
'ck-client -u' crashes with "NumConn": 4 #96

Closed
Klaaktu opened this issue Feb 6, 2020 · 10 comments

Comments

Klaaktu commented Feb 6, 2020

It's an old issue but it still happens on the latest version (2.1.3).
Tested both OpenVPN (plain text mode) and WireGuard; only "NumConn": 1 works in UDP mode.

```text
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x50 pc=0x68bf48]

goroutine 1 [running]:
github.com/cbeuw/Cloak/internal/multiplex.(*switchboard).send.func1(0x0, 0x0, 0xc000186000, 0x33, 0x4268, 0x0, 0x5, 0x4263)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/internal/multiplex/switchboard.go:65 +0x48
github.com/cbeuw/Cloak/internal/multiplex.(*switchboard).send(0xc000154000, 0xc000186000, 0x33, 0x4268, 0xc000170140, 0x0, 0x0, 0x0)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/internal/multiplex/switchboard.go:85 +0x193
github.com/cbeuw/Cloak/internal/multiplex.(*Stream).Write(0xc0001700e0, 0xc0000de000, 0x10, 0x2800, 0x0, 0x0, 0x0)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/internal/multiplex/stream.go:110 +0x1c1
main.routeUDP(0xc0000d6000, 0x0, 0x0, 0x0)
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/cmd/ck-client/ck-client.go:127 +0x4ca
main.main()
        C:/Users/cbeuw/Documents/Go/src/github.com/cbeuw/Cloak/cmd/ck-client/ck-client.go:343 +0xb5d
```

Client config:

```json
{
  "Transport": "direct",
  "ProxyMethod": "openvpn",
  "EncryptionMethod": "aes-gcm",
  "UID": "",
  "PublicKey": "",
  "ServerName": "www.bing.com",
  "NumConn": 4,
  "BrowserSig": "firefox",
  "StreamTimeout": 300
}
```

Also, is it OK to run OpenVPN in plain text mode to avoid double encryption?
Is "StreamTimeout" the idle connection timeout? Can I make it super long so that it only closes the connection when I Ctrl+C the client, like what Shadowsocks recently did?


Klaaktu commented Apr 26, 2020

This issue is fixed in master, yay.

Though OpenVPN seems to be very slow or unable to connect, perhaps due to this:

```text
level=info msg="forcefully terminating user" UID="..." reason="no session left"
```

Edit: nvm, it's my shadowsocks session it was closing.

Klaaktu closed this as completed Apr 27, 2020


Klaaktu commented Apr 28, 2020

It's the build from current master (on 2.1.3 UDP works fine); TCP mode works very well.
Though TCP/UDP in OpenVPN probably doesn't matter, since the connection in the middle is replaced with Cloak's TCP.

Weeka89 commented May 14, 2020

@Klaaktu I'm trying to use WireGuard through Cloak. Do you mind sharing your steps/config on how to get it done?


Klaaktu commented May 14, 2020

@Weeka89 I'm not using WireGuard atm so I don't remember everything, though the steps are very similar to OpenVPN:

"Endpoint" is ck-client's listening address. In my testing ck-client must be on another PC because of this error in WireGuard:

```text
Failed to send data packet write udp4 0.0.0.0:53457->127.0.0.1:1984: wsasendto: The requested address is not valid in its context.
```

Uncheck "kill-switch" in the WireGuard Windows client's config settings, so it can send data to ck-client. It's not necessary unless they are on the same machine.
UDP doesn't seem to be working in 2.2.0.
Enable forwarding on the server.


Klaaktu commented May 14, 2020

WireGuard, server

```ini
[Interface]
Address = 10.0.0.1/24, ****:000a/127
PrivateKey = ****
ListenPort = ****

PostUp = sysctl net.ipv6.conf.eth0.proxy_ndp=1; ip -6 neigh add proxy ****:000b dev eth0

[Peer]
PublicKey = ****
AllowedIPs = 10.0.0.2/32, ****:000b/128
```

****:000a & b are unoccupied IPv6 addresses from the server, prefix length 127 because DigitalOcean gives 16 IPs instead of a /64 prefix. And their IPv6 is also non-routed, thus the ndp-proxy in PostUp. net.ipv6.conf.eth0.proxy_ndp=1 doesn't work if put in sysctl.conf unless it's for all interfaces, because Ubuntu... so it's here.
WireGuard doesn't seem to have an option to listen on localhost only for incoming traffic.
IPv4 NAT is done in nftables.

WireGuard, client

```ini
[Interface]
PrivateKey = ****
Address = 10.0.0.2/24, ****:000b/127
DNS = 192.168.1.2

[Peer]
PublicKey = ****
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = 192.168.1.2:1984
```

192.168.1.2 is a second PC running ck-client and dnscrypt-proxy.
Writing "AllowedIPs" like that unchecks the "kill-switch" automatically, iirc.

nftables

```text
table inet filter {
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		iifname "wg-server" accept
		iifname "tun0" accept
		oifname "wg-server" accept
		oifname "tun0" accept
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" ip saddr 10.0.0.0/24 masquerade
		oifname "eth0" ip saddr 10.8.0.0/24 masquerade
	}
}
```

sysctl.conf

```text
# Accept IPv6 advertisements when forwarding is enabled
net.ipv6.conf.all.accept_ra = 2

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```


Klaaktu commented May 14, 2020

Cloak, server

```json
{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "[::1]:8388"
    ],
    "openvpn": [
      "tcp",
      "[::1]:1194"
    ],
    "wireguard": [
      "udp",
      "[::1]:****"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "BypassUID": [
  ],
  "RedirAddr": "****",
  "PrivateKey": "****",
  "AdminUID": "****",
  "DatabasePath": "/opt/Cloak/userinfo.db",
  "StreamTimeout": 300
}
```

Cloak, client

```json
{
  "Transport": "direct",
  "ProxyMethod": "wireguard",
  "EncryptionMethod": "aes-gcm",
  "UID": "****",
  "PublicKey": "****",
  "ServerName": "****",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300,
  "UDP": true
}
```

Change to "NumConn": 1 and use -u on the command line instead of "UDP": true if using 2.1.3.
WireGuard also seems to have a fingerprint, so EncryptionMethod is not plain. (Vanilla WireGuard does get blocked by the GFW fairly swiftly.)

gokaybiz commented Jul 19, 2021

@Klaaktu Hey, how can you handle the

```text
route SERVERIP 255.255.255.255 net_gateway
route 192.168.0.0 255.255.0.0 net_gateway
```

section in the WireGuard client?
I got a `failed to establish new connection to remote: dial tcp *****...` error.

EDIT: When I remove the `UDP: true` field from the config, I get "error reading first packet: read error after connection is established".


Klaaktu commented Jul 19, 2021

@gokaybiz
I used the WireGuard Windows client, which automatically sets up routing (on Linux there is wg-quick, which sets ip rules).
I think SERVERIP as Endpoint and excluding 192.168.0.0/16 in AllowedIPs should suffice.
(Though if using Cloak, SERVERIP shouldn't be the public address of the server but the ck-client listening address, and ck-client can't be on the same PC as WG.)

gokaybiz commented Oct 2, 2021

> @gokaybiz I used WireGuard Windows client which automatically sets up routing (In Linux there is wg-quick which sets ip rules). I think SERVERIP as Endpoint and exclude 192.168.0.0/16 in AllowedIPs should suffice. (Though if using Cloak, SERVERIP shouldn't be the public address of the server but ck-client listening address, and ck-client can't be on the same PC as WG)

Why can't we use it on the same PC?
I tried to exclude my server's IP.
But WireGuard couldn't do the handshake.

WHY?

Here is some log from ck-client:

```text
INFO[0000] Starting standalone mode
INFO[2021-10-02T18:16:39Z] Listening on UDP 127.0.0.1:1984 for wg client
INFO[2021-10-02T18:16:41Z] Attempting to start a new session
TRACE[2021-10-02T18:16:41Z] client hello sent successfully
TRACE[2021-10-02T18:16:42Z] waiting for ServerHello
TRACE[2021-10-02T18:16:42Z] client hello sent successfully
TRACE[2021-10-02T18:16:42Z] waiting for ServerHello
DEBUG[2021-10-02T18:16:42Z] All underlying connections established
DEBUG[2021-10-02T18:16:42Z] Connection is unordered
INFO[2021-10-02T18:16:42Z] Session 123123123 established
TRACE[2021-10-02T18:16:42Z] stream 1 of session 123123123 opened
TRACE[2021-10-02T18:16:42Z] 544 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 656 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 768 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 92 read from stream 1 with err <nil>
TRACE[2021-10-02T18:16:42Z] 208 read from stream 1 with err <nil>
```

@cbeuw ?


Klaaktu commented Oct 3, 2021

Does WireGuard say...?

```text
Failed to send data packet write udp4 0.0.0.0:53457->127.0.0.1:1984: wsasendto: The requested address is not valid in its context.
```

I vaguely remember the explanation "localhost interface is not valid" from somewhere. However, the answer I get from searching now is to set the Endpoint to the IP address of the machine (private/public, but not 127.0.0.1) due to the "strong host model".
I'm currently using shadowsocks (hard to connect atm...) with tproxy/tun to avoid a double tunnel, so I don't have WireGuard set up to test it.
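The pitfalls collected across this thread (NumConn > 1 with UDP on 2.1.3, a loopback Endpoint that the Windows client rejects, a /0 AllowedIPs that arms the kill-switch, and an endpoint routed into the tunnel) can be caught before starting either program. The following preflight checker is an added example, not Cloak's or WireGuard's own code; the `preflight` function, its finding codes and the sample configs are my own constructions.

```python
import ipaddress
import json

def parse_wg(text):
    """Minimal parser for wg-quick style INI; a key may repeat (e.g. AllowedIPs)."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).extend(v.strip() for v in val.split(","))
    return sections

def preflight(cloak_json, wg_text, cloak_version):
    """Return finding codes for a WireGuard-over-Cloak client pair (hypothetical checker)."""
    cloak, peer = json.loads(cloak_json), parse_wg(wg_text).get("Peer", {})
    findings = []
    # Issue #96: with "UDP": true (or -u), NumConn > 1 panics in ck-client 2.1.3 (fixed in master)
    if cloak.get("UDP") and cloak.get("NumConn", 1) > 1 and cloak_version == "2.1.3":
        findings.append("numconn-udp-crash")
    endpoint = peer.get("Endpoint", [""])[0]
    try:
        host = ipaddress.ip_address(endpoint.rsplit(":", 1)[0].strip("[]"))
    except ValueError:
        host = None
    # Windows WireGuard rejects a loopback endpoint ("address is not valid in its context")
    if host is not None and host.is_loopback:
        findings.append("loopback-endpoint")
    allowed = [ipaddress.ip_network(a) for a in peer.get("AllowedIPs", [])]
    # A /0 catch-all lets the Windows client arm its kill-switch, blocking LAN traffic to ck-client
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("catch-all-allowedips")
    # Endpoint routed into the tunnel: fine with wg-quick/Windows auto-routes, otherwise exclude it
    if host is not None and any(host in n for n in allowed):
        findings.append("endpoint-inside-allowedips")
    return findings

# Constructed sample mirroring the configs in this thread (keys replaced by placeholders)
SAMPLE_CLOAK = '{"ProxyMethod": "wireguard", "NumConn": 4, "UDP": true}'
SAMPLE_WG = """[Interface]
PrivateKey = PLACEHOLDER
[Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = 192.168.1.2:1984
"""
```

Running `preflight(SAMPLE_CLOAK, SAMPLE_WG, "2.1.3")` flags the NumConn crash and notes that 192.168.1.2 is covered by 128.0.0.0/1, while the split-halves AllowedIPs correctly avoids the kill-switch finding.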
