AmneziaWG VPN

Keywords

Self-Deploying AmneziaWG VPN Server — Complete Guide

AmneziaWG is a protocol designed to solve a specific problem: how to achieve WireGuard speeds when the networks you connect to actively try to block it? It is a fork of WireGuard created by the Amnezia VPN team, and it does what the original does not — it randomizes the transport layer so that deep packet inspection systems cannot identify it. The encryption remains exactly the same. Only the appearance of the packets in the network changes.

The broad landscape of VPN obfuscation has been an arms race over the years. Tools like Shadowsocks, VLESS+Reality, and OpenVPN with obfs4 attempt to disguise traffic in various ways — some as proxies, some as full tunnels, some with high performance costs. AmneziaWG occupies a specific niche: it is a full VPN tunnel with WireGuard-level performance and built-in DPI protection, all in one package. And since it is open-source, you can deploy it on your own server.

But here’s the problem that makes this necessary. You set up WireGuard. It works perfectly — fast, clean, reliable. Then one fine day, it stops. No error message, no timeout, no connection refusal. Packets just disappear. This is what DPI blocking looks like in practice: your tunnel is still operational, your configuration is still correct, and nothing is passing through. This is the reality in Russia (where WireGuard has about a 12% success rate), Iran (98% packet loss), and a growing list of countries including China, Egypt, UAE, Turkey, Belarus, Uzbekistan, Kazakhstan, Myanmar, and Pakistan.

Traditional alternatives do not fully solve this problem. Shadowsocks is a proxy, not a full VPN tunnel — your DNS and non-TCP traffic will still leak. OpenVPN with obfs4 works but has about 25% performance overhead. VLESS+Reality offers strong obfuscation but is proxy-based and complex to set up. AmneziaWG fills the gap: it is a full VPN tunnel with WireGuard-level performance and built-in DPI protection.

This guide will walk you through deploying a fully functional AmneziaWG 2.0 server on any KVM VPS in less than 15 minutes using a single community installer script. By the end, you will have a working VPN tunnel that you can connect to from any device. The steps are provider-agnostic — they work on any VPS with SSH access and root privileges, whether from AlexHost, AvaHost, or another. This is written for users with an intermediate level of technical skill who are comfortable working with SSH and basic Linux commands.

One clarification before we begin: AmneziaWG is a protocol. AmneziaVPN is a client application that connects to it. They are related but distinct — like TLS for your browser. You will need an application to connect, but the protocol is what runs on your server.

But before we deploy anything, you need to understand what makes AmneziaWG different from WireGuard — and why that difference matters when DPI is watching you.

What is AmneziaWG? (Mental Model)

WireGuard is elegant in its design. It has a small codebase, uses modern cryptography, and runs in the Linux kernel for nearly native performance. But this elegance has a visibility problem: every WireGuard packet carries the same fixed header structure, the same fixed packet sizes, and the same handshake pattern. For a deep packet inspection system, the WireGuard tunnel has a signature as clear as a barcode. Once a DPI device learns this signature, it can drop every packet without blocking the port or closing the connection.

Think of it this way. WireGuard is like a courier who always wears the same uniform — fast, reliable, and efficient. But anyone watching the road learns to recognize that uniform and can stop the courier at any checkpoint. AmneziaWG is the same courier carrying the same packages, but he changes his uniform at every checkpoint. The same person, the same cargo, a completely different appearance.

Version history matters. AmneziaWG 1.x introduced custom headers that differed from WireGuard’s fixed values — this helped for a time, but DPI systems adapted. AmneziaWG 2.0, released in late 2025, randomizes everything: headers change from packet to packet, padding varies from message to message, and substitute packets mimic other protocols before the actual handshake begins. There is no universal signature for detection because each AmneziaWG 2.0 server generates its own unique set of parameters. Each server speaks its own dialect.

When all obfuscation parameters are set to zero, AmneziaWG behaves identically to WireGuard — it is fully backward compatible at the protocol level. But with active parameters (which is the default setting), it becomes what WireGuard cannot be: a fast VPN tunnel that DPI systems struggle to identify.

