[GH-ISSUE #96] 'ck-client -u' crashes with "NumConn": 4 #87

Closed
opened 2026-02-26 12:33:56 +03:00 by kerem · 10 comments

Originally created by @Klaaktu on GitHub (Feb 6, 2020).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/96

It's an old issue but still happens on latest version (2.1.3).
Tested both OpenVPN (plain text mode) and WireGuard, only "NumConn": 1 works in UDP mode.

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x50 pc=0x68bf48]

goroutine 1 [running]:
github.com/cbeuw/Cloak/internal/multiplex.(*switchboard).send.func1(0x0, 0x0, 0xc000186000, 0x33, 0x4268, 0x0, 0x5, 0x4263)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/internal/multiplex/switchboard.go:65 +0x48
github.com/cbeuw/Cloak/internal/multiplex.(*switchboard).send(0xc000154000, 0xc000186000, 0x33, 0x4268, 0xc000170140, 0x0, 0x0, 0x0)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/internal/multiplex/switchboard.go:85 +0x193
github.com/cbeuw/Cloak/internal/multiplex.(*Stream).Write(0xc0001700e0, 0xc0000de000, 0x10, 0x2800, 0x0, 0x0, 0x0)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/internal/multiplex/stream.go:110 +0x1c1
main.routeUDP(0xc0000d6000, 0x0, 0x0, 0x0)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/cmd/ck-client/ck-client.go:127 +0x4ca
main.main()
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/cmd/ck-client/ck-client.go:343 +0xb5d
```

Client config:

```
{
  "Transport": "direct",
  "ProxyMethod": "openvpn",
  "EncryptionMethod": "aes-gcm",
  "UID": "",
  "PublicKey": "",
  "ServerName": "www.bing.com",
  "NumConn": 4,
  "BrowserSig": "firefox",
  "StreamTimeout": 300
}
```

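Also is it ok to run OpenVPN in plain text mode to avoid double encryption?
Is "StreamTimeout" idle connection timeout? Can I make it super long to make it only close connection when I Ctrl+C the client like [what Shadowsocks recently did](https://github.com/shadowsocks/shadowsocks-libev/blob/715f26e285787058e67ad3a868ed8e66362425a2/debian/config.json#L6)?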

kerem closed this issue 2026-02-26 12:33:56 +03:00

@Klaaktu commented on GitHub (Apr 26, 2020):

This issue is fixed in master, yay.

Tho OpenVPN seems to be very slow or unable to connect perhaps due to this:

> ~~level=info msg="forcefully terminating user" UID="..." reason="no session left"~~

Edit: nvm, it's my shadowsocks session it was closing.


@Klaaktu commented on GitHub (Apr 28, 2020):

It's the build from current master (2.1.3 UDP works fine), TCP mode works very well.
Tho TCP/UDP in OpenVPN probably doesn't matter since the connection in the middle is replaced with Cloak's TCP.


@Weeka89 commented on GitHub (May 14, 2020):

@klaaktu I'm trying to use wireguard through cloak do u mind sharing your steps/config on how to get it done.


@Klaaktu commented on GitHub (May 14, 2020):

@Weeka89 I'm not using WireGuard atm so I don't remember everything, tho the steps are very similar to OpenVPN:
"Endpoint" is ck-client's listening address. In my testing ck-client must be on another PC because of this error in WireGuard.
`Failed to send data packet write udp4 0.0.0.0:53457->127.0.0.1:1984: wsasendto: The requested address is not valid in its context.`
~~Uncheck "kill-switch" in WireGuard Windows client's config settings, so it can send data to ck-client.~~ It's not necessary unless they are on the same machine.
UDP doesn't seem to be working in 2.2.0.
Enable forwarding in server.


@Klaaktu commented on GitHub (May 14, 2020):

WireGuard, server

```
[Interface]
Address = 10.0.0.1/24, ****:000a/127
PrivateKey = ****
ListenPort = ****

PostUp = sysctl net.ipv6.conf.eth0.proxy_ndp=1; ip -6 neigh add proxy ****:000b dev eth0

[Peer]
PublicKey = ****
AllowedIPs = 10.0.0.2/32, ****:000b/128
```

****:000a & b are unoccupied IPv6 addresses from the server, prefix length 127 because DigitalOcean gives 16 IPs instead of /64 prefix. And their IPv6 is also non-routed thus the ndp-proxy in PostUp. `net.ipv6.conf.eth0.proxy_ndp=1` doesn't work if put in sysctl.conf unless it's `all` interface, because Ubuntu... so it's here.
WireGuard doesn't seem to have the option to listen on localhost only for incoming traffic.
IPv4 NAT is done in nftables.

WireGuard, client

```
[Interface]
PrivateKey = ****
Address = 10.0.0.2/24, ****:000b/127
DNS = 192.168.1.2

[Peer]
PublicKey = ****
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = 192.168.1.2:1984
```

192.168.1.2 is a second PC running ck-client and dnscrypt-proxy.
Writing "AllowedIPs" like that unchecks the "kill-switch" automatically iirc.

nftables

```
table inet filter {
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		iifname "wg-server" accept
		iifname "tun0" accept
		oifname "wg-server" accept
		oifname "tun0" accept
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" ip saddr 10.0.0.0/24 masquerade
		oifname "eth0" ip saddr 10.8.0.0/24 masquerade
	}
}
```

sysctl.conf

```
# Accept IPv6 advertisements when forwarding is enabled
net.ipv6.conf.all.accept_ra = 2

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```

@Klaaktu commented on GitHub (May 14, 2020):

Cloak, server

```
{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "[::1]:8388"
    ],
    "openvpn": [
      "tcp",
      "[::1]:1194"
    ],
    "wireguard": [
      "udp",
      "[::1]:****"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "BypassUID": [
  ],
  "RedirAddr": "****",
  "PrivateKey": "****",
  "AdminUID": "****",
  "DatabasePath": "/opt/Cloak/userinfo.db",
  "StreamTimeout": 300
}
```

Cloak, client

```
{
  "Transport": "direct",
  "ProxyMethod": "wireguard",
  "EncryptionMethod": "aes-gcm",
  "UID": "****",
  "PublicKey": "****",
  "ServerName": "****",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300,
  "UDP": true
}
```

Change to `"NumConn": 1` and use `-u` in command line instead of `"UDP": true` if using 2.1.3.
[WireGuard also seem to have fingerprint](https://lists.zx2c4.com/pipermail/wireguard/2018-September/003289.html), so EncryptionMethod is not plain. (Vanilla WireGuard does get blocked by GFW fairly swiftly.)


@gokaybiz commented on GitHub (Jul 19, 2021):

@klaaktu Hey, how can u handle
route SERVERIP 255.255.255.255 net_gateway
route 192.168.0.0 255.255.0.0 net_gateway
section in wireguard client?
I got failed to establish new connection to remote: dial tcp *****... error.

EDIT: When i remove UDP: true field from config, I got "error reading first packet: read error after connection is established"


@Klaaktu commented on GitHub (Jul 19, 2021):

@gokaybiz
I used WireGuard Windows client which automatically sets up routing (In Linux there is wg-quick which sets ip rules).
I think `SERVERIP` as `Endpoint` and exclude 192.168.0.0/16 in `AllowedIPs` should suffice.
(Though if using Cloak, `SERVERIP` shouldn't be the public address of the server but ck-client listening address, and ck-client can't be on the same PC as WG)
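
The AllowedIPs exclusion suggested in the comment above, worked through as an added example (not code from this thread or from the Cloak or WireGuard projects): `AllowedIPs` only lists ranges to include, so an excluded range has to be subtracted from the address space and the remainder written out as CIDR blocks. The function names and the `203.0.113.10` address standing in for `SERVERIP` are constructed for illustration.

```python
import ipaddress

def allowed_ips_excluding(excluded, base=("0.0.0.0/0", "::/0")):
    """Return CIDR strings covering `base` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(b) for b in base]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)                      # untouched by this exclusion
            elif ex.supernet_of(net):
                continue                              # swallowed whole, drop it
            else:
                kept.extend(net.address_exclude(ex))  # split around the hole
        remaining = kept
    result = []
    for version in (4, 6):                            # collapse per address family
        same = [n for n in remaining if n.version == version]
        result += [str(n) for n in ipaddress.collapse_addresses(same)]
    return result

def is_tunnelled(allowed, address):
    """True if `address` falls inside any AllowedIPs entry."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(a) for a in allowed)

# Constructed inputs: the LAN range from the thread plus a documentation-range
# address (203.0.113.10) standing in for the SERVERIP placeholder.
EXCLUDED = ["192.168.0.0/16", "203.0.113.10/32"]

if __name__ == "__main__":
    v4_only = allowed_ips_excluding(EXCLUDED, base=("0.0.0.0/0",))
    print("AllowedIPs = " + ", ".join(v4_only))
```

Starting from `0.0.0.0/1, 128.0.0.0/1` as in the client config earlier in the thread gives the same list as starting from `0.0.0.0/0`, because the result is collapsed to the minimal set of blocks.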


@gokaybiz commented on GitHub (Oct 2, 2021):

> @gokaybiz I used WireGuard Windows client which automatically sets up routing (In Linux there is wg-quick which sets ip rules). I think `SERVERIP` as `Endpoint` and exclude 192.168.0.0/16 in `AllowedIPs` should suffice. (Though if using Cloak, `SERVERIP` shouldn't be the public address of the server but ck-client listening address, and ck-client can't be on the same PC as WG)

Why we can't use on same pc?
I tried to exclude my server's ip.
But Wireguard couldn't do handshake.

WHY?

Here is some log from ck-client:

```
INFO[0000] Starting standalone mode
INFO[2021-10-02T18:16:39Z] Listening on UDP 127.0.0.1:1984 for wg client
INFO[2021-10-02T18:16:41Z] Attempting to start a new session
TRACE[2021-10-02T18:16:41Z] client hello sent successfully
TRACE[2021-10-02T18:16:42Z] waiting for ServerHello
TRACE[2021-10-02T18:16:42Z] client hello sent successfully
TRACE[2021-10-02T18:16:42Z] waiting for ServerHello
DEBUG[2021-10-02T18:16:42Z] All underlying connections established
DEBUG[2021-10-02T18:16:42Z] Connection is unordered
INFO[2021-10-02T18:16:42Z] Session 123123123 established
TRACE[2021-10-02T18:16:42Z] stream 1 of session 123123123 opened
TRACE[2021-10-02T18:16:42Z] 544 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 656 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 768 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 92 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 208 read from stream 1 with err <nil>
```

@cbeuw ?


@Klaaktu commented on GitHub (Oct 3, 2021):

Does WireGuard say...?

> Failed to send data packet write udp4 0.0.0.0:53457->127.0.0.1:1984: wsasendto: The requested address is not valid in its context.

I vaguely remember the explanation "localhost interface is not valid" somewhere. However the answer I get from search now is to set the Endpoint to IP address of the machine (private/public but not 127.0.0.1) due to "strong host model".
I'm currently using shadowsocks (hard to connect atm...) tproxy/tun to avoid double tunnel, so I don't have Wireguard set up to test it.
