Question about EncryptionMethod for wireguard traffic #220

Closed
bingzhangdai opened this issue Mar 26, 2023 · 4 comments
@bingzhangdai

I have already successfully run wireguard with cloak. From the wiki,

You must not leave EncryptionMethod as plain in Cloak client's configuration file because OpenVPN gives out fingerprint. Change it to aes-gcm or chacha20-poly1305

I am wondering if it also holds true for wireguard. Now I leave the EncryptionMethod as plain.

@valerius2k

The intention of EncryptionMethod is to hide the fingerprint of the underlying proxy. WG has its own fingerprint too. So if you set EncryptionMethod to plain, the fingerprint will be exposed and your ISP could detect and block it. A data stream has no definite fingerprint only if its data looks like white noise. But AFAIK it's not so with WG. WG is very easily detectable and is blocked more often than other VPN protocols.

@bingzhangdai
Author

@valerius2k Thanks for your clarification. It is truly clear!

@INNKCake

INNKCake commented Aug 7, 2023

@bingzhangdai can you share a configuration/guide for Wireguard?

@bingzhangdai
Author

First, you should set up wireguard by following the official guide.

Suppose you have exposed your wireguard port 500/udp on the server. Your cloak is also deployed on the same server. You can use the following conf to redirect 500/udp to localhost:500/udp.

On the server:

{
    "ProxyBook": {
        "wireguard": [
            "udp",
            "127.0.0.1:500"
        ]
    },
    "BypassUID": [
        "xxx"
    ],
    "RedirAddr": "xxx",
    "PrivateKey": "xxx",
    "AdminUID": "xxx"
}

On the client:

{
    "Transport": "direct",
    "ProxyMethod": "wireguard",
    "EncryptionMethod": "chacha20-poly1305",
    "UID": "xxx",
    "PublicKey": "xxx",
    "ServerName": "cn.bing.com",
    "NumConn": 1,
    "BrowserSig": "chrome",
    "StreamTimeout": 300,
    "KeepAlive": 0
}

Then you can run ck-client -c ck-client.json -u -s serverip -l 500 on your machine. This redirects server:500/udp to localhost:500/udp. Hope this helps.
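The fingerprint point raised earlier in the thread, as an added example that is not part of the thread or of Cloak's code: WireGuard messages start with a cleartext type byte, three reserved zero bytes, and have fixed or 16-byte-aligned lengths, so a few lines of matching recognize them wherever the raw bytes are visible. The message layout comes from the WireGuard protocol specification, not from this page; the sample datagrams are constructed, and random bytes stand in for AEAD-encrypted output.

```python
import os
import struct

# Fixed sizes (bytes) of WireGuard's handshake-phase messages, keyed by type.
FIXED_LEN = {1: 148, 2: 92, 3: 64}
NAMES = {1: "handshake_initiation", 2: "handshake_response",
         3: "cookie_reply", 4: "transport_data"}


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name if the datagram matches, else None."""
    if len(payload) < 4:
        return None
    # Header: 1-byte message type followed by 3 reserved zero bytes.
    msg_type = payload[0]
    if payload[1:4] != b"\x00\x00\x00" or msg_type not in NAMES:
        return None
    if msg_type in FIXED_LEN:
        return NAMES[msg_type] if len(payload) == FIXED_LEN[msg_type] else None
    # Transport data: 16-byte header + ciphertext padded to 16 + 16-byte tag.
    if len(payload) >= 32 and len(payload) % 16 == 0:
        return NAMES[4]
    return None


def sample_datagrams():
    """Constructed samples: real header layout, random filler for the bodies."""
    init = b"\x01\x00\x00\x00" + os.urandom(144)
    resp = b"\x02\x00\x00\x00" + os.urandom(88)
    # Keepalive: receiver index, little-endian counter, tag over empty payload.
    keepalive = (b"\x04\x00\x00\x00" + os.urandom(4)
                 + struct.pack("<Q", 7) + os.urandom(16))
    return {"init": init, "resp": resp, "keepalive": keepalive}


def false_positive_rate(trials: int = 20000, size: int = 148) -> float:
    """Fraction of uniformly random datagrams (stand-in for AEAD output) that match."""
    hits = sum(classify_wireguard(os.urandom(size)) is not None
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for name, dgram in sample_datagrams().items():
        print(name, len(dgram), classify_wireguard(dgram))
    print("random 148-byte datagrams matching:", false_positive_rate())
```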