So how exactly does AmneziaWG encrypt its traffic? Let’s look at the four levels of obfuscation that make DPI blind — and why they add almost no speed costs.

How AmneziaWG Hides from DPI (Without Speed Loss)

AmneziaWG 2.0 uses four levels of obfuscation that work together. Each targets a different way that DPI systems identify VPN traffic. Together, they make the traffic of each server unique.

Dynamic Headers (H1–H4)

WireGuard uses fixed 32-bit message type identifiers:

• 1 — for initiation
• 2 — for response
• 3 — for response with cookie
• 4 — for data

A DPI device scanning traffic simply looks for these values. AmneziaWG 2.0 replaces each fixed value with a random number chosen from a specified range. The initiation header (H1) can be any value from 234567 to 345678. The response header (H2) can be from 3456789 to 4567890. These ranges never overlap — the protocol still needs to distinguish packet types internally — but for an outside observer, there is no single header value to latch onto. Each packet looks different from the previous one.

Random Padding (S1–S4)

The initiation packet of WireGuard is always exactly 148 bytes. Its response is always exactly 92 bytes. These fixed sizes are another fingerprint. AmneziaWG adds random padding to each packet type: initiation becomes 148+S1 bytes, response becomes 92+S2 bytes, response with cookie becomes 64+S3 bytes, and each data packet receives S4 bytes of padding. S3 and S4 are new in version 2.0 — and S4 is the most significant addition, as it affects every single data packet, making session-level traffic analysis much more difficult.

There is one critical constraint: S1+56 must not equal S2. Since the original size difference between initiation and response is 56 bytes (148−92), if the padding values randomly compensate for exactly that difference, two padded packets will end up the same size — recreating the fingerprint that AmneziaWG is trying to eliminate. The installer’s parameter generator automatically ensures this constraint.

Custom Protocol Signature (I1–I5)

Before the actual handshake begins, the AmneziaWG client sends up to five substitute packets that mimic other protocols — QUIC, DNS, SIP, or custom byte patterns. The server completely ignores these packets. It simply waits for the real handshake.

• Simple configuration: Sends 128 random bytes <r 128>.
• Complex configuration: Sends bytes that look like initiating a QUIC connection (<b 0xc000000001><r 64><t>), with a Unix timestamp.

For a DPI system observing the session start, the first packets look like regular web traffic.

Junk Packets (Jc, Jmin, Jmax)

After the substitute packets, the client sends a customizable number of junk packets — pure noise with random sizes from Jmin to Jmax. These packets blur the timing and size profile of the session start, making it harder for DPI systems to identify where the real handshake begins.

Speed Question

There is a number circulating on the internet: AmneziaWG has 65% overhead. This figure is real, but it refers to the user-space Go implementation — not the kernel module. The community installer used in this guide builds a DKMS kernel module, and the kernel module adds less than 12% overhead overall — closer to 3% in real tests. On an uncensored network, you would see about 95 Mbps through WireGuard and 92 Mbps through AmneziaWG 2.0. On a censored network, the comparison is 92 Mbps versus zero.

The following table summarizes the parameters that the installer generates automatically:

You do not need to set any of these parameters manually. The installer generates cryptographically random values that meet the constraints every time.

Now that you know how obfuscation works, let’s see how AmneziaWG compares to alternatives you might be considering.

AmneziaWG vs Alternatives — Quick Decision-Making Guide

The decision-making rules are simple:

• No DPI in your country? Use regular WireGuard. It’s easier and has a broader ecosystem.
• Need maximum DPI protection and don’t mind proxies? VLESS+Reality is the strongest option for obfuscation, but it’s not a full tunnel.
• Want both speed and a full tunnel with obfuscation? AmneziaWG 2.0 is the only option that delivers WireGuard-level performance with real DPI protection in a full VPN tunnel.
• Already using OpenVPN+obfs4 and it’s still working? No urgent need to switch, but AmneziaWG will be noticeably faster.

This article focuses on AmneziaWG because it is the only protocol that provides you with a full tunnel, kernel-level performance, and built-in obfuscation — all set up with a single script.

