diff --git a/group_vars/all/shadowsocks-libev.yml b/group_vars/all/shadowsocks-libev.yml index ead6cb2..1037fce 100644 --- a/group_vars/all/shadowsocks-libev.yml +++ b/group_vars/all/shadowsocks-libev.yml @@ -10,8 +10,19 @@ ss_config: encrypt_method: chacha20-ietf-poly1305 plugin: - v2ray: - opts: server + # v2ray: + # opts: server + cloak: + # optional + ProxyBook: + wireguard: + - udp + - 127.0.0.1:500 + BypassUID: + - ck-server -uid + RedirAddr: www.bing.com + PrivateKey: ck-server -key + PublicKey: ck-server -key timeout: 300 local_port: 1080 - fast_open: true \ No newline at end of file + fast_open: true diff --git a/roles/shadowsocks-libev/defaults/main.yml b/roles/shadowsocks-libev/defaults/main.yml index 920c50e..c4286ee 100644 --- a/roles/shadowsocks-libev/defaults/main.yml +++ b/roles/shadowsocks-libev/defaults/main.yml @@ -2,5 +2,10 @@ ss_github: user: shadowsocks v2ray_repo: v2ray-plugin +cloak_github: + user: cbeuw + repo: Cloak + ss_plugin_release: v2ray: "https://github.com/{{ ss_github.user }}/{{ ss_github.v2ray_repo }}/releases/download/v{{ release_version }}/v2ray-plugin-linux-amd64-v{{ release_version }}.tar.gz" + cloak: "https://github.com/{{ cloak_github.user }}/{{ cloak_github.repo }}/releases/download/v{{ release_version }}/ck-server-linux-amd64-v{{ release_version }}" diff --git a/roles/shadowsocks-libev/tasks/main.yml b/roles/shadowsocks-libev/tasks/main.yml index b20daac..a69cb96 100755 --- a/roles/shadowsocks-libev/tasks/main.yml +++ b/roles/shadowsocks-libev/tasks/main.yml 
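Review bot: `PrivateKey` under `ss_config.plugin.cloak` lives in group_vars/all, so once the `ck-server -key` placeholder is replaced the server's long-term private key is committed in clear text next to `password`; keep it out of the repository with Ansible Vault, e.g. `PrivateKey: "{{ vault_cloak_private_key }}"`, and treat the `BypassUID` entry the same way since it is the credential a client presents. `PublicKey` looks like a client-side value — I do not recall it among ck-server's config keys — so it may be unnecessary here; confirm against the Cloak version you target. Also check `127.0.0.1:500` in `ProxyBook.wireguard`: 500/udp is the IKE port, and a local WireGuard listener would normally sit elsewhere (51820 by default).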
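Review bot: Both URLs in `ss_plugin_release` expand the same `release_version` fact, which the utils/github-release role appears to set for whichever repository was detected most recently, so each URL is only correct if it is evaluated right after its own detection task; adding a second consumer makes that ordering easy to break. Distinct facts (e.g. `v2ray_release_version` / `cloak_release_version`), or a pinned `cloak_release_version: 'x.y.z'` in defaults, would make the dependency explicit, and a pinned version is also what lets you keep a checksum next to the URL. Both asset names are hard-coded to `linux-amd64`; fine if that is the only target, but a comment saying so would spare the next reader a surprise.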
@@ -27,6 +27,25 @@ command: setcap 'CAP_NET_BIND_SERVICE=+eip' /etc/shadowsocks-libev/v2ray-plugin_linux_amd64 when: ss_config.server_port < 1024 when: ss_config.plugin.v2ray is defined + - name: install cloak + block: + - name: detect latest cloak version + import_role: + name: utils + tasks_from: github-release + vars: + user: "{{ cloak_github.user }}" + repo: "{{ cloak_github.repo }}" + - name: download cloak-server {{ release_version }} + get_url: + url: "{{ ss_plugin_release.cloak }}" + dest: "/etc/shadowsocks-libev/ck-server" + mode: 755 + notify: restart shadowsocks-libev + - name: allow a non-root process to bind to a privileged port + command: setcap 'CAP_NET_BIND_SERVICE=+eip' /etc/shadowsocks-libev/ck-server + when: ss_config.server_port < 1024 + when: ss_config.plugin.cloak is defined when: ss_config.plugin is defined - name: optimize shadowsocks 
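Review bot: The `get_url` for ck-server fetches a binary that will run with `CAP_NET_BIND_SERVICE` and installs it without any integrity check, so a compromised release asset or an on-path substitution is executed as-is on the next playbook run; add `checksum: "sha256:<digest>"` (pinned together with the release version) so the task fails on a mismatch. `mode: 755` is an unquoted YAML integer, which Ansible treats as decimal 755 (octal 01363) rather than rwxr-xr-x — the template tasks in this same file quote their modes, so write `mode: '0755'` here as well. The `setcap` `command` also re-runs and reports changed on every play; `changed_when: false` or a `getcap` pre-check would keep it idempotent.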
@@ -65,22 +84,43 @@ value: '4096' # TCP receive buffer - name: net.ipv4.tcp_rmem - value: '4096 131072 67108864' + value: '4096 87380 67108864' + # # default read buffer + # - name: net.core.rmem_default + # value: '65536' + # max read buffer + - name: net.core.rmem_max + value: '67108864' # TCP write buffer - name: net.ipv4.tcp_wmem value: '4096 65536 67108864' + # # default write buffer + # - name: net.core.wmem_default + # value: '65536' + # max write buffer + - name: net.core.wmem_max + value: '67108864' # max backlog - name: net.core.somaxconn value: '4096' # max processor input queue - name: net.core.netdev_max_backlog value: '4096' - # max read buffer - - name: net.core.rmem_max - value: '67108864' - # max write buffer - - name: net.core.wmem_max - value: '67108864' + # max open files + - name: fs.file-max + value: '51200' + # resist SYN flood attacks + - name: net.ipv4.tcp_syncookies + value: '1' + # # turn off fast timewait sockets recycling + # - name: net.ipv4.tcp_tw_recycle + # value: '0' + # outbound port range + # - name: net.ipv4.ip_local_port_range + # value: '10000 65000' + # # max timewait sockets held by system simultaneously + # - name: net.ipv4.tcp_max_tw_buckets + # value: '5000' - name: configure and start shadowsocks-libev block: @@ -90,6 +130,16 @@ dest: /etc/shadowsocks-libev/config.json mode: '644' notify: restart shadowsocks-libev + - name: update ss_config.plugin.cloak + set_fact: + cloak_conf: "{{ ss_config.plugin.cloak | combine( { 'location': ansible_env.HOME + '/userinfo.db' } ) }}" + when: ss_config.plugin is defined and ss_config.plugin.cloak is defined + - name: edit /etc/shadowsocks-libev/ckserver.json + template: + src: ckserver.json.j2 + dest: /etc/shadowsocks-libev/ckserver.json + mode: '644' + when: ss_config.plugin is defined and ss_config.plugin.cloak is defined - name: turn on TCP Fast Open on server side sysctl: name: net.ipv4.tcp_fastopen 
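Review bot: `fs.file-max: '51200'` most likely lowers the system-wide open-file ceiling instead of raising it — on current kernels the boot-time default is derived from RAM and is usually far above 51200 — so the entry can cap every process on the host, and a busy proxy is exactly what would hit that cap. The per-process limit the `# max open files` comment seems to be after is the `nofile` rlimit (the init script's `MAXFD`), not `fs.file-max`. Either drop the entry or set it well above the kernel default, e.g. `value: '1048576'`. The sysctl loop this list belongs to starts before the hunk.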
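Review bot: `/etc/shadowsocks-libev/ckserver.json` is written with `mode: '644'` although it carries the Cloak `PrivateKey` and `BypassUID` values, so every local account can read the server's key; write it as `mode: '0600'` with `owner:` set to the account the service runs as. The `location` value built by the `set_fact` uses `ansible_env.HOME`, which is the home of the Ansible login user on the managed host rather than of the service user, so the user database ends up in an unrelated home directory; a fixed path such as `/etc/shadowsocks-libev/userinfo.db` would be more predictable. I also do not recognise `location` as a ck-server config key — as far as I recall the user-database path is `DatabasePath` — confirm against the Cloak version you target.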
@@ -147,4 +197,4 @@ delegate_to: localhost delegate_facts: True ignore_errors: yes - run_once: true \ No newline at end of file + run_once: true diff --git a/roles/shadowsocks-libev/templates/ckserver.json.j2 b/roles/shadowsocks-libev/templates/ckserver.json.j2 new file mode 100755 index 0000000..0abbae4 --- /dev/null +++ b/roles/shadowsocks-libev/templates/ckserver.json.j2 @@ -0,0 +1 @@ +{{ cloak_conf | to_nice_json(indent=4) }} diff --git a/roles/shadowsocks-libev/templates/config.json.j2 b/roles/shadowsocks-libev/templates/config.json.j2 index 78f15ed..52f0161 100755 --- a/roles/shadowsocks-libev/templates/config.json.j2 +++ b/roles/shadowsocks-libev/templates/config.json.j2 @@ -4,7 +4,7 @@ "password": "{{ ss_config.password }}", "timeout": {{ ss_config.timeout }}, "method": "{{ ss_config.encrypt_method }}", - "nameserver": "8.8.8.8", + "nameserver": "{{ ansible_dns.nameservers[0] }}", "mode": "tcp_and_udp", "fast_open": {{ ss_config.fast_open | default(false) | lower }} -} \ No newline at end of file +} diff --git a/roles/shadowsocks-libev/templates/config.local.json.j2 b/roles/shadowsocks-libev/templates/config.local.json.j2 index 0c4471f..ca1c2f9 100755 --- a/roles/shadowsocks-libev/templates/config.local.json.j2 +++ b/roles/shadowsocks-libev/templates/config.local.json.j2 @@ -6,5 +6,7 @@ "password": "{{ ss_config.password }}", "timeout": {{ ss_config.timeout }}, "method": "{{ ss_config.encrypt_method }}", - "fast_open": {{ ss_config.fast_open | default(false) | lower }} -} \ No newline at end of file + "fast_open": {{ ss_config.fast_open | default(false) | lower }}, + "reuse_port": true, + "no_delay": true, +} diff --git a/roles/shadowsocks-libev/templates/shadowsocks-libev.j2 b/roles/shadowsocks-libev/templates/shadowsocks-libev.j2 index aeda0c9..b2ceb6f 100644 --- a/roles/shadowsocks-libev/templates/shadowsocks-libev.j2 +++ b/roles/shadowsocks-libev/templates/shadowsocks-libev.j2 
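Review bot: `{{ ansible_dns.nameservers[0] }}` makes the template fail to render on any host whose resolv.conf lists no nameserver (or whose facts were gathered without `ansible_dns`), where the previous literal always produced a valid file; keep a fallback, e.g. `"nameserver": "{{ ansible_dns.nameservers[0] | default('8.8.8.8') }}"`. Note that on systemd-resolved hosts this picks up the `127.0.0.53` stub listener, which only works while the stub is bound; if that is not intended, a dedicated `ss_nameserver` variable would make the choice explicit.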
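Review bot: The added `"no_delay": true,` leaves a trailing comma before the closing brace, which is not valid JSON; whether the shadowsocks-libev config parser tolerates it I cannot confirm from here, but any strict tool that reads this file will reject it. Drop the comma: `"no_delay": true` followed by `}`.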
@@ -8,7 +8,7 @@ CONFFILE="/etc/shadowsocks-libev/config.json" DAEMON_ARGS= # User and group to run the server as -USER=nobody +USER={{ ansible_env.USER }} GROUP=nogroup # Number of maximum file descriptors @@ -20,4 +20,8 @@ MAXFD=32768 PLUGIN="/etc/shadowsocks-libev/v2ray-plugin_linux_amd64" PLUGINOPTS="{{ ss_config.plugin.v2ray.opts }}" {% endif %} -{% endif %} \ No newline at end of file +{% if ss_config.plugin.cloak is defined %} +PLUGIN="/etc/shadowsocks-libev/ck-server" +PLUGINOPTS="/etc/shadowsocks-libev/ckserver.json" +{% endif %} +{% endif %}
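Review bot: `USER={{ ansible_env.USER }}` replaces the unprivileged `nobody` account with whatever user Ansible logged in as, which on most hosts is root or a sudo-capable admin, so ss-server and its plugin now run with that account's full privileges and the `setcap CAP_NET_BIND_SERVICE` steps in the tasks become moot. I assume the motivation is that Cloak must read `userinfo.db` under that user's HOME; the safer route is a dedicated service account, e.g. `USER={{ ss_service_user | default('nobody') }}` created with the `user` module, that owns `ckserver.json` and the database, with the database kept under `/etc/shadowsocks-libev` or `/var/lib` rather than a home directory.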
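Review bot: The new `{% if ss_config.plugin.cloak is defined %}` block is independent of the v2ray block above it, so a config that defines both keys (the group_vars example only comments v2ray out) silently ends with the later `PLUGIN`/`PLUGINOPTS` assignment winning. Chain them as `{% elif ss_config.plugin.cloak is defined %}` inside the existing `{% if %}`, or add an `assert` task that rejects both plugins being set at once. The outer `{% if ss_config.plugin is defined %}` that the final `{% endif %}` closes starts before the hunk.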