Cloak: TLS obfuscation for self-host VPN in 2026

Affiliate disclosure — This article contains Contabo affiliate links. If you order a VPS via our links, we earn a commission at no extra cost to you. Every config is production-tested.

Cloak is a TLS obfuscation tool that sits in front of an existing tunnel (WireGuard, OpenVPN, Shadowsocks) and turns it into what looks exactly like an HTTPS site. When a DPI inspects your server, it sees a valid TLS 1.3 handshake with a Let's Encrypt certificate — and here's the trick — if the session is NOT a valid Cloak client, the server redirects it to a real website (usually bing.com or wikipedia.org).

So Cloak is an obfuscation layer to add on top of an already-working VPN. That's its key difference vs V2Ray (a complete VPN protocol) or wstunnel (just a simple WebSocket tunnel). Cloak assumes you already run WireGuard or Shadowsocks, and you want to make them undetectable.

This guide covers installing Cloak on a Contabo VPS, integrating with WireGuard and Shadowsocks, performance benchmarks, and when Cloak is the right pick vs V2Ray REALITY or wstunnel.

How Cloak works

The technical pitch:

1. Cloak server listens on port 443 and runs a fake TLS 1.3 server with a Let's Encrypt cert (or self-signed).
2. A Cloak client opens a standard TLS connection with a shared secret hidden in the ClientHello (TLS extension).
3. The Cloak server detects the secret, unmasks the client, and opens a tunnel to the configured backend (WireGuard 127.0.0.1:51820, for example).
4. If a session is NOT a valid Cloak client (GFW probe, random scanner), the server transparently proxies it to RedirAddr (typically www.bing.com:443). The client sees the real Bing page — no error, no 404, no "weird response".

From a DPI's point of view:

• TCP 443 traffic toward a residential domain = normal.
• Let's Encrypt cert = legitimate.
• If probed: it lands on a real site (Bing) → it is NOT a VPN endpoint.

It's conceptually close to REALITY (Xray-core), but Cloak has existed since 2018 (REALITY since 2023), and its design is more "defensive": it actively refuses to respond like a VPN endpoint.

Server install on Contabo

Contabo VPS S (€4.99/month, see deal) on Ubuntu 24.04 LTS. Prerequisite: you already have a local WireGuard or Shadowsocks running (127.0.0.1:51820 or 127.0.0.1:8443).

Step 1 — Get Cloak

CLOAK_VER="2.7.0"  # check latest on github.com/cbeuw/Cloak/releases
cd /tmp
wget "https://github.com/cbeuw/Cloak/releases/download/v${CLOAK_VER}/ck-server-linux-amd64-v${CLOAK_VER}"
wget "https://github.com/cbeuw/Cloak/releases/download/v${CLOAK_VER}/ck-client-linux-amd64-v${CLOAK_VER}"
chmod +x ck-server-* ck-client-*
mv ck-server-* /usr/local/bin/ck-server
mv ck-client-* /usr/local/bin/ck-client

Step 2 — Generate a server keypair

ck-server -k
# Public key: ...
# Private key: ...

Save both. The public key will be embedded in the client config.

Step 3 — Generate user UIDs

ck-server -u
# 7tCcGUcUyzM7tCcGUcUyzM=
# 9wEeIWeRtFE9wEeIWeRtFE=

Generate as many UIDs as users. Each UID = one client. If a UID leaks, you can revoke it individually.

Step 4 — Server config /etc/cloak/ckserver.json

{
  "ProxyBook": {
    "wireguard": ["udp", "127.0.0.1:51820"],
    "shadowsocks": ["tcp", "127.0.0.1:8443"]
  },
  "BindAddr": [":443"],
  "BypassUID": [
    "7tCcGUcUyzM7tCcGUcUyzM=",
    "9wEeIWeRtFE9wEeIWeRtFE="
  ],
  "RedirAddr": "www.bing.com",
  "PrivateKey": "YOUR_PRIVATE_KEY_FROM_-k",
  "AdminUID": "OPTIONAL-ADMIN-UID=",
  "DatabasePath": "/var/lib/cloak/userinfo.db",
  "StreamTimeout": 300
}

Important fields:

• ProxyBook: the backend list. A session can route to wireguard or shadowsocks based on what the client requests.
• BindAddr: :443 for the public port.
• BypassUID: UIDs with no quota/restrictions (admin/power users).
• RedirAddr: where we redirect invalid sessions. Critical for camouflage — pick a popular site not blacklisted in the target zone (bing.com, wikipedia.org, github.com are OK almost everywhere).
• PrivateKey: the server key (generated in step 2).