If AmneziaWG is the right choice for your situation, here’s what you need before starting the deployment.

What You Need Before You Start

Before running the installer, ensure that your environment meets these requirements:

⚠️ Warning: LXC containers are not supported. If your VPS uses LXC virtualization, the DKMS kernel module build will fail. You must use KVM or bare-metal. Check with your provider if you are unsure.

⚠️ Warning: If your SSH is running on a non-standard port (anything other than 22), you must open it in UFW before running the installer:
sudo ufw allow YOUR_PORT/tcp
Replace YOUR_PORT with your actual SSH port. The installer includes UFW with a default policy — if your SSH port is not allowed, you will be immediately blocked.

💡 Tip: Wait 5–10 minutes after creating your VPS before running the installer. Cloud-init and background initialization processes may conflict with the calls apt-get that the installer makes.

With your VPS ready and prerequisites confirmed, let’s deploy AmneziaWG 2.0 using the community installer script — the fastest and most transparent method.

Method 1 — Deploy with the CLI Installer (Recommended)

This is the primary installation method. You’ll download a version-pinned installer script, run it as root, walk through eight automated steps (with two expected reboots), and end up with a fully configured AmneziaWG 2.0 server. The installer handles everything: package installation, kernel module compilation, firewall configuration, parameter generation, and service startup.

6.1 — Connect to Your VPS via SSH

Open your terminal and connect to your server:
ssh root@<SERVER_IP>
Replace <SERVER_IP> with your VPS’s actual public IP address. If your provider gave you a non-root user, log in with that user and then escalate:
ssh <username>@<SERVER_IP>
sudo -i
You should see the Ubuntu 24.04 welcome banner followed by a root prompt:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-xx-generic x86_64)
...
root@vps:~#

6.2 — Download and Run the Installer

Download the installer script, make it executable, and run it:

wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.8.1/install_amneziawg_en.sh
chmod +x install_amneziawg_en.sh
sudo bash ./install_amneziawg_en.sh

The URL is version-pinned to v5.8.1 — the latest release as of April 2026. This is supply-chain safety: it ensures the downloaded script matches the tested version, even if the repository has been updated since.

The installer begins by checking your system:

============================================
AmneziaWG 2.0 Installer v5.8.1
============================================
Checking system requirements...
OS: Ubuntu 24.04 LTS — OK
Virtualization: KVM — OK
RAM: 1024 MB — OK
Disk: 25 GB free — OK

If any check fails, the installer stops and tells you why. Fix the issue and re-run the command.

6.3 — Walk Through the Installer Prompts

The installer is an eight-step state machine with resume-after-reboot support. It saves its progress to /root/awg/setup_state, so if the server reboots, you just run the same command again and it picks up where it left off.

Step 0: Initialization — The installer checks your OS, virtualization type, RAM, and disk space. It creates the /root/awg/ working directory and sets up a lock file to prevent parallel runs.

Step 1: System Update & Package Installation — The installer runs apt-get update && apt-get upgrade -y, then installs AmneziaWG, DKMS, Linux headers, UFW, Fail2Ban, QR code generation tools, and other dependencies.

📝 Note: The installer also removes several background services that consume resources on minimal VPS instances: snapd, modemmanager, networkd-dispatcher, unattended-upgrades, packagekit, lxd-agent-loader, and udisks2. This is intentional and safe.

When Step 1 completes, the installer requests a reboot:

Reboot required. Reboot now? [y/n]:

Type y and press Enter. After the server comes back up, SSH in again and re-run the same command:

sudo bash ./install_amneziawg_en.sh

The script reads its saved state and continues to Step 2 without re-asking any prompts.

Step 2: DKMS Kernel Module Build — The installer compiles the AmneziaWG kernel module against your current kernel and registers it with DKMS for automatic rebuild on future kernel updates:

Step 2: Building AmneziaWG kernel module via DKMS...
Creating symlink /var/lib/dkms/amneziawg/2.0/source -> /usr/src/amneziawg-2.0
DKMS: add completed.
Kernel preparation completed.
Building module:
make -C /lib/modules/6.8.0-xx-generic/build M=/var/lib/dkms/amneziawg/2.0/build modules
DKMS: build completed.
DKMS: install completed.

