp);
+        assert_eq!(header.len(), 28);
+        // Falls back to 0.0.0.0
+        assert_eq!(&header[16..20], &[0, 0, 0, 0]);
+        assert_eq!(&header[20..24], &[0, 0, 0, 0]);
+        assert_eq!(header[13], 0x12); // UDP
+    }
+
     #[tokio::test]
     async fn test_frame_reader() {
         let frame1 = encode_frame(1, FRAME_OPEN, b"PROXY TCP4 1.2.3.4 5.6.7.8 1234 443\r\n");
@@ -696,90 +910,57 @@ mod tests {
 
     #[test]
     fn test_adaptive_window_zero_streams() {
-        // 0 streams treated as 1: 32MB/1 = 32MB → clamped to 4MB max
+        // 0 streams treated as 1: 200MB/1 -> clamped to 4MB max
         assert_eq!(compute_window_for_stream_count(0), INITIAL_STREAM_WINDOW);
     }
 
     #[test]
     fn test_adaptive_window_one_stream() {
-        // 32MB/1 = 32MB → clamped to 4MB max
         assert_eq!(compute_window_for_stream_count(1), INITIAL_STREAM_WINDOW);
     }
 
     #[test]
-    fn test_adaptive_window_at_max_boundary() {
-        // 32MB/8 = 4MB = exactly INITIAL_STREAM_WINDOW
-        assert_eq!(compute_window_for_stream_count(8), INITIAL_STREAM_WINDOW);
+    fn test_adaptive_window_50_streams_full() {
+        // 200MB/50 = 4MB = exactly INITIAL_STREAM_WINDOW
+        assert_eq!(compute_window_for_stream_count(50), INITIAL_STREAM_WINDOW);
     }
 
     #[test]
-    fn test_adaptive_window_just_below_max() {
-        // 32MB/9 = 3,728,270 — first value below INITIAL_STREAM_WINDOW
-        let w = compute_window_for_stream_count(9);
+    fn test_adaptive_window_51_streams_starts_scaling() {
+        // 200MB/51 < 4MB — first value below max
+        let w = compute_window_for_stream_count(51);
         assert!(w < INITIAL_STREAM_WINDOW);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 9) as u32);
-    }
-
-    #[test]
-    fn test_adaptive_window_16_streams() {
-        // 32MB/16 = 2MB
-        assert_eq!(compute_window_for_stream_count(16), 2 * 1024 * 1024);
+        assert_eq!(w, (200 * 1024 * 1024u64 / 51) as u32);
     }
 
     #[test]
     fn test_adaptive_window_100_streams() {
-        // 32MB/100 = 335,544 bytes (~327KB)
-        let w = compute_window_for_stream_count(100);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 100) as u32);
-        assert!(w > 64 * 1024); // above floor
-        assert!(w < INITIAL_STREAM_WINDOW as u32); // below ceiling
+        // 200MB/100 = 2MB
+        assert_eq!(compute_window_for_stream_count(100), 2 * 1024 * 1024);
     }
 
     #[test]
-    fn test_adaptive_window_200_streams() {
-        // 32MB/200 = 167,772 bytes (~163KB), above 64KB floor
-        let w = compute_window_for_stream_count(200);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 200) as u32);
-        assert!(w > 64 * 1024);
+    fn test_adaptive_window_200_streams_at_floor() {
+        // 200MB/200 = 1MB = exactly the floor
+        assert_eq!(compute_window_for_stream_count(200), 1 * 1024 * 1024);
     }
 
     #[test]
-    fn test_adaptive_window_500_streams() {
-        // 32MB/500 = 67,108 bytes (~65.5KB), just above 64KB floor
-        let w = compute_window_for_stream_count(500);
-        assert_eq!(w, (32 * 1024 * 1024u64 / 500) as u32);
-        assert!(w > 64 * 1024);
-    }
-
-    #[test]
-    fn test_adaptive_window_at_min_boundary() {
-        // 32MB/512 = 65,536 = exactly 64KB floor
-        assert_eq!(compute_window_for_stream_count(512), 64 * 1024);
-    }
-
-    #[test]
-    fn test_adaptive_window_below_min_clamped() {
-        // 32MB/513 = 65,408 → clamped up to 64KB
-        assert_eq!(compute_window_for_stream_count(513), 64 * 1024);
-    }
-
-    #[test]
-    fn test_adaptive_window_1000_streams() {
-        // 32MB/1000 = 33,554 → clamped to 64KB
-        assert_eq!(compute_window_for_stream_count(1000), 64 * 1024);
+    fn test_adaptive_window_500_streams_clamped() {
+        // 200MB/500 = 0.4MB -> clamped up to 1MB floor
+        assert_eq!(compute_window_for_stream_count(500), 1 * 1024 * 1024);
     }
 