Step 5 — Systemd service

/etc/systemd/system/cloak.service:

[Unit]
Description=Cloak server
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/ck-server -c /etc/cloak/ckserver.json
Restart=always
RestartSec=5
User=nobody
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl enable --now cloak
journalctl -u cloak -f

At this stage your VPS responds on :443:

• To valid Cloak clients → tunnel to local WireGuard or Shadowsocks.
• To anything else (curl, scanners, GFW probes) → returns the www.bing.com content.

Test from outside: curl -L https://your-ip must show Bing's HTML. No Cloak mention. No errors. Perfect camouflage.

Client configuration: Linux, Windows, Android

The Cloak client (ck-client) takes a JSON config similar to the server.

Linux client ~/cloak/ckclient.json:

{
  "Transport": "direct",
  "ProxyMethod": "wireguard",
  "EncryptionMethod": "aes-gcm",
  "UID": "7tCcGUcUyzM7tCcGUcUyzM=",
  "PublicKey": "SERVER_PUBLIC_KEY",
  "ServerName": "www.microsoft.com",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300,
  "RemoteHost": "your-ip-or-domain",
  "RemotePort": 443,
  "LocalHost": "127.0.0.1",
  "LocalPort": 51820
}

Important fields:

• ProxyMethod: must match a ProxyBook name server-side (wireguard here).
• UID: the UID given by the admin (yours in BypassUID).
• PublicKey: server's public key.
• ServerName: the SNI the client sends in the TLS handshake. Should look like a realistic site (Microsoft, Cloudflare, etc.).
• NumConn: 4 parallel connections to saturate throughput (recommended).
• BrowserSig: TLS signature to mimic (chrome or firefox). Avoid safari which has a distinct signature.
• LocalPort: local port WireGuard will point its Endpoint to.

Launch:

ck-client -c ~/cloak/ckclient.json &

Then bring WireGuard up with Endpoint = 127.0.0.1:51820 instead of the public IP:

[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:51820

Windows: ck-client.exe from the releases page. Scheduled task for autostart. Official WireGuard app pointing to 127.0.0.1:51820.

Android: ck-client-android-arm64 exists on the releases page, but no native UI. Pragmatic path: use OpenVPN for Android which supports plugins, or wireguard-android + Termux to run ck-client in background. More complex than V2Ray (which has native v2rayNG). If mobile-first matters, look at V2Ray + VLess REALITY instead.

Measured performance

Real benchmarks, Contabo VPS S Nuremberg, residential gigabit fiber client in Paris, median 10 sessions, April 2026.

Cloak in direct TLS mode (no extra WebSocket) is faster than WS+TLS — consistent with less protocol overhead.

Vs V2Ray + VLess REALITY (another borrowed-cert approach): Cloak is slightly less performant (130 Mbps vs 155 Mbps), because REALITY uses XTLS Vision (optimized single-encryption) while Cloak does standard TLS. The difference is modest in practice.

Use cases where Cloak excels

1. You already have a self-host WireGuard and just want to add an obfuscation layer. Migration in 30 minutes, no WireGuard config rewrite. You start ck-server, add Endpoint = 127.0.0.1:51820 client-side, done.

2. Multi-user with per-UID revocation. If you host for 5 friends or coworkers, each UID is independent — revoking a user = removing their UID from BypassUID, the tunnel stops.

3. Iran, Turkey, UAE, Russia. Cloak passes very well on these DPIs. Local users confirm stable connections over weeks. For mainland China, see Xray-core + REALITY instead (our V2Ray guide).

4. Defensive camouflage against server inspection. If someone (ISP admin, authority) scans your VPS and does curl https://your-ip, they see Bing — not a suspicious VPN endpoint. Useful for plausible deniability, though not absolute.

Cases where Cloak isn't the best pick

1. You want a mobile-first setup. The Cloak mobile client ecosystem is weak (no v2rayNG-equivalent). For mobile, V2Ray + VLess with v2rayNG or Shadowrocket is significantly simpler.