A second reboot is requested. Type y and press Enter.

📝 Note: Two reboots during installation are normal and expected. The first loads new kernel headers, the second activates the newly built kernel module. The script saves state between reboots — nothing is lost.

After the second reboot, SSH back in and run the installer one more time:

sudo bash ./install_amneziawg_en.sh

Step 3: Post-Reboot Module Verification — The script verifies the kernel module is loaded (lsmod | grep amneziawg). If the DKMS build failed for any reason, it falls back to the userspace Go implementation with a warning about the higher overhead.

Step 4: Firewall Setup — UFW is enabled with a default-deny incoming policy. The installer adds an SSH rate-limiting rule on port 22, opens your VPN port for UDP traffic, and configures routing rules for the awg0 interface.

Step 5: Download Management Scripts — The client management scripts (manage_amneziawg_en.sh and awg_common_en.sh) are downloaded to /root/awg/ with owner-only permissions (700). These are also version-pinned to v5.8.1.

Step 6: Interactive Configuration — The installer now asks four questions:

• UDP port (default: 39743, range 1024–65535). The default is a random high port — keep it unless your ISP is known to block high UDP ports.
• Tunnel subnet (default: 10.9.9.1/24). This is your internal VPN network. The server gets .1, clients get .2 through .254, supporting up to 253 clients.
• Disable IPv6 (default: Y). Recommended — disabling IPv6 prevents traffic from leaking outside the tunnel on IPv6 routes.
• Routing mode: Choose 1 for all traffic, 2 for Amnezia List + DNS (recommended), or 3 for custom networks. Mode 2 routes only blocked public IP ranges and DNS through the VPN, keeping your local network access fast and direct.

💡 Tip: The MTU is set to 1280 by default. This is the minimum IPv6 MTU and is critical for mobile and cellular networks. iOS is strict about Path MTU Discovery, and cellular networks often have effective MTU below WireGuard’s default of 1420. Leave this at 1280.

Step 7: Service Start — The installer generates the server configuration at /etc/amnezia/amneziawg/awg0.conf, creates two default client configs (my_phone and my_laptop) at /root/awg/, generates QR codes, and starts the awg-quick@awg0 systemd service.

Step 8: Completion — You’ll see the success message:

============================================
AmneziaWG 2.0 installation and configuration completed SUCCESSFULLY!
============================================

The installer generates all AmneziaWG 2.0 obfuscation parameters automatically. You don’t need to touch them. Each server gets a unique set of values — there’s no universal fingerprint for DPI systems to detect.

6.4 — Managing Clients After Installation

The management script at /root/awg/manage_amneziawg.sh handles all client lifecycle operations. Here are the essential commands:

Add a new client:

sudo bash /root/awg/manage_amneziawg.sh add my_desktop

This generates a .conf file, QR code, and .vpnuri file for the new client. The server config is hot-reloaded — no service restart needed.

Add a temporary auto-expiring client:

sudo bash /root/awg/manage_amneziawg.sh add guest --expires=7d

A cron job checks every five minutes and automatically removes the client when it expires. The config, keys, and server entry are all cleaned up.

List all clients:

sudo bash /root/awg/manage_amneziawg.sh list

Clients:
  my_phone     (10.9.9.2/32)
  my_laptop    (10.9.9.3/32)
  my_desktop   (10.9.9.4/32)
  guest        (10.9.9.5/32) [expires in 6d 23h]

Add the -v flag for additional details including public keys and creation dates.

Remove a client:

sudo bash /root/awg/manage_amneziawg.sh remove guest

Check full server status:

sudo bash /root/awg/manage_amneziawg.sh check

This shows the service state, open port, all AWG 2.0 parameters, kernel module status, UFW status, and Fail2Ban status in one view.

