[GH-ISSUE #206] Wireguard + Cloak not connecting #166

Open
opened 2026-02-26 12:34:10 +03:00 by kerem · 5 comments
Owner

Originally created by @Imfae on GitHub (Oct 29, 2022).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/206

Issue Description

I've set up Wireguard + Cloak on a Debian 11 cloud server (Vultr) and connected it to my Windows 10 machine. The VPN works occasionally, but most of the time, it doesn't, and the Wireguard client logs uncompleted handshakes.

To Reproduce

Set up Wireguard + Cloak server/client following instructions here: https://www.oilandfish.com/posts/wireguard-cloak.html

Expected Behavior

Traffic successfully tunneled between pc and server and encrypted by Wireguard and obfuscated by Cloak.

Additional Information

Two events can be observed after activating Wireguard client:

  1. (Expected but rare) Wireguard connects and performs handshake with remote peer. Traffic from and to server successfully tunneled.
  2. Wireguard client records sending but not receiving handshakes. No connection (and certainly no Internet) between pc and server, even though Wireshark records Cloaked traffic to and from server. I tentatively hypothesize that the issue occurs when packets are returned to my pc.

Full log

Iptables log on port wireguard server is listening:

Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=176 TOS=0x00 PREC=0x0>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=140 TOS=0x00 PREC=0x0>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=108 TOS=0x00 PREC=0x0>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=108 TOS=0x00 PREC=0x0>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=140 TOS=0x00 PREC=0x0>
Oct 29 14:41:04 spacestone kernel: wireguard iptables: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127>

Output of ck-client.exe -u -c ck-client.json -s XX.XX.XX.XX:

time="2022-10-29T23:06:38+08:00" level=info msg="Starting standalone mode"
time="2022-10-29T23:06:38+08:00" level=info msg="Listening on UDP 127.0.0.1:1984 for wireguard client"
time="2022-10-29T23:06:42+08:00" level=info msg="Attempting to start a new session"
time="2022-10-29T23:06:42+08:00" level=info msg="Session 1578975802 established"

Output of systemctl status cloak:

ESCOD
● cloak.service - Cloak Server
     Loaded: loaded (/lib/systemd/system/cloak.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-10-29 12:28:52 UTC; 2h 54min ago
   Main PID: 13290 (ck-server)
      Tasks: 4 (limit: 527)
     Memory: 2.3M
        CPU: 120ms
     CGroup: /system.slice/cloak.service
             └─13290 /usr/local/bin/ck-server -c /etc/cloak/ckserver.json

9T14:14:46Z" level=warning msg="error reading first packet: unrecognised protocol" remoteAddr="43.153.208.98:44054"
9T14:14:57Z" level=warning msg="error reading first packet: unrecognised protocol" remoteAddr="43.153.208.98:56152"
9T14:41:03Z" level=info msg="New session" UID="X" sessionID=3942735673
9T14:41:40Z" level=info msg="New session" UID="X" sessionID=3958390639
9T14:42:10Z" level=info msg="Session closed" UID="X" reason=timeout sessionID=3958390639
9T14:44:05Z" level=info msg="Session closed" UID="X" reason="a connection has dropped unexpected>
9T14:44:05Z" level=info msg="Terminating active user" UID="X" reason="no session left"
9T15:06:42Z" level=info msg="New session" UID="X" sessionID=1578975802
9T15:07:10Z" level=info msg="Session closed" UID="X" reason="a connection has dropped unexpected>
9T15:07:10Z" level=info msg="Terminating active user" UID="X" reason="no session left"

@Imfae commented on GitHub (Nov 3, 2022):

My analysis of network traffic when running Wireguard + Cloak so far shows a high possibility of packets sent from cloak client to server not reaching wireguard server or packets sent from cloak server to client not reaching wireguard client.

I'm not sure if this indicates packets corruption while wireguard traffic is routed through cloak, and I would very much appreciate a second opinion on the subject.


@gmertes commented on GitHub (Dec 5, 2022):

Try adding MTU=1400 to the wg interface config (or a lower value like 1300 if that still doesn't work). Use 1280 if you're on ipv6.


@Imfae commented on GitHub (Dec 8, 2022):

> Try adding MTU=1400 to the wg interface config (or a lower value like 1300 if that still doesn't work). Use 1280 if you're on ipv6.

I tried lowering MTU to 1300, and the connectivity issue persisted.


@stevepsunny commented on GitHub (Jan 24, 2026):

@Imfae Were you able to find the solution to this issue? I am facing a similar issue now.


@Imfae commented on GitHub (Feb 7, 2026):

> @Imfae Were you able to find the solution to this issue? I am facing a similar issue now.

Sorry for the late reply. No, I wasn't able to solve it. I've switched to Shadowsocks + Cloak.