2. You deploy for 50+ users with per-user quotas. Cloak manages UIDs and has basic quotas, but V2Ray has a more mature ecosystem (admin APIs, dashboards like x-ui).

3. You specifically target mainland China, in 2026. The GFW made progress against Cloak in 2024-2025. REALITY (Xray-core) is more robust today. Cloak is still OK but not the top.

4. You want to switch protocols often (SS one day, WG the next, OpenVPN after). Cloak can route to multiple backends, but V2Ray/Xray handles that more elegantly in a single config.

Hardening

1. Strong random UIDs. Always use ck-server -u (official generator) — no hand-rolled UIDs. Otherwise entropy bias that may be detected.

2. Real Let's Encrypt cert. Instead of the default self-signed cert, configure Cloak to use a Let's Encrypt cert via acme.sh:

acme.sh --issue -d cdn.yourdomain.com --standalone --httpport 8080
acme.sh --install-cert -d cdn.yourdomain.com \
  --key-file /etc/cloak/server.key \
  --fullchain-file /etc/cloak/server.crt \
  --reloadcmd "systemctl reload cloak"

Then in ckserver.json, set the cert paths via the TLS options (see Cloak docs).

3. fail2ban on Cloak logs. Invalid sessions appear in journalctl -u cloak. Create a fail2ban filter that bans after 20 invalid attempts in 60s.

4. Rotate UIDs every quarter. Every 3 months, rotate user UIDs. This complicates the life of an attacker who would have exfiltrated a config one day.

5. No persistent connection logs. Keep loglevel: warning on Cloak. If you're in a sensitive jurisdiction, mount /var/log/cloak on a RAM disk (tmpfs).

Cloak vs alternatives

Pragmatic pick:

• Cloak if you already have WG/SS and want fast camouflage.
• V2Ray + REALITY if you start from scratch, China focus, mobile-first.
• wstunnel if just corporate bypass without sophisticated DPI.

When an obfuscated commercial VPN is simpler

For non-technical users traveling occasionally in Asia or the Middle East, setting up Cloak + WireGuard + cert + DNS is too much. A commercial VPN with built-in obfuscation is more time-effective.

Our cross-sell pick: NordVPN with its "obfuscated servers" (obfuscated OpenVPN, and NordWhisper). Two clicks in the app, no VPS to manage. Good in Iran/Turkey/UAE, OK in China 70% of the time.

The combined approach many of our readers use: Cloak + WireGuard self-host for daily life, NordVPN as backup for risky trips. ~$10/month total cost, robust, and you're never locked out.

Common troubleshooting

Symptom: curl https://your-ip does NOT return Bing but an error or invalid cert. Cloak uses a self-signed cert by default — a strict browser or curl will refuse. Set up a Let's Encrypt cert to fix.

Symptom: Cloak client connects but no traffic flows. The client's ProxyMethod doesn't match any ProxyBook server-side. Verify that "wireguard" is defined in the server's ProxyBook.

Symptom: poor performance, 30 Mbps max. NumConn too low client-side (try 8 instead of 4), or CPU-bound server (check htop). Active Cloudflare proxy can also throttle.

Symptom: intermittent connections in China. The GFW actively probes self-signed certs. Move to a real Let's Encrypt cert, and change the client's ServerName (use a popular whitelisted domain).

Further reading

• Self-host VPN on Contabo: complete WireGuard guide 2026
• V2Ray VMess/VLess: complete setup 2026
• Shadowsocks vs VPN 2026: technical comparison
• wstunnel: TCP/UDP over WebSocket

Technical sources:

• Cloak — official GitHub repo
• Cloak documentation
• GFW Report — live blocking data
• acme.sh — automatic certificate

Published 2026-06-03. Benchmarks run on a Contabo VPS S Nuremberg + residential fiber client in Paris, March–April 2026. Anti-DPI techniques evolve constantly — always cross-check with local sources before critical deployment.

Legal reminder: Cloak is an open-source tool, legal in the EU, US, Canada, and most countries. Anti-censorship usage in China, Iran, Russia, UAE is locally illegal with variable penalties. VPNSmith publishes this guide for educational purposes.