I live in a country where ISPs actively block WireGuard through DPI. Regular WireGuard gets fingerprinted and blocked within minutes. AmneziaWG (https://github.com/amnezia-vpn/amneziawg-go) is a WireGuard fork that adds protocol-level obfuscation (randomized packet headers, junk data, QUIC mimicry), making it harder for DPI to detect.
Setting up AmneziaWG manually on a server is painful: build the kernel module via DKMS, generate obfuscation parameters, write configs, set up firewall rules... I kept doing this on fresh VPS installs and finally wrote a script to automate it.
The script does the full server setup - kernel module, obfuscation params, firewall, the works. It runs as a state machine so it survives the two reboots you need for DKMS. After that you manage clients with a separate script that spits out .conf files, QR codes, and vpn:// URIs for the Amnezia app.
Pure Bash, runs on Ubuntu 24.04/25.10 and Debian 12/13. MIT licensed.
Taking into account the DKMS + reboot + config setup, automation like this saves time and headaches.
How stable the obfuscation has been over time — do ISPs eventually catch up?
Been running 2.0 on Russian DPI for a few months - works fine. The old version (1.x) randomized packet headers, but ISPs figured out that random bytes are themselves a fingerprint and started throttling (~3 Mbit on some mobile ISPs here).
2.0 is smarter - packets mimic actual QUIC or DNS traffic instead of looking random. ISPs can't easily filter that without breaking real QUIC, which is half the internet at this point.
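To make the "random bytes are themselves a fingerprint" point concrete, here is a toy DPI classifier written for this thread. It is an added example, not code from the post above, the linked script, or AmneziaWG, and it does not model AmneziaWG's actual wire format; it only reproduces the property being described. All four packet samples are constructed in the file (filler bytes stand in for ciphertext), and the thresholds and labels are assumptions chosen for illustration.

```python
"""Toy UDP-payload classifier: why 'scramble everything' gets flagged while
QUIC/DNS-shaped traffic blends in.  Added example; samples are constructed."""
import hashlib
import math
import struct

WG_TYPES = {1: "handshake-init", 2: "handshake-resp", 3: "cookie", 4: "data"}
WG_HANDSHAKE_INIT_LEN = 148          # fixed size of a WireGuard handshake initiation
HIGH_ENTROPY_BITS = 7.5              # assumed threshold, bits per byte


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext or junk."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_wireguard(p: bytes) -> bool:
    # Stock WireGuard: 1-byte message type, then three reserved zero bytes.
    if len(p) < 4 or p[0] not in WG_TYPES or p[1:4] != b"\x00\x00\x00":
        return False
    return len(p) == WG_HANDSHAKE_INIT_LEN if p[0] == 1 else True


def looks_like_quic_long_header(p: bytes) -> bool:
    # RFC 9000 long header: bit7 (long form) and bit6 (fixed bit) set,
    # 4-byte version, then length-prefixed DCID and SCID (each <= 20 bytes).
    if len(p) < 7 or (p[0] & 0xC0) != 0xC0:
        return False
    version = struct.unpack(">I", p[1:5])[0]
    if version not in (0x00000001, 0x6B3343CF):      # QUIC v1, QUIC v2
        return False
    dcid_len = p[5]
    if dcid_len > 20 or len(p) < 6 + dcid_len + 1:
        return False
    scid_len = p[6 + dcid_len]
    return scid_len <= 20 and len(p) >= 7 + dcid_len + scid_len


def looks_like_dns_query(p: bytes) -> bool:
    # 12-byte DNS header with QR=0, opcode 0 and exactly one question.
    if len(p) < 12:
        return False
    flags, qdcount = struct.unpack(">HH", p[2:6])
    return (flags & 0xF800) == 0 and qdcount == 1


def classify(p: bytes) -> str:
    """Label a naive DPI box would assign to a single UDP payload."""
    if looks_like_wireguard(p):
        return "wireguard"
    if looks_like_quic_long_header(p):
        return "quic"
    if looks_like_dns_query(p):
        return "dns"
    if len(p) > 64 and entropy_bits_per_byte(p) > HIGH_ENTROPY_BITS:
        # Nothing parses and the bytes are near-maximal entropy: exactly the
        # signature a 'randomize the header, add junk' approach leaves behind.
        return "opaque-high-entropy"
    return "other"


# --- constructed samples -------------------------------------------------
def sample_wireguard_handshake() -> bytes:
    return b"\x01\x00\x00\x00" + pseudo_random(144)


def sample_randomized_obfuscation() -> bytes:
    # Header scrambled and padded with junk: no structure, ~7.9 bits/byte.
    return pseudo_random(1200, b"junk")


def sample_quic_initial_mimic() -> bytes:
    # Shaped like a QUIC v1 Initial padded to the 1200-byte minimum; the
    # 'encrypted' body is filler.  Layout: first byte, version, DCID len,
    # DCID, SCID len (0), token len (0), 2-byte varint length, body.
    dcid = pseudo_random(8, b"dcid")
    head = bytes([0xC3]) + struct.pack(">I", 1) + bytes([len(dcid)]) + dcid
    head += b"\x00" + b"\x00"
    body_len = 1200 - len(head) - 2
    head += struct.pack(">H", 0x4000 | body_len)
    return head + pseudo_random(body_len, b"quic-body")


def sample_dns_query_mimic() -> bytes:
    # Standard A query for example.com: ID, flags RD=1, QDCOUNT=1.
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)


if __name__ == "__main__":
    for name, pkt in [("wireguard", sample_wireguard_handshake()),
                      ("randomized", sample_randomized_obfuscation()),
                      ("quic-mimic", sample_quic_initial_mimic()),
                      ("dns-mimic", sample_dns_query_mimic())]:
        print(f"{name:11s} len={len(pkt):4d} "
              f"H={entropy_bits_per_byte(pkt):.2f} -> {classify(pkt)}")
```

Running it shows the randomized blob landing in the "opaque-high-entropy" bucket, which is trivial to throttle, while the QUIC-shaped packet is indistinguishable from a browser's QUIC Initial at this layer, so dropping it means dropping real QUIC. Real DPI also looks at packet sizes, timing and flow statistics, so header mimicry alone is not the whole story; the example only shows the first-packet heuristic the comment refers to.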
My first thought was that randomized traffic would be the solution, but it makes sense that it stands out more than traffic that blends in by mimicking real stuff.
Fingers crossed they won't figure it out quickly.
I'll ask my friends if they are up to trying it, for now they are just using different VPNs.
This HN thread about Russia blocking WireGuard (https://news.ycombinator.com/item?id=39067213) was one of the things that motivated me.