     #[test]
     fn test_adaptive_window_max_u32() {
-        // Extreme: u32::MAX streams → tiny value → clamped to 64KB
-        assert_eq!(compute_window_for_stream_count(u32::MAX), 64 * 1024);
+        // Extreme: u32::MAX streams -> tiny value -> clamped to 1MB
+        assert_eq!(compute_window_for_stream_count(u32::MAX), 1 * 1024 * 1024);
     }
 
     #[test]
     fn test_adaptive_window_monotonically_decreasing() {
-        // Window should decrease (or stay same) as stream count increases
         let mut prev = compute_window_for_stream_count(1);
-        for n in [2, 5, 10, 50, 100, 200, 500, 512, 1000] {
+        for n in [2, 10, 50, 51, 100, 200, 500, 1000] {
             let w = compute_window_for_stream_count(n);
             assert!(w <= prev, "window increased from {} to {} at n={}", prev, w, n);
             prev = w;
@@ -788,47 +969,14 @@ mod tests {
 
     #[test]
     fn test_adaptive_window_total_budget_bounded() {
-        // active × per_stream_window should never exceed 32MB (+ clamp overhead for high N)
-        for n in [1, 10, 50, 100, 200, 500] {
+        // active x per_stream_window should never exceed 200MB (+ clamp overhead for high N)
+        for n in [1, 10, 50, 100, 200] {
             let w = compute_window_for_stream_count(n);
             let total = w as u64 * n as u64;
-            assert!(total <= 32 * 1024 * 1024, "total {}MB exceeds budget at n={}", total / (1024*1024), n);
+            assert!(total <= 200 * 1024 * 1024, "total {}MB exceeds budget at n={}", total / (1024*1024), n);
         }
     }
 
-    // --- clamp_send_window tests ---
-
-    #[test]
-    fn test_clamp_send_window_reduces_above_target() {
-        let w = std::sync::atomic::AtomicU32::new(4 * 1024 * 1024); // 4 MB
-        let result = clamp_send_window(&w, 512 * 1024); // target 512 KB
-        assert_eq!(result, 512 * 1024);
-        assert_eq!(w.load(std::sync::atomic::Ordering::Relaxed), 512 * 1024);
-    }
-
-    #[test]
-    fn test_clamp_send_window_noop_below_target() {
-        let w = std::sync::atomic::AtomicU32::new(256 * 1024); // 256 KB
-        let result = clamp_send_window(&w, 512 * 1024); // target 512 KB
-        assert_eq!(result, 256 * 1024);
-        assert_eq!(w.load(std::sync::atomic::Ordering::Relaxed), 256 * 1024);
-    }
-
-    #[test]
-    fn test_clamp_send_window_noop_at_target() {
-        let w = std::sync::atomic::AtomicU32::new(512 * 1024);
-        let result = clamp_send_window(&w, 512 * 1024);
-        assert_eq!(result, 512 * 1024);
-        assert_eq!(w.load(std::sync::atomic::Ordering::Relaxed), 512 * 1024);
-    }
-
-    #[test]
-    fn test_clamp_send_window_zero_value() {
-        let w = std::sync::atomic::AtomicU32::new(0);
-        let result = clamp_send_window(&w, 64 * 1024);
-        assert_eq!(result, 0);
-    }
-
     // --- encode/decode window_update roundtrip ---
 
     #[test]

test/test.flowcontrol.node.ts

@@ -315,7 +315,7 @@ let echoServer: TrackingServer;
 let hubPort: number;
 let edgePort: number;
 
-tap.test('setup: start echo server and tunnel', async () => {
+tap.test('TCP/TLS setup: start TCP echo server and TCP+TLS tunnel', async () => {
   [hubPort, edgePort] = await findFreePorts(2);
 
   echoServer = await startEchoServer(edgePort, '127.0.0.2');
@@ -324,7 +324,7 @@ tap.test('setup: start echo server and tunnel', async () => {
   expect(tunnel.hub.running).toBeTrue();
 });
 
