Cloak is a pluggable transport that enhances traditional proxy tools like OpenVPN to evade sophisticated censorship and data discrimination.
Cloak is not a standalone proxy program. Rather, it works by masquerading proxied traffic as normal web browsing activities. In contrast to traditional tools which have very prominent traffic fingerprints and can be blocked by simple filtering rules, it’s very difficult to precisely target Cloak with little false positives. This increases the collateral damage to censorship actions as attempts to block Cloak could also damage services the censor state relies on.
To any third party observer, a host running Cloak server is indistinguishable from an innocent web server. Both while passively observing traffic flow to and from the server, as well as while actively probing the behaviours of a Cloak server. This is achieved through the use a series of cryptographic steganography techniques.
Cloak can be used in conjunction with any proxy program that tunnels traffic through TCP or UDP, such as Shadowsocks, OpenVPN and Tor. Multiple proxy servers can be running on the same server host and Cloak server will act as a reverse proxy, bridging clients with their desired proxy end.
Cloak multiplexes traffic through multiple underlying TCP connections which reduces head-of-line blocking and eliminates TCP handshake overhead. This also makes the traffic pattern more similar to real websites.
Cloak provides multi-user support, allowing multiple clients to connect to the proxy server on the same port (443 by default). It also provides traffic management features such as usage credit and bandwidth control. This allows a proxy server to serve multiple users even if the underlying proxy software wasn’t designed for multiple users
Cloak also supports tunneling through an intermediary CDN server such as Amazon Cloudfront. Such services are so widely used, attempts to disrupt traffic to them can lead to very high collateral damage for the censor.
git clone https://github.com/cbeuw/Cloak
cd Cloak
go get ./…
make
Examples of configuration files can be found under example_config
folder.
RedirAddr
is the redirection address when the incoming traffic is not from a Cloak client. Ideally it should be set to a major website allowed by the censor (e.g. www.bing.com
)
BindAddr
is a list of addresses Cloak will bind and listen to (e.g. [":443",":80"]
to listen to port 443 and 80 on all interfaces)
ProxyBook
is an object whose key is the name of the ProxyMethod used on the client-side (case-sensitive). Its value is an array whose first element is the protocol, and the second element is an IP:PORT
string of the upstream proxy server that Cloak will forward the traffic to.
Example:
{
“ProxyBook”: {
“shadowsocks”: [
“tcp”,
“localhost:51443”
],
“openvpn”: [
“tcp”,
“localhost:12345”
]
}
}
PrivateKey
is the static curve25519 Diffie-Hellman private key encoded in base64.
BypassUID
is a list of UIDs that are authorised without any bandwidth or credit limit restrictions
AdminUID
is the UID of the admin user in base64. You can leave this empty if you only ever add users to BypassUID
.
DatabasePath
is the path to userinfo.db
, which is used to store user usage information and restrictions. Cloak will create the file automatically if it doesn’t exist. You can leave this empty if you only ever add users to BypassUID
. This field also has no effect if AdminUID
isn’t a valid UID or is empty.
KeepAlive
is the number of seconds to tell the OS to wait after no activity before sending TCP KeepAlive probes to the upstream proxy server. Zero or negative value disables it. Default is 0 (disabled).
UID
is your UID in base64.
Transport
can be either direct
or CDN
. If the server host wishes you to connect to it directly, use direct
. If instead a CDN is used, use CDN
.
PublicKey
is the static curve25519 public key in base64, given by the server admin.
ProxyMethod
is the name of the proxy method you are using. This must match one of the entries in the server’s ProxyBook
exactly.
EncryptionMethod
is the name of the encryption algorithm you want Cloak to use. Options are plain
, aes-256-gcm
( synonymous to aes-gcm
), aes-128-gcm
, and chacha20-poly1305
. Note: Cloak isn’t intended to provide transport security. The point of encryption is to hide fingerprints of proxy protocols and render the payload statistically random-like. You may only leave it as plain
if you are certain that your underlying proxy tool already provides BOTH encryption and authentication (via AEAD or similar techniques).
ServerName
is the domain you want to make your ISP or firewall think you are visiting. Ideally it should match RedirAddr
in the server’s configuration, a major site the censor allows, but it doesn’t have to.
AlternativeNames
is an array used alongside ServerName
to shuffle between different ServerNames for every new connection. This may conflict with CDN
Transport mode if the CDN provider prohibits domain fronting and rejects the alternative domains.
Example:
{
“ServerName”: “bing.com”,
“AlternativeNames”: [“cloudflare.com”, “github.com”]
}
CDNOriginHost
is the domain name of the origin server (i.e. the server running Cloak) under CDN
mode. This only has effect when Transport
is set to CDN
. If unset, it will default to the remote hostname supplied via the commandline argument (in standalone mode), or by Shadowsocks (in plugin mode). After a TLS session is established with the CDN server, this domain name will be used in the HTTP request to ask the CDN server to establish a WebSocket connection with this host.
NumConn
is the amount of underlying TCP connections you want to use. The default of 4 should be appropriate for most people. Setting it too high will hinder the performance. Setting it to 0 will disable connection multiplexing and each TCP connection will spawn a separate short-lived session that will be closed after it is terminated. This makes it behave like GoQuiet. This maybe useful for people with unstable connections.
BrowserSig
is the browser you want to appear to be using. It’s not relevant to the browser you are actually using. Currently, chrome
and firefox
are supported.
KeepAlive
is the number of seconds to tell the OS to wait after no activity before sending TCP KeepAlive probes to the Cloak server. Zero or negative value disables it. Default is 0 (disabled). Warning: Enabling it might make your server more detectable as a proxy, but it will make the Cloak client detect internet interruption more quickly.
StreamTimeout
is the number of seconds of Cloak waits for an incoming connection from a proxy program to send any data, after which the connection will be closed by Cloak. Cloak will not enforce any timeout on TCP connections after it is established.
ck-server -key
. The public should be given to users, the private key should be kept secret.ck-server -uid
. The new UID will be used as AdminUID
.PrivateKey
to the private key you just obtained; change AdminUID
to the UID you just obtained.ProxyBook
in the configuration file accordinglysudo ck-server -c <path to ckserver.json>
. ck-server needs root privilege because it binds to a low numbered port (443). Alternatively you can follow https://superuser.com/a/892391 to avoid granting ck-server root privilege unnecessarily.Run ck-server -uid
and add the UID into the BypassUID
field in ckserver.json
AdminUID
generated and set in ckserver.json
, along with a path to userinfo.db
in DatabasePath
(Cloak will create this file for you if it didn’t already exist).ck-client -s <IP of the server> -l <A local port> -a <AdminUID> -c <path-to-ckclient.json>
to enter admin modeindex.html
in a browser. No web server is required).127.0.0.1:<the port you entered in step 1>
as the API Base, and click List
.+
panelNote: the user database is persistent as it’s in-disk. You don’t need to add the users again each time you start ck-server.
Android client is available here: https://github.com/cbeuw/Cloak-android
example_config/ckclient.json
into a location of your choice. Enter the UID
and PublicKey
you have obtained. Set ProxyMethod
to match exactly the corresponding entry in ProxyBook
on the server endck-client -c <path to ckclient.json> -s <ip of your server>
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…