In cloak vpn

Please sign in to use Codespaces.

[Amnezia VPN Features] – OpenVPN over Cloak

Hi all, this is the Amnezia VPN team and today we would like to introduce you to one of our unique features, namely implementation of OpenVPN with Cloak.

Cloak is a pluggable transport that creates a point-to-point tunnel and allows you to wrap OpenVPN, Shadowsocks and other connections into this tunnel. Cloak makes the VPN connection look like ordinary HTTPS (Internet) traffic that the user creates when he visits normal Web sites. If the censorship equipment wants to know where the user is going, it won’t get the address/domain of the VPN server but rather a Bing or Google site (it depends on what service the user specifies in the configuration rules).

Why do we use Cloak in Amnezia VPN? Censors have learned how to block different protocols, such as OpenVPN, WireGuard, IKEv2 and others, that’s why it was important for Amnezia VPN team to implement an OpenVPN setting in their client using such a tool that hides the fact of using VPN, namely the OpenVPN protocol.

Amnezia VPN takes care of all the technical aspects of setting up OpenVPN over Cloak – the user only has to enter Login:Password from the server and then the Amnezia application will make an SSH connection to the server and install everything you need for correct work.

Currently the following platforms support the implementation of OpenVPN over Cloak:

But that’s not all: Amnezia VPN is also going to implement OpenVPN over Cloak support in Android and iOS applications. Stay tuned!

Supported Amnezia VPN protocols

In cloak vpn

Об этой странице

Мы зарегистрировали подозрительный трафик, исходящий из вашей сети. С помощью этой страницы мы сможем определить, что запросы отправляете именно вы, а не робот. Почему это могло произойти?

Эта страница отображается в тех случаях, когда автоматическими системами Google регистрируются исходящие из вашей сети запросы, которые нарушают Условия использования. Страница перестанет отображаться после того, как эти запросы прекратятся. До этого момента для использования служб Google необходимо проходить проверку по слову.

Источником запросов может служить вредоносное ПО, подключаемые модули браузера или скрипт, настроенный на автоматических рассылку запросов. Если вы используете общий доступ в Интернет, проблема может быть с компьютером с таким же IP-адресом, как у вас. Обратитесь к своему системному администратору. Подробнее.

Проверка по слову может также появляться, если вы вводите сложные запросы, обычно распространяемые автоматизированными системами, или же вводите запросы очень часто.

Saved searches

Use saved searches to filter your results more quickly

Cancel Create saved search

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

cbeuw / Cloak Public

A censorship circumvention tool to evade detection by authoritarian state adversaries



This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Switch branches/tags
Branches Tags
Could not load branches
Nothing to show
Could not load tags
Nothing to show

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Cancel Create

  • Local
  • Codespaces

Use Git or checkout with SVN using the web URL.
Work fast with our official CLI. Learn more about the CLI.

Sign In Required

Please sign in to use Codespaces.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio Code

Your codespace will open once ready.

There was a problem preparing your codespace, please try again.

Latest commit

fcb600e Apr 23, 2023

Git stats


Failed to load latest commit information.

Latest commit message
Commit time
September 2, 2021 17:49
March 7, 2023 17:09
December 19, 2020 15:34
April 23, 2023 15:14
February 2, 2022 22:00
January 25, 2019 00:42
July 25, 2019 20:52
April 23, 2023 11:04
December 1, 2020 14:06
April 23, 2023 15:14
April 23, 2023 15:14
April 23, 2023 15:23

Cloak is a pluggable transport that enhances traditional proxy tools like OpenVPN to evade sophisticated censorship and data discrimination.

Cloak is not a standalone proxy program. Rather, it works by masquerading proxied traffic as normal web browsing activities. In contrast to traditional tools which have very prominent traffic fingerprints and can be blocked by simple filtering rules, it’s very difficult to precisely target Cloak with little false positives. This increases the collateral damage to censorship actions as attempts to block Cloak could also damage services the censor state relies on.