-tap.test('single stream: 32MB transfer exceeding initial 4MB window', async () => {
+tap.test('TCP/TLS: single TCP stream — 32MB transfer exceeding initial 4MB window', async () => {
   const size = 32 * 1024 * 1024;
   const data = crypto.randomBytes(size);
   const expectedHash = sha256(data);
@@ -335,7 +335,7 @@ tap.test('single stream: 32MB transfer exceeding initial 4MB window', async () =
   expect(sha256(received)).toEqual(expectedHash);
 });
 
-tap.test('200 concurrent streams with 64KB each', async () => {
+tap.test('TCP/TLS: 200 concurrent TCP streams x 64KB each', async () => {
   const streamCount = 200;
   const payloadSize = 64 * 1024;
 
@@ -355,7 +355,7 @@ tap.test('200 concurrent streams with 64KB each', async () => {
   expect(failures.length).toEqual(0);
 });
 
-tap.test('512 concurrent streams at minimum window boundary (16KB each)', async () => {
+tap.test('TCP/TLS: 512 concurrent TCP streams at minimum window boundary (16KB each)', async () => {
   const streamCount = 512;
   const payloadSize = 16 * 1024;
 
@@ -375,7 +375,7 @@ tap.test('512 concurrent streams at minimum window boundary (16KB each)', async
   expect(failures.length).toEqual(0);
 });
 
-tap.test('asymmetric transfer: 4KB request -> 4MB response', async () => {
+tap.test('TCP/TLS: asymmetric TCP transfer — 4KB request -> 4MB response', async () => {
   // Swap to large-response server
   await forceCloseServer(echoServer);
   const responseSize = 4 * 1024 * 1024; // 4 MB
@@ -392,7 +392,7 @@ tap.test('asymmetric transfer: 4KB request -> 4MB response', async () => {
   }
 });
 
-tap.test('100 streams x 1MB each (100MB total exceeding 32MB budget)', async () => {
+tap.test('TCP/TLS: 100 TCP streams x 1MB each (100MB total exceeding 200MB budget)', async () => {
   const streamCount = 100;
   const payloadSize = 1 * 1024 * 1024;
 
@@ -412,7 +412,7 @@ tap.test('100 streams x 1MB each (100MB total exceeding 32MB budget)', async ()
   expect(failures.length).toEqual(0);
 });
 
-tap.test('active stream counter tracks concurrent connections', async () => {
+tap.test('TCP/TLS: active TCP stream counter tracks concurrent connections', async () => {
   const N = 50;
 
   // Open N connections and keep them alive (send data but don't close)
@@ -445,8 +445,8 @@ tap.test('active stream counter tracks concurrent connections', async () => {
   }
 });
 
-tap.test('50 streams x 2MB each (forces multiple window refills per stream)', async () => {
-  // At 50 concurrent streams: adaptive window = 32MB/50 = 655KB per stream
+tap.test('TCP/TLS: 50 TCP streams x 2MB each (forces multiple window refills)', async () => {
+  // At 50 concurrent streams: adaptive window = 200MB/50 = 4MB per stream
   // Each stream sends 2MB → needs ~3 WINDOW_UPDATE refill cycles per stream
   const streamCount = 50;
   const payloadSize = 2 * 1024 * 1024;
@@ -467,7 +467,7 @@ tap.test('50 streams x 2MB each (forces multiple window refills per stream)', as
   expect(failures.length).toEqual(0);
 });
 
-tap.test('teardown: stop tunnel and echo server', async () => {
+tap.test('TCP/TLS teardown: stop tunnel and TCP echo server', async () => {
   await tunnel.cleanup();
   await forceCloseServer(echoServer);
 });

test/test.loadtest.node.ts

@@ -231,7 +231,7 @@ let edgePort: number;
 // Tests
 // ---------------------------------------------------------------------------
 
-tap.test('setup: start throttled tunnel (100 Mbit/s)', async () => {
+tap.test('TCP/TLS setup: start throttled TCP+TLS tunnel (100 Mbit/s)', async () => {
   [hubPort, proxyPort, edgePort] = await findFreePorts(3);
 
   echoServer = await startEchoServer(edgePort, '127.0.0.2');
@@ -271,7 +271,7 @@ tap.test('setup: start throttled tunnel (100 Mbit/s)', async () => {
   expect(status.connected).toBeTrue();
 });
 
