Cloak Your Internet Traffic


From one month ago, my ISP implemented a mechanism to throttle any encrypted traffic on TCP or UDP and that upgrade affected my ShadowSocks Proxy which i use to tunnel my VPN and escape censorship.

ShadowSocks & VPN speed became very slow and connection became unstable.

After some investigation for alternative, i have found Cloak.

Cloak is an encrypted proxy utilize HTTPS as Transport Layer.

Cloak consist of two software packages

  • Cloak Proxy: Responsible for HTTPS transmission and mainly uses Plain encryption (No Encryption)
  • ShadowSocks Proxy: Responsible for encryption and tunneled throw Cloak proxy.

After implementing Cloak in my internal network as global proxy for the firewall (OPNSense), i have been able to bypass the ISP throttling because HTTPS throttling is very hard task for the ISP.

In this article i will explain how to setup Cloak in your network.

For more understanding about OPNSense & ShadowSocks review this article [OPNSENSE + NORDVPN + SHADOWSOCKS (ULTIMATE SECURITY)]


Technical Steps

1) Create new Linode VPS with Linux Debian Template (Guide)

Note: Linode cloud offer multiple plans (affect CPU,RAM,Traffic Quota, Inbound/Outbound Traffic Bandwidth) so choose what you need. the lowest price shared plan (5$) is very good plan and can meet a personal/home traffic needs.

2) Lets Install Clock Server on Linode VPS

  • First connect to the VPS you created using SSH with Root account.
  • Run this script on the VPS shell and follow the installer straight forward.
curl -o -L && bash

3) Confirm that Cloak and ShadowSocks installed successfully from Linux Services

4) Goto “/etc/cloak” on the server and take “shadowsocks.json” on your local machine for client setup later.

5) Lets setup the client on another machine in your internal network which will be used as proxy gateway.

  • Build a Ubuntu machine in your internal network or use existing machine.
  • Install the latest Cloak client on your Ubuntu machine
  • Create json file for client configuration and name it “ckclient.json” (use VIM Editor for that)
  • Use this below template to build your configuration, and the required data exist in “shadowsocks.json” we just downloaded earlier.
  "Transport": "direct",
  "ProxyMethod": "shadowsocks",
  "EncryptionMethod": "plain",
  "UID": "From ShadowSocks Json Server",
  "PublicKey": "From ShadowSocks Json Server",
  "ServerName": "From ShadowSocks Json Server",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300,
  "KeepAlive": 5

6) To start the client you need to use this shell command. Note: modify your paths if required

/root/ck-client-linux-amd64-v2.5.4 -s [Remote IP] -p [Remote Port] -i [Local IP] -l [Local Port] -c /root/ckclient.json
  • [Remote IP] is the server IP on Linode
  • [Remote Port] is the server port. always is 443 to appear like HTTPS
  • [Local IP] is the local machine IP which exposed in your internal network. for example
  • [Local Port] is the local machine port which your internal ShadowSocks client will connect to in your internal network.

7) To confirm that your Cloak client is working after running the previous command, you have to see this lines on your shell

Starting standalone mode
Listening on TCP [Local IP]:[Local Port] for shadowsocks client
Attempting to start a new session
Session [Number] established

8) Now the last step is to connect your ShadowSocks client to your Cloak client. In this step i will show you my configuration on my OPNSense firewall but this configuration is the same in any ShadowSocks client

Congratulations, Now you can connect to your ShadowSocks proxy normally and Transmit your data over Cloak on HTTPS

Last thing, there are more optimizations for Cloak server & client for achieving more stealth, performance & autostart with OS, but in this article I’m explaining the basic steps for the beginners.

8 Comments on “Cloak Your Internet Traffic

    • Cloak utilizes HTTPS protocol, ShadowSocks utilizes TCP
      so Cloak is more obfuscated and that gives you more firewalls penetration.


  1. Hello Roofman! Thank you for your awesome script. It really is great when the powerusers step up to help make getting important services like these in the hands of newbiwes. Thank you very much!

    I have a couple of questions to ask if I may:

    1. I verified that the cCloak service is running on the server, however I seem to be getting a few error messages, I don’t know how to correct these kinds of issues. Error messages are:
    ck-server[686]: time=”2023-02-04T04:01:10Z” level=warning msg=”failed to unmarshal hidden data from WS into authFragments: >
    ck-server[686]: time=”2023-02-04T04:01:10Z” level=warning msg=”decryption/authentication faliure: cipher: message authentic>
    ck-server[686]: time=”2023-02-04T06:40:18Z” level=warning msg=”failed to unmarshal ClientHello into authFragments: malforme>
    ck-server[686]: time=”2023-02-04T06:49:58Z” level=warning msg=”non (or malformed) ClientHello” UID= encryptionMethod=0 prox>
    ck-server[686]: time=”2023-02-04T06:52:28Z” level=warning msg=”failed to unmarshal ClientHello into authFragments: malforme>

    2. I cannot seem to get a complete client install on my Windows machine. I confirmed that the OpenVPN service work perfectly though. The tutorials don’t seem to mention where to place the json script after it has been modified.

    3. I do not know how to confirm if the Cloak servixce is running on the Windows machine.

    Any help you can provide in this regard would be deeply appreciated. Thank you again!


    • Hey Yu Zheng, I noticed your post and I’m wondering if you’ve had any experience setting up a cloud server for cloak and shadowsocks. If so, could you let me know which cloud provider you’re using? This information would be really helpful in case we need to troubleshoot anything together in the future.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: