QUIC on port with firewall - is same port required?


(Łukasz Nowak) #1

Hello,

I am using caddy v0.11.1 and I succeeded in connecting to it with QUIC using Chrome on an unprivileged port (:11443). It shows the proper information in the headers:

Alt-Svc: quic=":11443"; ma=2592000; v="44,43,39"

The problem I am facing is that I am using iptables to redirect tcp:443 to tcp:11443, and allowing access to udp:11443, as QUIC is advertised. It works perfectly for HTTPS over TCP, but it does not work with QUIC.

I did two additional tricks with iptables:

  • redirected udp:443 to udp:11443
  • opened tcp:11443

With Lucas’ quic clients I can connect to my site just by doing: client-linux-debug --host=<localip> https://example.com/ and also by using the port directly with --port, be it 443 or 11443.

But Chrome does not work when connecting to tcp:443 (as QUIC is advertised on udp:11443, I expect Chrome to connect there); I have to force it to connect to tcp:11443 (like https://example.com:11443/), and then it connects correctly to udp:11443.

My certificates are valid.

Gah, I hope I explained my problem well.

So the question is: despite advertising QUIC on port :11443, when connecting to :443, is it required by Chrome/the spec to serve QUIC on the same port as TCP?

Regards,
Łukasz
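As an added example (not part of this post, and not Caddy's code), here is a small Python parser for the Alt-Svc header syntax of RFC 7838, applied to the header quoted above: the alt-authority `":11443"` has an empty host, which the RFC defines as "the same host as the origin", so the advertised alternative resolves to the origin's host on port 11443 independently of the TCP port the page was fetched from. The `v` parameter is Google's QUIC version list rather than a standard RFC 7838 parameter, and example.com is the host name used in the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

@dataclass
class AltService:
    protocol_id: str
    host: str             # empty string means "same host as the origin" (RFC 7838 §3)
    port: int
    max_age: int = 86400  # RFC 7838 default when "ma" is absent
    params: Dict[str, str] = field(default_factory=dict)  # extra params, e.g. Google QUIC "v"

    def resolve(self, origin_url: str) -> Tuple[str, int]:
        # Host and port a client would contact for this alternative of origin_url
        return (self.host or urlsplit(origin_url).hostname, self.port)

def _split_outside_quotes(s: str, sep: str) -> List[str]:
    # Split on sep, but not inside quoted-strings (v="44,43,39" contains commas);
    # backslash escapes inside quoted-strings are not handled here
    parts, buf, in_quote = [], "", False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append(buf); buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]

def _unquote(s: str) -> str:
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_alt_svc(header: str) -> List[AltService]:
    # Parse one Alt-Svc header value into the alternatives it advertises
    if header.strip() == "clear":       # origin revokes all cached alternatives
        return []
    services = []
    for value in _split_outside_quotes(header, ","):
        fields = _split_outside_quotes(value, ";")
        proto, _, authority = fields[0].partition("=")
        host, _, port = _unquote(authority).rpartition(":")   # alt-authority = [host] ":" port
        params = {}
        for p in fields[1:]:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = _unquote(v)
        max_age = int(params.pop("ma", 86400))
        services.append(AltService(proto.strip(), host, int(port), max_age, params))
    return services

POST_HEADER = 'quic=":11443"; ma=2592000; v="44,43,39"'  # the header shown in the post
```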