-tap.test('throttled: 5 streams x 20MB each through 100Mbit tunnel', async () => {
+tap.test('TCP/TLS throttled: 5 TCP streams x 20MB each through 100Mbit tunnel', async () => {
   const streamCount = 5;
   const payloadSize = 20 * 1024 * 1024; // 20MB per stream = 100MB total round-trip
 
@@ -293,7 +293,7 @@ tap.test('throttled: 5 streams x 20MB each through 100Mbit tunnel', async () =>
   expect(status.connected).toBeTrue();
 });
 
-tap.test('throttled: slow consumer with 20MB does not kill other streams', async () => {
+tap.test('TCP/TLS throttled: slow TCP consumer with 20MB does not kill other streams', async () => {
   // Open a connection that creates download-direction backpressure:
   // send 20MB but DON'T read the response — client TCP receive buffer fills
   const slowSock = net.createConnection({ host: '127.0.0.1', port: edgePort });
@@ -326,7 +326,7 @@ tap.test('throttled: slow consumer with 20MB does not kill other streams', async
   slowSock.destroy();
 });
 
-tap.test('throttled: rapid churn — 3 x 20MB long + 50 x 1MB short streams', async () => {
+tap.test('TCP/TLS throttled: rapid churn — 3 x 20MB long + 50 x 1MB short TCP streams', async () => {
   // 3 long streams (20MB each) running alongside 50 short streams (1MB each)
   const longPayload = crypto.randomBytes(20 * 1024 * 1024);
   const longHash = sha256(longPayload);
@@ -360,7 +360,7 @@ tap.test('throttled: rapid churn — 3 x 20MB long + 50 x 1MB short streams', as
   expect(status.connected).toBeTrue();
 });
 
-tap.test('throttled: 3 burst waves of 5 streams x 20MB each', async () => {
+tap.test('TCP/TLS throttled: 3 burst waves of 5 TCP streams x 20MB each', async () => {
   for (let wave = 0; wave < 3; wave++) {
     const streamCount = 5;
     const payloadSize = 20 * 1024 * 1024; // 20MB per stream = 100MB per wave
@@ -382,7 +382,7 @@ tap.test('throttled: 3 burst waves of 5 streams x 20MB each', async () => {
   }
 });
 
-tap.test('throttled: tunnel still works after all load tests', async () => {
+tap.test('TCP/TLS throttled: TCP tunnel still works after all load tests', async () => {
   const data = crypto.randomBytes(1024);
   const hash = sha256(data);
   const received = await sendAndReceive(edgePort, data, 30000);
@@ -392,7 +392,7 @@ tap.test('throttled: tunnel still works after all load tests', async () => {
   expect(status.connected).toBeTrue();
 });
 
-tap.test('teardown: stop tunnel', async () => {
+tap.test('TCP/TLS teardown: stop throttled tunnel', async () => {
   await edge.stop();
   await hub.stop();
   if (throttle) await throttle.close();