View traffic statistics per client:

sudo bash /root/awg/manage_amneziawg.sh stats

Client          Received        Sent            Latest handshake
───────────────────────────────────────────────────────────────────
my_phone        1.24 GiB        356.7 MiB       2 minutes ago
my_laptop       892.3 MiB       128.4 MiB       15 seconds ago
my_desktop      0 B             0 B             (none)

Create a backup:

sudo bash /root/awg/manage_amneziawg.sh backup

This creates a compressed archive at /root/awg/backups/ containing your server config, client configs, keys, and expiry data.

📝 Note: The add and remove commands use awg syncconf for hot-reload. The server config updates instantly without restarting the service. Only use restart when changing server-side parameters like the port or MTU.

6.5 — Verify the Server Is Running

Run through these checks to confirm everything is operational:

Check the systemd service:

sudo systemctl status awg-quick@awg0

● awg-quick@awg0.service - AmneziaWG Quick via awg-quick(8) for awg0
     Loaded: loaded (/lib/systemd/system/awg-quick@.service; enabled)
     Active: active (exited) since Thu 2026-04-09 14:32:01 UTC

Verify AmneziaWG status and parameters:

sudo awg show awg0

Verify the firewall:

sudo ufw status verbose

Status: active
Default: deny (incoming), allow (outgoing)
22/tcp                     LIMIT IN    Anywhere
39743/udp                  ALLOW IN    Anywhere

Verify Fail2Ban:

sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  `- Total failed: 0
`- Actions
   |- Currently banned: 0
   `- Banned IP list:

Verify the DKMS kernel module:

dkms status

amneziawg/2.0, 6.8.0-xx-generic, x86_64: installed

If all five checks pass, your AmneziaWG 2.0 server is running and ready to accept connections.

Your server is running and verified. If you prefer a GUI-driven approach instead of the terminal, here’s the alternative method using the AmneziaVPN app.

Method 2 — Deploy with the AmneziaVPN App (Alternative)

The AmneziaVPN desktop application can auto-install AmneziaWG on your server via SSH. It uses the same underlying installer script as the CLI method, but wraps everything in a guided interface. This is ideal if you want a hands-off installation experience.

1. Download AmneziaVPN from amnezia.org/en/downloads. It’s available for Windows, macOS, Linux, Android, and iOS.
2. Open the app and click the ➕ (plus icon) or Get Started.
3. Select “Self-hosted VPN” from the options presented.
4. Enter your server credentials:
   • Server IP address (and port if SSH isn’t on 22, e.g., 203.0.113.10:2221)
   • SSH username (e.g., root)
   • Password or SSH private key
5. Choose the installation type:
   • Automatic — installs only AmneziaWG (recommended)
   • Manual — choose a specific protocol from the list
6. Click “Install” — the app connects to your server via SSH and runs the installation automatically. You’ll see a progress indicator.
7. After installation, the app creates a ready-to-use VPN connection profile.

Post-installation notes:

• The app installs AmneziaWG with a random port by default. Some ISPs block UDP on high ports. The app recommends changing to a port below 9999 (such as 585 or 1234). To change it: click the gear icon next to the connection → Management tab → change the port number.
• If your server already has Amnezia software installed, click “Skip setup” during connection creation, then use “Check the server for previously installed Amnezia services” in the Management tab.

Here’s how the two methods compare:

manage_amneziawg.sh

Whether you used the CLI or the app, your server is ready. Now let’s connect your first device.

Connecting Your First Client

After installation, you have three ways to import the client configuration into the Amnezia VPN app. Pick the one that matched your device.

Method A: QR Code (Mobile)

The installer generated a QR code at /root/awg/my_phone.png. Download it to your computer:

scp root@<SERVER_IP>:/root/awg/my_phone.png .

Open the PNG file on your screen. On your phone, open the Amnezia VPN app, tap “Add VPN” → “Scan QR code”, and point your camera at the QR code on your screen. The connection imports automatically.

