VpnHood Cloak Mode
Cloak Mode is VpnHood's high-stealth transport option that deliberately looks like a normal TCP stream/web server instead of carrying raw IP packets. It's designed for environments with aggressive DPI, active probing, or censorship where typical VPN packet fingerprints get blocked.
- Instead of delivering raw IP packets, Cloak Mode wraps and forwards data as a TCP stream and redirects that stream to the server.
- Functionally, it behaves like a SOCKS-style stream proxy, but it is not a standard SOCKS4/5 implementation - there are no SOCKS fingerprints to detect.
- The client↔server negotiation intentionally matches a standard web server handshake exactly (one send / one reply), so the handshake looks identical to normal HTTPS/web traffic.
- If a connection probe is unauthenticated (no valid token), the server does not expose a VPN endpoint - it rejects the probe in a standard way (returns 401 on fake scans).
- Because the transport imitates common web servers and returns normal HTTP-like replies to unauthenticated clients, it blends into ordinary traffic patterns.
Note for developers: In the VpnHood source code, Cloak Mode is implemented under the internal class name TcpProxy. This was renamed in user-facing documentation to "Cloak Mode" to avoid confusion with conventional proxy protocols.
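The following is an added illustration of the handshake and probe handling described above, written for this page in Python; it is not VpnHood's code (the real TcpProxy class is C#). The header names X-Token and X-Destination, the shared token value, and the 200 accept reply are assumptions made for the example. What it shows is the property that makes active probing unproductive: the server reads exactly one request, sends exactly one reply, compares the token in constant time, and returns a byte-identical 401 whether the token is missing, wrong, or the request is otherwise malformed, so a scanner learns nothing beyond "this is a web server that rejected me". Only an accepted connection is turned into a plain bidirectional byte relay with no SOCKS framing on the wire.

```python
"""Illustrative 'cloak' handshake and stream relay (added example, not VpnHood code).

Header names, the token value and the reply format are constructed for this example."""
import hmac
import socket
import threading

# Constructed shared secret for the example; VpnHood derives access from its own tokens.
EXPECTED_TOKEN = "example-token-0123"
TOKEN_HEADER = "x-token"        # hypothetical header carrying the client token
DEST_HEADER = "x-destination"   # hypothetical header carrying "host:port"


def parse_request(raw: bytes):
    """Split one HTTP/1.1-style request into (request line, lower-cased headers, leftover bytes)."""
    head, _, leftover = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, leftover


def build_response(status: int, reason: str, close: bool) -> bytes:
    """Minimal HTTP reply; a real cloak mirrors the header set of the web server it imitates."""
    lines = [f"HTTP/1.1 {status} {reason}", "Content-Length: 0"]
    if close:
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def handle_handshake(raw: bytes, expected_token: str = EXPECTED_TOKEN):
    """Decide the single reply to the client's single send.

    Returns (accepted, reply, destination, leftover). Every unauthenticated or malformed
    request gets the same 401, so a prober cannot tell a bad token from a missing one."""
    _, headers, leftover = parse_request(raw)
    token = headers.get(TOKEN_HEADER, "")
    rejected = build_response(401, "Unauthorized", close=True)
    # Constant-time comparison: reply timing must not leak how much of the token matched.
    if not hmac.compare_digest(token.encode("utf-8"), expected_token.encode("utf-8")):
        return False, rejected, None, b""
    host, sep, port = headers.get(DEST_HEADER, "").rpartition(":")
    if not (sep and host and port.isdigit()):
        return False, rejected, None, b""
    return True, build_response(200, "OK", close=False), (host, int(port)), leftover


def read_head(sock: socket.socket, limit: int = 8192) -> bytes:
    """Read until the end of the request head (or EOF / size limit)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src hits EOF, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client: socket.socket, upstream: socket.socket) -> None:
    """Bidirectional copy: the SOCKS-like part, without any SOCKS framing on the wire."""
    worker = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    worker.start()
    pump(upstream, client)
    worker.join()


def serve_connection(client: socket.socket, expected_token: str = EXPECTED_TOKEN,
                     connect=socket.create_connection) -> bool:
    """Handle one inbound TCP connection: one request in, one reply out, then relay or close.

    Returns True when the stream was relayed, False when the connection was treated as a probe."""
    try:
        accepted, reply, dest, leftover = handle_handshake(read_head(client), expected_token)
        client.sendall(reply)
        if not accepted:
            return False      # closed below, exactly like a web server rejecting a request
        with connect(dest) as upstream:
            if leftover:      # bytes the client sent after its request head
                upstream.sendall(leftover)
            relay(client, upstream)
        return True
    finally:
        client.close()
```

The `connect` parameter exists so the relay can be exercised against an in-process socket pair; in a deployment it would be the real outbound connect. The point worth checking in any implementation of this pattern is the one the test below pins down: the rejection bytes for a wrong token, a missing token, and a missing destination are identical, and the connection is closed afterwards without any further exchange.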
- High undetectability: Extremely hard for censorship/DPI to distinguish from genuine web traffic.
- Resilient to active probing: Fake scans get ordinary server responses rather than testable VPN behavior.
- Mimics a normal web server: Greatly reduces the chance of blocking, throttling, or triggering mitigation.
- Higher server CPU & memory usage: Stream reconstruction, per-connection handling, and token checks are more resource-intensive than raw packet forwarding.
- Latency/throughput: Performance can be lower compared to packet mode (packet mode is lighter and faster).
- Complexity: More moving parts on the server side (stream demuxing, token management, stricter session state).
- Many users do not need this extreme level of stealth, and because it is more expensive to run, Cloak Mode is disabled by default.
- Enable it only when you need maximum evasiveness (e.g., in restrictive networks or countries).
- Networks with aggressive DPI or fingerprint-based blocking.
- Situations that require strong resistance to active probing.
- When you need VPN traffic to be indistinguishable from ordinary web servers.
- If you accept the extra server cost (CPU/memory) and potential throughput trade-offs.
👉 If you're experiencing streaming issues, it's often a good practice to block QUIC as well.
In short: Cloak Mode makes VpnHood behave like a plain TCP/web server stream (SOCKS-style behavior without SOCKS fingerprints), uses a single web-standard handshake, rejects unauthenticated probes with ordinary HTTP replies, and trades extra server CPU/memory for strong stealth.
The default is off - turn it on only where needed.