test/test.quic.node.ts

@@ -0,0 +1,283 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as net from 'net';
+import * as crypto from 'crypto';
+import { RemoteIngressHub, RemoteIngressEdge } from '../ts/index.js';
+
+// ---------------------------------------------------------------------------
+// Helpers (same patterns as test.flowcontrol.node.ts)
+// ---------------------------------------------------------------------------
+
+async function findFreePorts(count: number): Promise<number[]> {
+  const servers: net.Server[] = [];
+  const ports: number[] = [];
+  for (let i = 0; i < count; i++) {
+    const server = net.createServer();
+    await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
+    ports.push((server.address() as net.AddressInfo).port);
+    servers.push(server);
+  }
+  await Promise.all(servers.map((s) => new Promise<void>((resolve) => s.close(() => resolve()))));
+  return ports;
+}
+
+type TrackingServer = net.Server & { destroyAll: () => void };
+
+function startEchoServer(port: number, host: string): Promise<TrackingServer> {
+  return new Promise((resolve, reject) => {
+    const connections = new Set<net.Socket>();
+    const server = net.createServer((socket) => {
+      connections.add(socket);
+      socket.on('close', () => connections.delete(socket));
+      let proxyHeaderParsed = false;
+      let pendingBuf = Buffer.alloc(0);
+      socket.on('data', (data: Buffer) => {
+        if (!proxyHeaderParsed) {
+          pendingBuf = Buffer.concat([pendingBuf, data]);
+          const idx = pendingBuf.indexOf('\r\n');
+          if (idx !== -1) {
+            proxyHeaderParsed = true;
+            const remainder = pendingBuf.subarray(idx + 2);
+            if (remainder.length > 0) socket.write(remainder);
+          }
+          return;
+        }
+        socket.write(data);
+      });
+      socket.on('error', () => {});
+    }) as TrackingServer;
+    server.destroyAll = () => {
+      for (const conn of connections) conn.destroy();
+      connections.clear();
+    };
+    server.on('error', reject);
+    server.listen(port, host, () => resolve(server));
+  });
+}
+
+async function forceCloseServer(server: TrackingServer): Promise<void> {
+  server.destroyAll();
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+}
+
+interface TestTunnel {
+  hub: RemoteIngressHub;
+  edge: RemoteIngressEdge;
+  edgePort: number;
+  cleanup: () => Promise<void>;
+}
+
+/**
+ * Start a full hub + edge tunnel using QUIC transport.
+ * Edge binds to 127.0.0.1, upstream server binds to 127.0.0.2.
+ */
+async function startQuicTunnel(edgePort: number, hubPort: number): Promise<TestTunnel> {
+  const hub = new RemoteIngressHub();
+  const edge = new RemoteIngressEdge();
+
+  await hub.start({
+    tunnelPort: hubPort,
+    targetHost: '127.0.0.2',
+  });
+
+  await hub.updateAllowedEdges([
+    { id: 'test-edge', secret: 'test-secret', listenPorts: [edgePort] },
+  ]);
+
+  const connectedPromise = new Promise<void>((resolve, reject) => {
+    const timeout = setTimeout(() => reject(new Error('QUIC edge did not connect within 10s')), 10000);
+    edge.once('tunnelConnected', () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+  });
+
+  await edge.start({
+    hubHost: '127.0.0.1',
+    hubPort,
+    edgeId: 'test-edge',
+    secret: 'test-secret',
+    bindAddress: '127.0.0.1',
+    transportMode: 'quic',
+  });
+
+  await connectedPromise;
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  return {
+    hub,
+    edge,
+    edgePort,
+    cleanup: async () => {
+      await edge.stop();
+      await hub.stop();
+    },
+  };
+}
+
+function sendAndReceive(port: number, data: Buffer, timeoutMs = 30000): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    let totalReceived = 0;
+    const expectedLength = data.length;
+    let settled = false;
+
+    const client = net.createConnection({ host: '127.0.0.1', port }, () => {
+      client.write(data);
+      client.end();
+    });
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.destroy();
+        reject(new Error(`Timeout after ${timeoutMs}ms — received ${totalReceived}/${expectedLength} bytes`));
+      }
+    }, timeoutMs);
+
+    client.on('data', (chunk: Buffer) => {
+      chunks.push(chunk);
+      totalReceived += chunk.length;
+      if (totalReceived >= expectedLength && !settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.destroy();
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('end', () => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('error', (err) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        reject(err);
+      }
+    });
+  });
+}
+
+function sha256(buf: Buffer): string {
+  return crypto.createHash('sha256').update(buf).digest('hex');
+}
+
+// ---------------------------------------------------------------------------
+// QUIC Transport E2E Tests
+// ---------------------------------------------------------------------------
+
+let tunnel: TestTunnel;
+let echoServer: TrackingServer;
+let hubPort: number;
+let edgePort: number;
+
+tap.test('QUIC setup: start TCP echo server and QUIC tunnel', async () => {
+  [hubPort, edgePort] = await findFreePorts(2);
+
+  echoServer = await startEchoServer(edgePort, '127.0.0.2');
+  tunnel = await startQuicTunnel(edgePort, hubPort);
+
+  expect(tunnel.hub.running).toBeTrue();
+  const status = await tunnel.edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('QUIC: single TCP stream echo — 1KB', async () => {
+  const data = crypto.randomBytes(1024);
+  const hash = sha256(data);
+  const received = await sendAndReceive(edgePort, data, 10000);
+  expect(received.length).toEqual(1024);
+  expect(sha256(received)).toEqual(hash);
+});
+
+tap.test('QUIC: single TCP stream echo — 1MB', async () => {
+  const size = 1024 * 1024;
+  const data = crypto.randomBytes(size);
+  const hash = sha256(data);
+  const received = await sendAndReceive(edgePort, data, 30000);
+  expect(received.length).toEqual(size);
+  expect(sha256(received)).toEqual(hash);
+});
+
+tap.test('QUIC: single TCP stream echo — 16MB', async () => {
+  const size = 16 * 1024 * 1024;
+  const data = crypto.randomBytes(size);
+  const hash = sha256(data);
+  const received = await sendAndReceive(edgePort, data, 60000);
+  expect(received.length).toEqual(size);
+  expect(sha256(received)).toEqual(hash);
+});
+
+tap.test('QUIC: 10 concurrent TCP streams x 1MB each', async () => {
+  const streamCount = 10;
+  const payloadSize = 1024 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 30000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('QUIC: 50 concurrent TCP streams x 64KB each', async () => {
+  const streamCount = 50;
+  const payloadSize = 64 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 30000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('QUIC: 200 concurrent TCP streams x 16KB each', async () => {
+  const streamCount = 200;
+  const payloadSize = 16 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 60000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('QUIC: TCP tunnel still connected after all tests', async () => {
+  const status = await tunnel.edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('QUIC teardown: stop TCP tunnel and echo server', async () => {
+  await tunnel.cleanup();
+  await forceCloseServer(echoServer);
+});
+
+export default tap.start();