Method B: vpn:// URI (Amnezia Client)

Display the compressed URI on your server:

cat /root/awg/my_phone.vpnuri

Copy the entire vpn://… string and send it to yourself — via Telegram, email, or a notes app. On your phone, open the Amnezia VPN app, tap “Add VPN” → “Paste from clipboard”. The configuration imports in one step.

The URI is a zlib-compressed, Base64-encoded version of the full config file. It’s compact and designed for quick sharing.

Method C: .conf File (Desktop/Windows)

Download the configuration file:

scp root@<SERVER_IP>:/root/awg/my_phone.conf .

Open the AmneziaWG for Windows client or the AmneziaVPN desktop app, click “Import tunnel(s) from file”, and select the .conf file.

Verify the Connection

Once connected, verify the tunnel is routing your traffic through the server:

curl ifconfig.me

The output should show your server’s public IP address, not your local one: 203.0.113.1

For more detail, including the server’s geographic location:

curl -s https://ipinfo.io/json

{
  "ip": "203.0.113.1",
  "city": "Amsterdam",
  "region": "North Holland",
  "country": "NL",
  ...
}

⚠️ Warning: The standard WireGuard client does not work with AmneziaWG 2.0 configurations. You must use the Amnezia VPN app (version 4.8.12.7 or later) or a native AmneziaWG client (version 2.0.0 or later on Windows/Android/iOS).

⚠️ Warning: If you see “Invalid key: s3” on Windows, your AmneziaWG Windows client is outdated (version below 2.0.0). Update to version 2.0.0+ or switch to the Amnezia VPN app.

💡 Tip: If you’re connected but have no internet, check that your client config has MTU = 1280 in the [Interface] section. This is the most common cause of “handshake succeeds but no traffic” on mobile networks.

Your VPN tunnel is working. Here’s where to go from here to get the most out of your setup.

What Next — Extending Your Setup

You now have a DPI-resistant VPN tunnel running on your own server, under your control, with WireGuard-grade speed. The silent packet death that killed your WireGuard connection is no longer a problem — your traffic looks like nothing a DPI system can reliably identify.

Here are the most useful things you can do next:

1. Add clients for your family or team — use the management script to generate configs for every device that needs access.
2. Configure split tunneling if you don’t need full-tunnel routing — it keeps local traffic fast and reduces bandwidth on your VPS.
3. Back up your configs — run the backup command and store the archive somewhere safe. If your server ever needs rebuilding, this is what saves you from starting over.

Configure split tunneling if you don’t need all traffic routed through the VPN. This is especially useful in countries with partial censorship — route only blocked sites through the tunnel and keep local traffic direct:

sudo bash /root/awg/manage_amneziawg.sh modify my_phone AllowedIPs "192.168.1.0/24,10.0.0.0/8"

Change your client DNS if you prefer different resolvers:

sudo bash /root/awg/manage_amneziawg.sh modify my_phone DNS "8.8.8.8,1.0.0.1"

Adjust PersistentKeepalive if you’re on an aggressive NAT setup. The default of 33 seconds maintains the UDP session through NAT — lowering it to 25 can help on networks that drop idle UDP sessions quickly:

sudo bash /root/awg/manage_amneziawg.sh modify my_phone PersistentKeepalive 25

Install on your router for whole-network coverage. AmneziaWG is supported on Keenetic routers via AWG Manager and on ASUS routers running Asuswrt-Merlin via AmneziaWG for Merlin.

Back up your configuration now, before anything changes:

sudo bash /root/awg/manage_amneziawg.sh backup

If you ever need to migrate to a new server, run a fresh install and then:

sudo bash /root/awg/manage_amneziawg.sh restore
sudo bash /root/awg/manage_amneziawg.sh regen

The restore command brings back your configs and keys, and regen updates the client configurations with the new server IP.

For deeper documentation, the official Amnezia docs are at docs.amnezia.org and the community is active on Telegram.

If you’re looking for a reliable VPS to host your AmneziaWG server — or need to scale up with additional endpoints for team members — AvaHost provides KVM virtualization with full root access, NVMe storage, and Ubuntu 24.04 support that this setup requires. Their infrastructure is purpose-built for the kind of self-hosted deployments this guide covers.