To any third party observer, a host running Cloak server is indistinguishable from an innocent web server. Both while passively observing traffic flow to and from the server, as well as while actively probing the behaviours of a Cloak server. This is achieved through the use a series of cryptographic steganography techniques.

Cloak can be used in conjunction with any proxy program that tunnels traffic through TCP or UDP, such as Shadowsocks, OpenVPN and Tor. Multiple proxy servers can be running on the same server host and Cloak server will act as a reverse proxy, bridging clients with their desired proxy end.

Cloak multiplexes traffic through multiple underlying TCP connections which reduces head-of-line blocking and eliminates TCP handshake overhead. This also makes the traffic pattern more similar to real websites.

Cloak provides multi-user support, allowing multiple clients to connect to the proxy server on the same port (443 by default). It also provides traffic management features such as usage credit and bandwidth control. This allows a proxy server to serve multiple users even if the underlying proxy software wasn’t designed for multiple users

Cloak also supports tunneling through an intermediary CDN server such as Amazon Cloudfront. Such services are so widely used, attempts to disrupt traffic to them can lead to very high collateral damage for the censor.

Quick Start

To quickly deploy Cloak with Shadowsocks on a server, you can run this script written by @HirbodBehnam

Table of Contents


git clone cd Cloak go get ./. make

Built binaries will be in build folder.


Examples of configuration files can be found under example_config folder.


RedirAddr is the redirection address when the incoming traffic is not from a Cloak client. Ideally it should be set to a major website allowed by the censor (e.g. )

BindAddr is a list of addresses Cloak will bind and listen to (e.g. [“:443″,”:80″] to listen to port 443 and 80 on all interfaces)

ProxyBook is an object whose key is the name of the ProxyMethod used on the client-side (case-sensitive). Its value is an array whose first element is the protocol, and the second element is an IP:PORT string of the upstream proxy server that Cloak will forward the traffic to.

< "ProxyBook": < "shadowsocks": [ "tcp", "localhost:51443" ], "openvpn": [ "tcp", "localhost:12345" ] > >

PrivateKey is the static curve25519 Diffie-Hellman private key encoded in base64.

BypassUID is a list of UIDs that are authorised without any bandwidth or credit limit restrictions

AdminUID is the UID of the admin user in base64. You can leave this empty if you only ever add users to BypassUID .

DatabasePath is the path to userinfo.db , which is used to store user usage information and restrictions. Cloak will create the file automatically if it doesn’t exist. You can leave this empty if you only ever add users to BypassUID . This field also has no effect if AdminUID isn’t a valid UID or is empty.

KeepAlive is the number of seconds to tell the OS to wait after no activity before sending TCP KeepAlive probes to the upstream proxy server. Zero or negative value disables it. Default is 0 (disabled).


UID is your UID in base64.

Transport can be either direct or CDN . If the server host wishes you to connect to it directly, use direct . If instead a CDN is used, use CDN .

PublicKey is the static curve25519 public key in base64, given by the server admin.

ProxyMethod is the name of the proxy method you are using. This must match one of the entries in the server’s ProxyBook exactly.

EncryptionMethod is the name of the encryption algorithm you want Cloak to use. Options are plain , aes-256-gcm ( synonymous to aes-gcm ), aes-128-gcm , and chacha20-poly1305 . Note: Cloak isn’t intended to provide transport security. The point of encryption is to hide fingerprints of proxy protocols and render the payload statistically random-like. You may only leave it as plain if you are certain that your underlying proxy tool already provides BOTH encryption and authentication (via AEAD or similar techniques).

ServerName is the domain you want to make your ISP or firewall think you are visiting. Ideally it should match RedirAddr in the server’s configuration, a major site the censor allows, but it doesn’t have to.

AlternativeNames is an array used alongside ServerName to shuffle between different ServerNames for every new connection. This may conflict with CDN Transport mode if the CDN provider prohibits domain fronting and rejects the alternative domains.