test/test.udp.node.ts

@@ -0,0 +1,284 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as dgram from 'dgram';
+import * as net from 'net';
+import * as crypto from 'crypto';
+import { RemoteIngressHub, RemoteIngressEdge } from '../ts/index.js';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+async function findFreePorts(count: number): Promise<number[]> {
+  const servers: net.Server[] = [];
+  const ports: number[] = [];
+  for (let i = 0; i < count; i++) {
+    const server = net.createServer();
+    await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
+    ports.push((server.address() as net.AddressInfo).port);
+    servers.push(server);
+  }
+  await Promise.all(servers.map((s) => new Promise<void>((resolve) => s.close(() => resolve()))));
+  return ports;
+}
+
+/**
+ * Start a UDP echo server that:
+ * 1. Receives the first datagram (PROXY v2 header — 28 bytes) and discards it
+ * 2. Echoes all subsequent datagrams back to the sender
+ */
+function startUdpEchoServer(port: number, host: string): Promise<dgram.Socket> {
+  return new Promise((resolve, reject) => {
+    const server = dgram.createSocket('udp4');
+    // Track which source endpoints have sent their PROXY v2 header.
+    // The hub sends a 28-byte PROXY v2 header as the first datagram per session.
+    const seenSources = new Set<string>();
+
+    server.on('message', (msg, rinfo) => {
+      const sourceKey = `${rinfo.address}:${rinfo.port}`;
+      if (!seenSources.has(sourceKey)) {
+        seenSources.add(sourceKey);
+        // First datagram from this source is the PROXY v2 header — skip it
+        return;
+      }
+      // Echo back
+      server.send(msg, rinfo.port, rinfo.address);
+    });
+
+    server.on('error', reject);
+    server.bind(port, host, () => resolve(server));
+  });
+}
+
+/**
+ * Send a UDP datagram through the tunnel and wait for the echo response.
+ */
+function udpSendAndReceive(
+  port: number,
+  data: Buffer,
+  timeoutMs = 10000,
+): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const client = dgram.createSocket('udp4');
+    let settled = false;
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.close();
+        reject(new Error(`UDP timeout after ${timeoutMs}ms`));
+      }
+    }, timeoutMs);
+
+    client.on('message', (msg) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.close();
+        resolve(msg);
+      }
+    });
+
+    client.on('error', (err) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.close();
+        reject(err);
+      }
+    });
+
+    client.send(data, port, '127.0.0.1');
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Test state
+// ---------------------------------------------------------------------------
+
+let hub: RemoteIngressHub;
+let edge: RemoteIngressEdge;
+let echoServer: dgram.Socket;
+let hubPort: number;
+let edgeUdpPort: number;
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+tap.test('UDP/TLS setup: start UDP echo server and TCP+TLS tunnel with UDP ports', async () => {
+  [hubPort, edgeUdpPort] = await findFreePorts(2);
+
+  // Start UDP echo server on upstream (127.0.0.2)
+  echoServer = await startUdpEchoServer(edgeUdpPort, '127.0.0.2');
+
+  hub = new RemoteIngressHub();
+  edge = new RemoteIngressEdge();
+
+  await hub.start({ tunnelPort: hubPort, targetHost: '127.0.0.2' });
+  await hub.updateAllowedEdges([
+    { id: 'test-edge', secret: 'test-secret', listenPorts: [], listenPortsUdp: [edgeUdpPort] },
+  ]);
+
+  const connectedPromise = new Promise<void>((resolve, reject) => {
+    const timeout = setTimeout(() => reject(new Error('Edge did not connect within 10s')), 10000);
+    edge.once('tunnelConnected', () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+  });
+
+  await edge.start({
+    hubHost: '127.0.0.1',
+    hubPort,
+    edgeId: 'test-edge',
+    secret: 'test-secret',
+    bindAddress: '127.0.0.1',
+  });
+
+  await connectedPromise;
+  // Wait for UDP listener to bind
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  const status = await edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('UDP/TLS: single UDP datagram echo — 64 bytes', async () => {
+  const data = crypto.randomBytes(64);
+  const received = await udpSendAndReceive(edgeUdpPort, data, 5000);
+  expect(received.length).toEqual(64);
+  expect(Buffer.compare(received, data)).toEqual(0);
+});
+
+tap.test('UDP/TLS: single UDP datagram echo — 1KB', async () => {
+  const data = crypto.randomBytes(1024);
+  const received = await udpSendAndReceive(edgeUdpPort, data, 5000);
+  expect(received.length).toEqual(1024);
+  expect(Buffer.compare(received, data)).toEqual(0);
