August 20, 2023
Cloak enhances traditional tools like OpenVPN to evade sophisticated censorship and data discrimination.
This is an introductory tutorial. If you would like to learn more about Cloak, visit its GitHub repository at https://github.com/cbeuw/Cloak.
The server in the tutorial runs Ubuntu 22.04. The process will be similar on a Debian server. It is assumed that you are logged in as root.
Open ports tcp/80 and tcp/443 for Cloak. (You can, if you wish, change these ports in the Cloak server configuration file by changing the value of BindAddr.)
Install OpenVPN:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
When you are asked for the IP address, enter the public IP address of your server. You can use port 1194 for OpenVPN, since traffic will pass through Cloak before it reaches the OpenVPN server. Use protocol TCP for OpenVPN.
At the end of the script's run, you are prompted to choose a name for the client, e.g. xxxxxxxx. The script then generates a client configuration file named, for example, xxxxxxxx.ovpn.
Optionally reconfigure the OpenVPN server so that it listens on localhost only. This is optional because we assume you keep the firewall closed for port udp/1194. Edit your OpenVPN server configuration file, e.g. /etc/openvpn/server.conf. Make OpenVPN listen on localhost only by inserting a line:
local 127.0.0.1
Save the file. Restart the OpenVPN server with your revised configuration:
systemctl restart openvpn@server
Download the latest release of Cloak and copy it to an executable directory:
wget https://github.com/cbeuw/Cloak/releases/download/v2.7.0/ck-server-linux-amd64-v2.7.0
cp ck-server-linux-amd64-v2.7.0 /usr/local/bin/ck-server
chmod +x /usr/local/bin/ck-server
Generate public and private keys:
ck-server -key
Give the public key to your users. The private key should be kept secret. You will copy the private key into your server configuration file in a moment.
Example public key:
Fl1lvohMZwGxuZTVkLFe5PyAWijtgRZPwvkq8/UVqXg=
Example private key:
GJic5FRzCDK3MozjBK2KoddMY7hFQDP2Qr9ZgKZliGQ=
Generate an initial user id:
ck-server -uid
Example user id:
sEy7bAYtNj8lv59lf0onJQ==
Create a configuration file:
mkdir ~/cloak
vi ~/cloak/ckserver.json
Use https://github.com/cbeuw/Cloak/tree/master/example_config as a model. Our example:
{
  "ProxyBook": {
    "openvpn": [
      "tcp",
      "127.0.0.1:1194"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "BypassUID": [
    "sEy7bAYtNj8lv59lf0onJQ=="
  ],
  "RedirAddr": "cloudflare.com",
  "PrivateKey": "GJic5FRzCDK3MozjBK2KoddMY7hFQDP2Qr9ZgKZliGQ=",
  "DatabasePath": "userinfo.db"
}
Change the BypassUID and PrivateKey to the user id and private key you just generated.
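The example key and user id above are published on this page, so a server that still carries them is open to anyone who has read it. The following check is an added example, not part of Cloak or the original tutorial; `lint_ckserver` is a hypothetical helper, and the 32-byte and 16-byte lengths are inferred from the example values shown above.

```python
import base64
import binascii
import ipaddress

# Values printed on this page. They are public, so a live server must not use them.
PUBLISHED = {
    "GJic5FRzCDK3MozjBK2KoddMY7hFQDP2Qr9ZgKZliGQ=",  # example private key
    "sEy7bAYtNj8lv59lf0onJQ==",                      # example user id
}

def b64_len(value):
    """Decoded length of a base64 string, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError, TypeError):
        return -1

def lint_ckserver(cfg):
    """Return findings for a parsed ckserver.json; an empty list means clean."""
    findings = []
    key = cfg.get("PrivateKey", "")
    if key in PUBLISHED:
        findings.append("PrivateKey is the tutorial's published example")
    elif b64_len(key) != 32:  # assumption: same length as the example key
        findings.append("PrivateKey is not 32 bytes of base64")
    for uid in cfg.get("BypassUID", []):
        if uid in PUBLISHED:
            findings.append("BypassUID is the tutorial's published example")
        elif b64_len(uid) != 16:  # assumption: same length as the example id
            findings.append(f"BypassUID {uid!r} is not 16 bytes of base64")
    for name, (_proto, addr) in cfg.get("ProxyBook", {}).items():
        host = addr.rsplit(":", 1)[0].strip("[]")
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = host == "localhost"
        if not loopback:  # tutorial layout: OpenVPN sits behind Cloak on localhost
            findings.append(f"ProxyBook {name!r} forwards to non-loopback {addr}")
    return findings

if __name__ == "__main__":
    # Sample input: the page's own example values, which must be flagged.
    sample = {"ProxyBook": {"openvpn": ["tcp", "127.0.0.1:1194"]},
              "BypassUID": ["sEy7bAYtNj8lv59lf0onJQ=="],
              "PrivateKey": "GJic5FRzCDK3MozjBK2KoddMY7hFQDP2Qr9ZgKZliGQ="}
    for finding in lint_ckserver(sample):  # in practice: json.load() your file
        print("FINDING:", finding)
```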
Run the Cloak server:
screen -S cloak
ck-server -c ~/cloak/ckserver.json
Do Ctrl+a then d to detach from the screen session in which Cloak is running.
ck-server is now listening on ports tcp/80 and tcp/443.
Your work on the server is completed.
exit
Our client in this tutorial runs Windows.
Install the OpenVPN client from https://openvpn.net/community-downloads. For Windows you get an installer named OpenVPN-2.6.6-I001-amd64.msi, which you must run to install the Windows OpenVPN GUI client.
Download the client configuration file:
scp root@YOUR.SERVER.IP.ADDRESS:xxxxxxxx.ovpn Downloads
Do not import the client configuration file into the Windows OpenVPN GUI client just yet. You have to make a few changes to it. We will do that toward the end of the client set-up.
Before finalizing the OpenVPN configuration, we'll set up Cloak. Download the latest release of Cloak from https://github.com/cbeuw/Cloak/releases. For Windows the client is named ck-client-windows-amd64-v2.7.0.exe.
Obtain the server public key and your personal user id from the administrator of your server. In our example, the server public key is Fl1lvohMZwGxuZTVkLFe5PyAWijtgRZPwvkq8/UVqXg=, and your user id is sEy7bAYtNj8lv59lf0onJQ==.
Start with the client configuration file from https://github.com/cbeuw/Cloak/tree/master/example_config as a model. Enter your information. Our example:
{
  "Transport": "direct",
  "ProxyMethod": "openvpn",
  "EncryptionMethod": "chacha20-poly1305",
  "UID": "sEy7bAYtNj8lv59lf0onJQ==",
  "PublicKey": "Fl1lvohMZwGxuZTVkLFe5PyAWijtgRZPwvkq8/UVqXg=",
  "ServerName": "www.bing.com",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300
}
Save this file as, for example, Downloads\ckclient.json. If you are using Windows Notepad as your text editor, make sure Notepad does not add an extra .txt at the end of the file name.
Open a Windows Command Prompt window. Run the Cloak client from the command line:
cd Downloads
ren ck-client-windows-amd64-v2.7.0.exe ck-client.exe
ck-client -c ckclient.json -s YOUR.SERVER.IP.ADDRESS
Cloak listens on localhost port tcp/1984 for the OpenVPN client's input. Therefore you must change your client configuration file, Downloads\xxxxxxxx.ovpn. The remote server appears to be on localhost. You must define a static route to the real server IP address.
remote 127.0.0.1 1984
route YOUR.SERVER.IP.ADDRESS 255.255.255.255 net_gateway
Save the .ovpn file.
Now you can import the .ovpn file and connect to your OpenVPN server via Cloak.
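The .ovpn edit described above can be scripted so that it is applied the same way for every user. This is an added example, not part of the original tutorial or of Cloak; `cloakify_ovpn` is a hypothetical helper and the profile in the sample is constructed.

```python
import ipaddress

def cloakify_ovpn(text, server_ip, local_port=1984):
    """Point an OpenVPN client profile at the local Cloak client.

    Every `remote` directive is replaced by 127.0.0.1:<local_port>, followed
    by a host route that keeps traffic to the real server outside the tunnel.
    Running the function on its own output changes nothing.
    """
    ipaddress.IPv4Address(server_ip)  # raises ValueError on a mistyped address
    route = f"route {server_ip} 255.255.255.255 net_gateway"
    out, remote_done = [], False
    for line in text.splitlines():
        words = line.split()
        if not words:
            out.append(line)
        elif words[0] == "proto" and not words[-1].startswith("tcp"):
            # The tutorial's ProxyBook entry is tcp, so the profile must match.
            raise ValueError("profile is not TCP: " + line.strip())
        elif words[0] == "remote":
            if not remote_done:  # collapse several remotes into one
                out += [f"remote 127.0.0.1 {local_port}", route]
                remote_done = True
        elif line.strip() != route:  # drop a route left by an earlier run
            out.append(line)
    if not remote_done:
        raise ValueError("profile has no remote directive")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed sample profile; 203.0.113.10 is a documentation address.
    sample = "client\nproto tcp-client\nremote 203.0.113.10 1194\ndev tun\n"
    print(cloakify_ovpn(sample, "203.0.113.10"), end="")
```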