< "ServerName": "", "AlternativeNames": ["", ""] >

CDNOriginHost is the domain name of the origin server (i.e. the server running Cloak) under CDN mode. This only has effect when Transport is set to CDN . If unset, it will default to the remote hostname supplied via the commandline argument (in standalone mode), or by Shadowsocks (in plugin mode). After a TLS session is established with the CDN server, this domain name will be used in the Host header of the HTTP request to ask the CDN server to establish a WebSocket connection with this host.

CDNWsUrlPath is the url path used to build websocket request sent under CDN mode, and also only has effect when Transport is set to CDN . If unset, it will default to “/”. This option is used to build the first line of the HTTP request after a TLS session is extablished. It’s mainly for a Cloak server behind a reverse proxy, while only requests under specific url path are forwarded.

NumConn is the amount of underlying TCP connections you want to use. The default of 4 should be appropriate for most people. Setting it too high will hinder the performance. Setting it to 0 will disable connection multiplexing and each TCP connection will spawn a separate short-lived session that will be closed after it is terminated. This makes it behave like GoQuiet. This maybe useful for people with unstable connections.

BrowserSig is the browser you want to appear to be using. It’s not relevant to the browser you are actually using. Currently, chrome , firefox and safari are supported.

KeepAlive is the number of seconds to tell the OS to wait after no activity before sending TCP KeepAlive probes to the Cloak server. Zero or negative value disables it. Default is 0 (disabled). Warning: Enabling it might make your server more detectable as a proxy, but it will make the Cloak client detect internet interruption more quickly.

StreamTimeout is the number of seconds of Cloak waits for an incoming connection from a proxy program to send any data, after which the connection will be closed by Cloak. Cloak will not enforce any timeout on TCP connections after it is established.



  1. Install at least one underlying proxy server (e.g. OpenVPN, Shadowsocks).
  2. Download the latest release or clone and build this repo.
  3. Run ck-server -key . The public should be given to users, the private key should be kept secret.
  4. (Skip if you only want to add unrestricted users) Run ck-server -uid . The new UID will be used as AdminUID .
  5. Copy example_config/ckserver.json into a desired location. Change PrivateKey to the private key you just obtained; change AdminUID to the UID you just obtained.
  6. Configure your underlying proxy server so that they all listen on localhost. Edit ProxyBook in the configuration file accordingly
  7. Configure the proxy program. Run sudo ck-server -c . ck-server needs root privilege because it binds to a low numbered port (443). Alternatively you can follow to avoid granting ck-server root privilege unnecessarily.

To add users

Unrestricted users

Run ck-server -uid and add the UID into the BypassUID field in ckserver.json

Users subject to bandwidth and credit controls
  1. First make sure you have AdminUID generated and set in ckserver.json , along with a path to userinfo.db in DatabasePath (Cloak will create this file for you if it didn’t already exist).
  2. On your client, run ck-client -s -l -a -c to enter admin mode
  3. Visit (Note: this is a pure-js static site, there is no backend and all data entered into this site are processed between your browser and the Cloak API endpoint you specified. Alternatively you can download the repo at and open index.html in a browser. No web server is required).
  4. Type in as the API Base, and click List .
  5. You can add in more users by clicking the + panel

Note: the user database is persistent as it’s in-disk. You don’t need to add the users again each time you start ck-server.


Android client is available here:

  1. Install the underlying proxy client corresponding to what the server has.
  2. Download the latest release or clone and build this repo.
  3. Obtain the public key and your UID from the administrator of your server
  4. Copy example_config/ckclient.json into a location of your choice. Enter the UID and PublicKey you have obtained. Set ProxyMethod to match exactly the corresponding entry in ProxyBook on the server end
  5. Configure the proxy program. Run ck-client -c -s

Support me

If you find this project useful, you can visit my merch store; alternatively you can donate directly to me