+});
+
+tap.test('UDP/TLS: 10 sequential UDP datagrams', async () => {
+  for (let i = 0; i < 10; i++) {
+    const data = crypto.randomBytes(128);
+    const received = await udpSendAndReceive(edgeUdpPort, data, 5000);
+    expect(received.length).toEqual(128);
+    expect(Buffer.compare(received, data)).toEqual(0);
+  }
+});
+
+tap.test('UDP/TLS: 10 concurrent UDP datagrams from different source ports', async () => {
+  const promises = Array.from({ length: 10 }, () => {
+    const data = crypto.randomBytes(256);
+    return udpSendAndReceive(edgeUdpPort, data, 5000).then((received) => ({
+      sizeOk: received.length === 256,
+      dataOk: Buffer.compare(received, data) === 0,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || !r.dataOk);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('UDP/TLS: tunnel still connected after UDP tests', async () => {
+  const status = await edge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('UDP/TLS teardown: stop tunnel and UDP echo server', async () => {
+  await edge.stop();
+  await hub.stop();
+  await new Promise<void>((resolve) => echoServer.close(() => resolve()));
+});
+
+// ---------------------------------------------------------------------------
+// QUIC transport UDP tests
+// ---------------------------------------------------------------------------
+
+let quicHub: RemoteIngressHub;
+let quicEdge: RemoteIngressEdge;
+let quicEchoServer: dgram.Socket;
+let quicHubPort: number;
+let quicEdgeUdpPort: number;
+
+tap.test('UDP/QUIC setup: start UDP echo server and QUIC tunnel with UDP ports', async () => {
+  [quicHubPort, quicEdgeUdpPort] = await findFreePorts(2);
+
+  quicEchoServer = await startUdpEchoServer(quicEdgeUdpPort, '127.0.0.2');
+
+  quicHub = new RemoteIngressHub();
+  quicEdge = new RemoteIngressEdge();
+
+  await quicHub.start({ tunnelPort: quicHubPort, targetHost: '127.0.0.2' });
+  await quicHub.updateAllowedEdges([
+    { id: 'test-edge', secret: 'test-secret', listenPorts: [], listenPortsUdp: [quicEdgeUdpPort] },
+  ]);
+
+  const connectedPromise = new Promise<void>((resolve, reject) => {
+    const timeout = setTimeout(() => reject(new Error('QUIC edge did not connect within 10s')), 10000);
+    quicEdge.once('tunnelConnected', () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+  });
+
+  await quicEdge.start({
+    hubHost: '127.0.0.1',
+    hubPort: quicHubPort,
+    edgeId: 'test-edge',
+    secret: 'test-secret',
+    bindAddress: '127.0.0.1',
+    transportMode: 'quic',
+  });
+
+  await connectedPromise;
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  const status = await quicEdge.getStatus();
+  expect(status.connected).toBeTrue();
+});
+
+tap.test('UDP/QUIC: single UDP datagram echo — 64 bytes', async () => {
+  const data = crypto.randomBytes(64);
+  const received = await udpSendAndReceive(quicEdgeUdpPort, data, 5000);
+  expect(received.length).toEqual(64);
+  expect(Buffer.compare(received, data)).toEqual(0);
+});
+
+tap.test('UDP/QUIC: single UDP datagram echo — 1KB', async () => {
+  const data = crypto.randomBytes(1024);
+  const received = await udpSendAndReceive(quicEdgeUdpPort, data, 5000);
+  expect(received.length).toEqual(1024);
+  expect(Buffer.compare(received, data)).toEqual(0);
+});
+
+tap.test('UDP/QUIC: 10 sequential UDP datagrams', async () => {
+  for (let i = 0; i < 10; i++) {
+    const data = crypto.randomBytes(128);
+    const received = await udpSendAndReceive(quicEdgeUdpPort, data, 5000);
+    expect(received.length).toEqual(128);
+    expect(Buffer.compare(received, data)).toEqual(0);
+  }
+});
+
+tap.test('UDP/QUIC: 10 concurrent UDP datagrams', async () => {
+  const promises = Array.from({ length: 10 }, () => {
+    const data = crypto.randomBytes(256);
+    return udpSendAndReceive(quicEdgeUdpPort, data, 5000).then((received) => ({
+      sizeOk: received.length === 256,
+      dataOk: Buffer.compare(received, data) === 0,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || !r.dataOk);
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('UDP/QUIC teardown: stop QUIC tunnel and UDP echo server', async () => {
+  await quicEdge.stop();
+  await quicHub.stop();
+  await new Promise<void>((resolve) => quicEchoServer.close(() => resolve()));
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/remoteingress',
-  version: '4.8.14',
-  description: 'Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.'
+  version: '4.13.0',
+  description: 'Edge ingress tunnel for DcRouter - tunnels TCP and UDP traffic from the network edge to SmartProxy over TLS or QUIC, preserving client IP via PROXY protocol.'
 }

