Cloak obfuscation: setup and connection in 2026
If the provider cuts WireGuard or OpenVPN by DPI — a common story for Russian networks in 2026 — Cloak obfuscation: setup and connection becomes not an optional topic, but a necessity. This article is a technical breakdown without fluff: how Cloak works, how to set up a server, connect a client on Android/iOS/Windows, and figure out why the connection is not established.
What is Cloak and why is traffic obfuscation needed
Cloak is a pluggable transport, meaning a transport wrapper. It does not replace a VPN and is not a proxy by itself. Its task is to take Shadowsocks or OpenVPN traffic and package it so that it looks like a regular TLS request to some website from the outside.
Without obfuscation, DPI equipment sees the characteristic patterns of WireGuard or OpenVPN handshakes and cuts the connection. With Cloak, the traffic looks like HTTPS to some ordinary site, call it example.com. The provider sees legitimate TLS and lets it through — and inside rides your VPN tunnel.
How DPI recognizes VPN traffic
Deep Packet Inspection works based on several signs at once. First, protocol signatures: WireGuard has a specific handshake format, OpenVPN has a characteristic TLS-ClientHello with non-standard cipher suites. Second, packet entropy: encrypted VPN traffic has very high entropy, which distinguishes it from real HTTPS, where part of the data is predictable.
Roskomnadzor has been actively using TSPU — technical means of countering threats — since 2023. These systems can not only look at the port but also analyze the behavior of the connection, timings, and packet lengths. That is why "changing the port" no longer helps, and full masking is needed.
The principle of Cloak's operation: masking as regular HTTPS/TLS
Cloak establishes a TLS session in which the ClientHello looks like a browser request. The ServerName (SNI) points to a real existing site. At the same time, the Cloak server (ck-server) can redirect "outsiders" — those who connect without the correct UID — to the real cover site. This is called RedirAddr, and it is an important part of the masking that many ignore.
Inside the TLS session goes your Shadowsocks or OpenVPN. On the outside — regular web traffic. DPI systems see correct TLS to a known domain and do not touch the connection.
How Cloak differs from Shadowsocks, VLESS/XRay, and Amnezia (AmneziaWG)
This is an honest comparison, without declaring a winner.
Cloak — a universal wrapper over Shadowsocks or OpenVPN. Requires its own domain and VPS. Works well where Reality is not available. Supported on most platforms through plugins.
VLESS+Reality (XRay) — simulates the TLS handshake of a foreign site, your domain is not needed. Built into the core of XRay/Sing-box. Better protected against active probing than basic Shadowsocks, but setup is more complex.
AmneziaWG — a modified WireGuard with header randomization. Easier to set up, faster in terms of speed, but less universal against deep DPI, because the traffic behavior still differs from HTTPS.
What to choose depends on your provider, equipment, and technical training. Cloak wins where there is already a working Shadowsocks server and a quick overlay is needed.
What you need before setup: server, keys, and client
Before moving on to the commands, you need to make sure you have everything necessary. Skipping any point is the most common reason why the connection is not established on the first try.
Requirements for the server and domain
You need a VPS outside of Russia with a clean IPv4 address. Minimum requirements — 512 MB RAM, Ubuntu 22.04 or Debian 12. Port 443 must be open and not occupied by other services.
A domain or redirect address for masking is desirable but not strictly necessary. Without it, Cloak works, but active probing by the provider will detect that there is no real site behind "HTTPS." For RedirAddr, any large TLS site will do — as long as it is not blocked by Roskomnadzor. For example, www.bing.com:443 or www.kernel.org:443.
If you don't want to set up your own VPS — there are ready-made services with obfuscation support, such as NvoVPN, where the infrastructure is already set up and you get ready connection parameters.
Generating public and private keys (ck-server, ck-client)
Cloak uses its own scheme on Curve25519. Keys are generated by the utility ck-server:
ck-server -key
The output will be approximately as follows:
Your public key is: AAAA...BBBB=
The public key is entered in the client config (field PublicKey). The private key stays only on the server; it is never published or transmitted anywhere. If you lose the private key, generate a new pair.
UID is a separate user identifier. It is generated by the command:
ck-server -uid
Each user has their own UID. This allows revoking access for a specific client without changing keys.
Transport selection: Cloak + Shadowsocks or Cloak + OpenVPN
Cloak + Shadowsocks is the recommended combination. It is natively supported in Android applications (Shadowsocks + Cloak plugin from F-Droid), easier to configure, and has lower overhead.
Cloak + OpenVPN works, but the configuration is more complex: you need to run OpenVPN on a local port, and Cloak redirects traffic to it. This is feasible on Windows, but on mobile platforms there are limitations.
Step-by-step setup of the Cloak server (ck-server)
Installing ck-server on Linux VPS
Log into the server via SSH. Download the latest release from GitHub (at the time of writing this is v2.7.0):
wget https://github.com/cbeuw/Cloak/releases/download/v2.7.0/ck-server-linux-amd64-v2.7.0
Before installation, make sure that port 443 is free:
ss -tlnp | grep :443
If nginx or Apache is running there, either move them to another port or configure port forwarding through them (more complex). The cleanest option is to use 443 only for Cloak.
Config file and ProxyBook setup
Create a directory and config file:
mkdir /etc/cloak
Example config (placeholders instead of real values):
{
ProxyBook tells Cloak where to send the traffic — in this case to Shadowsocks on local port 8388. RedirAddr — the address to which all "foreign" connections without the correct UID are sent. This is a critical setting for masking.
The user file is created separately:
ck-server -u -dbPath /etc/cloak/userinfo.db -uid YOUR_UID -bandwidth 0 -bypass false -expiry 0
Running as a systemd service and checking port 443
Create a unit file:
nano /etc/systemd/system/cloak-server.service
[Unit]
systemctl daemon-reload
If the status shows active (running), the service is up. Check the port:
ss -tlnp | grep :443
You should see ck-server on 0.0.0.0:443. If it is not there — see journalctl -u cloak-server -n 50.
Setting up RedirAddr to disguise as a real site
This is the place where most manuals are silent, and then they are surprised that DPI still detects the traffic. Without a correct RedirAddr, Cloak simply hangs or returns an empty response when connecting without UID. Active probing from the provider will notice this immediately.
RedirAddr must point to a live HTTPS site that is not blocked in Russia. Check before setting up: curl -I https://www.kernel.org — should return 200 or 301, not a timeout.
Corporate and school networks with MITM interception of TLS completely break this disguise — there Cloak will not help because the network itself decrypts TLS and sees the content. This is not a bug of Cloak, but a limitation of the approach itself.
Client connection: Android, iPhone/iOS, Windows, Mac, and routers
Android: Shadowsocks + Cloak plugin
On Android, this works the cleanest. You install two applications: Shadowsocks from F-Droid or Google Play, and the plugin Cloak Plugin for Android (also available on F-Droid, package com.github.shadowsocks.plugin.ck).
In the Shadowsocks profile settings:
- Server: IP of your VPS
- Port: 443
- Password: Shadowsocks password
- Encryption method: aes-256-gcm or chacha20-ietf-poly1305
- Plugin: select Cloak
In the plugin options, enter a string like:
UID=YOUR_UID;PublicKey=YOUR_PUBLIC_KEY;ServerName=www.kernel.org;BrowserSig=chrome;NumConn=4
NumConn=4 — the number of parallel TLS connections. On mobile, it's better not to set more than 4, otherwise the battery drains faster without a noticeable speed increase.
iPhone/iOS: clients with obfs/Cloak support
On iOS, the choice of clients is noticeably narrower. The App Store in Russia is periodically cleaned, so the situation changes. At the time of writing, working options are Shadowrocket (paid, $2.99, App Store account from another country) or Sing-Box.
In Shadowrocket, add a server of type Shadowsocks, in the Plugin field select cloak, and enter the same parameters. The interface is less convenient than on Android, but it works.
On Apple TV, Cloak cannot be installed directly — there is no support for third-party applications with VPN extensions. The only option is to share an already obfuscated connection from the router.
Windows and Mac: ck-client and integration with Shadowsocks
Download the binary ck-client for your platform from the same GitHub repository. The client config (ckclient.json):
{
Run:
ck-client -c ckclient.json -s YOUR_VPS_IP -p 443 -l 1984 -i
This raises a local SOCKS5 on port 1984, through which the Shadowsocks client (for example, Shadowsocks-Windows or Outline in manual mode) connects to the server.
Conflict with an already active system VPN is a common issue on Windows. If you have WireGuard or another VPN running, ck-client may not raise SOCKS5 or reach the server. Disable the other VPN before starting.
Routers (OpenWrt) and Smart TV / Apple TV: limitations and workarounds
On OpenWrt, you can install ck-client directly — there are builds for MIPS and ARM. The config is the same, launched via init.d or procd. Traffic from the router passes through Cloak transparently for all connected devices, including Smart TVs and consoles.
But: if the router is from the provider and you cannot install the firmware — there are no options. You need a separate router with OpenWrt or an equivalent like GL.iNet with built-in plugin support.
Mobile operators with transparent proxies sometimes cut connections on port 443 if they notice unusual behavior of the TLS session. In this case, try BrowserSig: "firefox" instead of "chrome" — the emulation is slightly different.
Checking functionality and speed test after obfuscation
How to ensure that the traffic is indeed being masked
Basic check: open 2ip.ru or whoer.net — it should show the IP of your VPS, not your home one. Check access to blocked resources: Instagram, Twitter/X, YouTube (if restricted by your provider), Telegram.
More technically: run Wireshark on your machine and look at the traffic to the server. You should see TLS connections on port 443 with the SNI of your ServerName. No OpenVPN handshake, no WireGuard UDP packets — everything looks like browser HTTPS.
Against active probing: the provider can connect to your server on 443 and check what’s there. If RedirAddr is configured correctly — the provider will get redirected to the real site and won’t see anything suspicious.
Real speed drop due to obfuscation
Honestly: Cloak is slower than pure WireGuard. This is a fact, and it should not be hidden.
Overhead from the TLS wrapper, from several parallel connections (NumConn), from additional Shadowsocks encryption over TLS — all this consumes part of the bandwidth and increases latency. How much exactly depends on your server, its load, the distance to it, and the provider. I won't make up specific numbers.
Method for self-measurement: go to speedtest.net or fast.com, run a test without VPN, record the result. Then connect Cloak and run the test again. The difference is your real overhead on your route.
What to do when there is throttling from the provider
If the provider applies shaping — intentional throttling — try reducing NumConn to 2. Sometimes too many parallel TLS connections from one address look suspicious.
It is also worth checking whether the provider applies blocking by SNI. If your ServerName (for example, www.bing.com) itself is blocked by Roskomnadzor — Cloak will work incorrectly because the connection to a blocked domain is suspicious in itself. Change the ServerName to an unblocked domain.
Typical connection errors and their solutions
TLS handshake error and key mismatch
Symptom: the connection hangs at the session establishment stage, the client shows TLS handshake failed or just a timeout.
The first candidate is an incorrect PublicKey in the client config. Check byte by byte: Cloak keys are base64 strings, any extra letter or space breaks everything. Copy the key directly from the output of ck-server -key, do not retype it manually.
The second candidate is an incorrect UID. Make sure that the UID in the client config matches the one added to the server's user database (userinfo.db).
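A small linter for the plugin option string from the Android section (UID=...;PublicKey=...;ServerName=...;BrowserSig=...;NumConn=...), added here as an example that is not part of the original article or the Cloak project. It catches exactly the faults this section describes: a key or UID that is not valid base64 of the right length (32 bytes for a Curve25519 public key, 16 bytes for a UID), stray whitespace from copy-paste, a ServerName that is not a bare hostname, and a NumConn above the article's mobile advice. The sample key and UID are constructed all-zero values, and the accepted BrowserSig set is assumed to be just the two values the article names.

```python
import base64
import binascii
import re

# Constructed sample values (all-zero bytes), NOT real keys: a Cloak PublicKey is a
# 32-byte Curve25519 point and a UID is 16 bytes, both carried as base64 strings.
SAMPLE_PUBKEY = base64.b64encode(bytes(32)).decode()  # 44 characters
SAMPLE_UID = base64.b64encode(bytes(16)).decode()     # 24 characters

# A bare hostname: labels separated by dots, no scheme, no port.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Assumption: only the two BrowserSig values the article names are accepted here.
BROWSER_SIGS = {"chrome", "firefox"}
MOBILE_MAX_NUMCONN = 4  # the article's advice for phones


def parse_plugin_options(opts):
    """Split a 'Key=Value;Key=Value' plugin string into a dict (values kept raw)."""
    fields = {}
    for pair in filter(None, opts.split(";")):
        if "=" not in pair:
            raise ValueError(f"malformed option: {pair!r}")
        key, value = pair.split("=", 1)
        fields[key] = value
    return fields


def _decoded_len(value):
    """Byte length of a strict base64 string, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def check_plugin_options(opts):
    """Return a list of problems in a Cloak plugin option string; empty list means OK."""
    problems = []
    if any(ch.isspace() for ch in opts):
        problems.append("whitespace inside the option string (paste artefact)")
    fields = parse_plugin_options(opts)
    for key, expected in (("PublicKey", 32), ("UID", 16)):
        if key not in fields:
            problems.append(f"{key} is missing")
        elif _decoded_len(fields[key]) != expected:
            problems.append(f"{key} is not valid base64 of exactly {expected} bytes")
    host = fields.get("ServerName", "")
    if not HOSTNAME_RE.match(host.lower()):
        problems.append(f"ServerName {host!r} is not a plain hostname (no scheme/port)")
    if fields.get("BrowserSig", "chrome") not in BROWSER_SIGS:
        problems.append(f"BrowserSig {fields['BrowserSig']!r} is not chrome/firefox")
    numconn = fields.get("NumConn", "4")
    if not numconn.isdigit() or not 1 <= int(numconn) <= MOBILE_MAX_NUMCONN:
        problems.append(f"NumConn={numconn!r}: expected 1..{MOBILE_MAX_NUMCONN} on mobile")
    return problems
```

Run check_plugin_options on the string you are about to paste into the plugin field; an empty list means the only remaining suspects are the server side (user database, time sync, SNI blocking).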
Desynchronization of system time
This is one of the most underrated causes of errors that most manuals do not mention. Cloak checks the timestamp in the handshake. If the difference between the time on the client and the server is more than a few minutes — the session is rejected.
On the server, check:
timedatectl status
NTP should be synchronized. If not:
systemctl enable --now systemd-timesyncd
On Android, the clock is usually synchronized automatically. On Windows — check via w32tm /query /status.
The provider blocks by SNI / ServerName
If the ServerName in your config points to a blocked domain — DPI cuts the TLS connection before the session is established. Cloak won't help because SNI is transmitted in clear text in ClientHello.
Solution: change the ServerName to a domain that is definitely not blocked in Russia. Check via curl -I https://your-domain.com from a Russian IP (you can do this through a mobile operator without VPN).
There is a connection, but no access to the internet
The Cloak tunnel has been established, the IP address has changed, but the sites do not open. This is not a problem with Cloak, but with the transport inside — Shadowsocks or OpenVPN.
Check: is the Shadowsocks server running on port 8388 locally:
ss -tlnp | grep 8388
Check DNS: sometimes when tunneling, DNS requests do not go through the VPN. In the Shadowsocks client, enable Remote DNS or explicitly specify 8.8.8.8 in the settings.
If there is a double VPN — an already active WireGuard or corporate VPN — there is a routing conflict. You cannot have two tunnels with a default route simultaneously. Disable one or configure split tunneling.
Frequently asked questions
How does Cloak differ from VLESS+Reality and AmneziaWG?
Cloak is a wrapper over Shadowsocks or OpenVPN, masking traffic under TLS and requiring its own domain. Reality is built into XRay/Sing-box and simulates TLS of a foreign domain without the need to control it — technically more elegant, but more complex to configure. AmneziaWG modifies the WireGuard handshake itself, randomizing headers, which is easier to configure but less effective against deep traffic behavior analysis. Each has its strengths against specific DPI methods — there is no universal winner.
Is a dedicated server needed for Cloak?
For full control — yes, a VPS with ck-server installed is needed, and preferably a domain for RedirAddr. This provides maximum flexibility but requires technical literacy and time. An alternative is ready-made services with obfuscation support, where everything is already configured on the provider's side, and you only receive the connection parameters.
Does Cloak slow down the internet?
Yes, it slows down. The TLS wrapper, several parallel connections, and double encryption add overhead. How much exactly depends on the server, the distance to it, and your provider. The best way to know your real numbers is to compare Speedtest before and after connecting yourself.
Why is the connection to Cloak not established?
The most common reasons: incorrect PublicKey or UID (check byte by byte, without spaces), desynchronization of system time between the client and server (a difference of more than a few minutes — the session is rejected), blocked ServerName by SNI (change to an unblocked domain), incorrect port or conflict with another active VPN. Detailed analysis is in the error section above.
Does Cloak work on iPhone and Apple TV?
On iOS — via Shadowrocket or Sing-Box, both support the Cloak plugin, but the choice of applications is smaller than on Android. Cloak cannot be installed directly on Apple TV — there is no support for VPN plugins. The only option is a router with OpenWrt and configured Cloak, which distributes the already obfuscated connection to all connected devices.
Does Cloak bypass blocks on YouTube, Instagram, and Telegram?
Cloak itself does not bypass blocks on specific sites — it masks the VPN channel from the provider's DPI so that it does not cut the VPN protocol itself. Access to YouTube, Instagram, TikTok, Twitter/X, and Telegram is provided by the VPN tunnel (Shadowsocks or OpenVPN), which goes over Cloak. The scheme works like this: the provider sees regular HTTPS and does not cut the connection, while inside the tunnel you get full access to blocked resources.