[GH-ISSUE #220] Question about EncryptionMethod for wireguard traffic #178

Closed
opened 2026-02-26 12:34:11 +03:00 by kerem · 4 comments
Originally created by @bingzhangdai on GitHub (Mar 26, 2023).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/220

I have already successfully run wireguard with cloak. From the wiki,

```
You must not leave EncryptionMethod as plain in Cloak client's configuration file because OpenVPN gives out fingerprint. Change it to aes-gcm or chacha20-poly1305
```

I am wondering if it also holds true for wireguard. Now I leave the EncryptionMethod as plain.

kerem closed this issue 2026-02-26 12:34:11 +03:00

@valerius2k commented on GitHub (May 3, 2023):

The intention of EncryptionMethod is to hide fingerprints of an underlying proxy. WG should have its own fingerprint too. So if you set EncryptionMethod to plain, the fingerprint will be exposed and your ISP could detect and block it. The data stream has no definite fingerprint only if its data looks like white noise. But AFAIK it's not so with WG. WG is very easily detectable and is blocked more often than other VPN protocols.

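The fingerprint the comment above refers to can be shown concretely. Every WireGuard datagram starts with a one-byte message type followed by three reserved bytes that are always zero, and the handshake messages have fixed sizes (148 bytes for the initiation, 92 for the response, 64 for the cookie reply) while transport messages are 16-byte aligned and at least 32 bytes. The detector below, an added example that is not part of this thread or of Cloak, classifies constructed UDP payloads by those invariants and applies a flow-level rule (initiation, response, then transport only). The `make_sample` helper fills the encrypted fields with pseudo-random bytes; only the header and length matter for the match.

```python
import random

# WireGuard message types (first byte of every datagram), followed by three
# reserved bytes that are always zero. Sizes follow the protocol's fixed
# message layouts; transport messages are 16-byte aligned and at least
# 32 bytes (a 32-byte transport message is a keepalive).
WG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
            3: "cookie_reply", 4: "transport"}
WG_FIXED_SIZES = {1: 148, 2: 92, 3: 64}
WG_RESERVED = b"\x00\x00\x00"


def classify_wireguard(payload: bytes):
    """Return the WireGuard message kind a UDP payload looks like, or None."""
    if len(payload) < 4 or payload[1:4] != WG_RESERVED:
        return None
    msg_type = payload[0]
    if msg_type in WG_FIXED_SIZES:
        if len(payload) == WG_FIXED_SIZES[msg_type]:
            return WG_TYPES[msg_type]
        return None
    if msg_type == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
        return "keepalive" if len(payload) == 32 else "transport"
    return None


def looks_like_wireguard_flow(payloads) -> bool:
    """Flow-level rule: a 148-byte initiation, a 92-byte response, then only
    16-byte-aligned transport messages. A DPI box can key on this pattern
    even though every field after the header is encrypted or random."""
    kinds = [classify_wireguard(p) for p in payloads]
    if len(kinds) < 3:
        return False
    return (kinds[0] == "handshake_initiation"
            and kinds[1] == "handshake_response"
            and all(k in ("transport", "keepalive") for k in kinds[2:]))


def make_sample(msg_type: int, length: int, seed: int = 0) -> bytes:
    """Constructed sample datagram (not a real capture): a valid WireGuard
    header plus a pseudo-random body standing in for the encrypted fields."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(length - 4))
    return bytes([msg_type]) + WG_RESERVED + body


if __name__ == "__main__":
    # Constructed flow: handshake, keepalive, one data-carrying transport message.
    flow = [make_sample(1, 148), make_sample(2, 92),
            make_sample(4, 32), make_sample(4, 1184)]
    for pkt in flow:
        print(len(pkt), classify_wireguard(pkt))
    print("flow looks like WireGuard:", looks_like_wireguard_flow(flow))
    # Constructed non-WireGuard payload (DNS-shaped header): reserved bytes differ.
    print("dns-shaped:", classify_wireguard(b"\x12\x34\x01\x00" + bytes(20)))
```

The rule is deliberately loose (no sender-index or counter checks), which is how a blocking middlebox would write it: false positives cost it little. The thread's advice follows from this: if Cloak does not encrypt the inner payload, these header bytes and sizes are carried through as-is, whereas aes-gcm or chacha20-poly1305 replaces them with ciphertext.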

@bingzhangdai commented on GitHub (May 3, 2023):

@valerius2k Thanks for your clarification. It is truly clear!


@INNKCake commented on GitHub (Aug 7, 2023):

@bingzhangdai can you share a configuration/guide for Wireguard?


@bingzhangdai commented on GitHub (Aug 7, 2023):

First, set up WireGuard by following the official guide.

Suppose you have exposed your WireGuard port 500/udp on the server, and Cloak is deployed on the same server. You can use the following conf to redirect 500/udp to localhost:500/udp.

On the server:

```json
{
    "ProxyBook": {
        "wireguard": [
            "udp",
            "127.0.0.1:500"
        ]
    },
    "BypassUID": [
        "xxx"
    ],
    "RedirAddr": "xxx",
    "PrivateKey": "xxx",
    "AdminUID": "xxx"
}
```

On the client:

```json
{
    "Transport": "direct",
    "ProxyMethod": "wireguard",
    "EncryptionMethod": "chacha20-poly1305",
    "UID": "xxx",
    "PublicKey": "xxx",
    "ServerName": "cn.bing.com",
    "NumConn": 1,
    "BrowserSig": "chrome",
    "StreamTimeout": 300,
    "KeepAlive": 0
}
```

Then run `ck-client -c ck-client.json -u -s serverip -l 500` on your machine. This redirects server:500/udp to localhost:500/udp. Hope this helps.

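The two configs above have to agree with each other, and the whole thread turns on one field in the client file. The checker below is an added example, not part of this thread or of Cloak: it cross-checks a server/client pair for a UDP proxy such as WireGuard (the client's ProxyMethod must name a ProxyBook entry, that entry must be ["udp", "host:port"] for WireGuard, EncryptionMethod must not be "plain", and no "xxx" placeholder may survive). The accepted cipher names are the two the wiki text quoted earlier recommends; other names your Cloak version may accept are reported as warnings, not errors. The sample configs are constructed from the ones posted above with dummy secrets substituted, shown once with the weak setting and once corrected.

```python
import json

# Cipher names the Cloak wiki text quoted in this thread recommends instead of "plain".
RECOMMENDED_CIPHERS = {"aes-gcm", "chacha20-poly1305"}
PLACEHOLDER = "xxx"  # the thread's stand-in for secrets; must never ship as-is


def lint_cloak_pair(server_cfg: dict, client_cfg: dict) -> list:
    """Cross-check a Cloak server/client config pair for a UDP proxy such as
    WireGuard. Returns (severity, message) findings; an empty list is clean."""
    findings = []
    book = server_cfg.get("ProxyBook", {})
    method = client_cfg.get("ProxyMethod")
    entry = book.get(method)
    if entry is None:
        findings.append(("error", f"client ProxyMethod {method!r} has no ProxyBook entry on the server"))
    elif not (isinstance(entry, list) and len(entry) == 2 and entry[0] in ("tcp", "udp")):
        findings.append(("error", f"ProxyBook[{method!r}] must be [\"tcp\" or \"udp\", \"host:port\"]"))
    elif method == "wireguard" and entry[0] != "udp":
        findings.append(("error", "WireGuard runs over UDP; the ProxyBook entry must use \"udp\""))

    # The thread's central point: "plain" leaves the inner protocol's own
    # header bytes visible, so WireGuard's fingerprint survives the tunnel.
    enc = client_cfg.get("EncryptionMethod", "plain")
    if enc == "plain":
        findings.append(("error", "EncryptionMethod is \"plain\": the inner protocol's fingerprint is exposed"))
    elif enc not in RECOMMENDED_CIPHERS:
        findings.append(("warning", f"EncryptionMethod {enc!r} is not one of {sorted(RECOMMENDED_CIPHERS)}"))

    for side, cfg in (("server", server_cfg), ("client", client_cfg)):
        for key, value in cfg.items():
            values = value if isinstance(value, list) else [value]
            if PLACEHOLDER in values:
                findings.append(("error", f"{side} {key} still holds placeholder {PLACEHOLDER!r}"))
    return findings


# Constructed sample configs: the thread's layout with dummy (non-secret) values.
SERVER_CFG = json.loads("""{
    "ProxyBook": {"wireguard": ["udp", "127.0.0.1:500"]},
    "BypassUID": ["example-bypass-uid"],
    "RedirAddr": "cn.bing.com",
    "PrivateKey": "example-server-private-key",
    "AdminUID": "example-admin-uid"
}""")

# Weak setting: EncryptionMethod left as "plain".
CLIENT_WEAK = json.loads("""{
    "Transport": "direct",
    "ProxyMethod": "wireguard",
    "EncryptionMethod": "plain",
    "UID": "example-uid",
    "PublicKey": "example-server-public-key",
    "ServerName": "cn.bing.com",
    "NumConn": 1,
    "BrowserSig": "chrome",
    "StreamTimeout": 300,
    "KeepAlive": 0
}""")

# Corrected setting: same file with the cipher the thread recommends.
CLIENT_FIXED = dict(CLIENT_WEAK, EncryptionMethod="chacha20-poly1305")


if __name__ == "__main__":
    for label, client in (("weak", CLIENT_WEAK), ("fixed", CLIENT_FIXED)):
        print(label, lint_cloak_pair(SERVER_CFG, client) or "clean")
```

Run it against your own two JSON files (load them with `json.load`) before starting `ck-server` and `ck-client`; a mismatched ProxyMethod name is the most common reason the tunnel silently carries nothing.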