ts/classes.remoteingressedge.ts

@@ -15,6 +15,7 @@ type TEdgeCommands = {
       edgeId: string;
       secret: string;
       bindAddress?: string;
+      transportMode?: 'tcpTls' | 'quic' | 'quicWithFallback';
     };
     result: { started: boolean };
   };
@@ -40,6 +41,7 @@ export interface IEdgeConfig {
   edgeId: string;
   secret: string;
   bindAddress?: string;
+  transportMode?: 'tcpTls' | 'quic' | 'quicWithFallback';
 }
 
 const MAX_RESTART_ATTEMPTS = 10;
@@ -137,6 +139,7 @@ export class RemoteIngressEdge extends EventEmitter {
       edgeId: edgeConfig.edgeId,
       secret: edgeConfig.secret,
       ...(edgeConfig.bindAddress ? { bindAddress: edgeConfig.bindAddress } : {}),
+      ...(edgeConfig.transportMode ? { transportMode: edgeConfig.transportMode } : {}),
     });
 
     this.started = true;
@@ -233,6 +236,7 @@ export class RemoteIngressEdge extends EventEmitter {
         edgeId: this.savedConfig.edgeId,
         secret: this.savedConfig.secret,
         ...(this.savedConfig.bindAddress ? { bindAddress: this.savedConfig.bindAddress } : {}),
+        ...(this.savedConfig.transportMode ? { transportMode: this.savedConfig.transportMode } : {}),
       });
 
       this.started = true;

ts/classes.remoteingresshub.ts

@@ -22,7 +22,7 @@ type THubCommands = {
   };
   updateAllowedEdges: {
     params: {
-      edges: Array<{ id: string; secret: string; listenPorts?: number[]; stunIntervalSecs?: number }>;
+      edges: Array<{ id: string; secret: string; listenPorts?: number[]; listenPortsUdp?: number[]; stunIntervalSecs?: number }>;
     };
     result: { updated: boolean };
   };
@@ -50,7 +50,7 @@ export interface IHubConfig {
   };
 }
 
-type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; stunIntervalSecs?: number };
+type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; listenPortsUdp?: number[]; stunIntervalSecs?: number };
 
 const MAX_RESTART_ATTEMPTS = 10;
 const MAX_RESTART_BACKOFF_MS = 30_000;