AmneziaWG on a VPS: Obfuscated WireGuard That Defeats DPI
AmneziaWG is a fork of WireGuard that keeps the fast, modern crypto but removes the fixed handshake fingerprint that censors block on sight. It pads packets, randomizes message headers and fires junk packets before each handshake, so deep packet inspection sees noise instead of a textbook WireGuard session. This guide explains exactly how the obfuscation works, how to self-host it on an offshore VPS, and when it beats plain WireGuard for Russia, Iran and China.
Why plain WireGuard gets blocked
WireGuard is fast and clean, but that cleanliness is exactly what makes it easy to censor. Every standard WireGuard session begins with a handshake initiation message that has a fixed 148-byte length and a recognizable first byte (message type 0x01). The handshake response is always 92 bytes. A deep packet inspection (DPI) box does not need to break the encryption to block you - it only has to match those byte patterns and packet sizes, then drop the UDP flow or throttle it to uselessness.
This is precisely what state DPI systems in Russia (TSPU), Iran and China do. Once they fingerprint the handshake, plain WireGuard dies within seconds of connecting, and the IP often gets flagged for further scrutiny. AmneziaWG was built to remove that fingerprint while keeping WireGuard's speed and Noise-protocol cryptography intact.
How AmneziaWG hides the handshake
AmneziaWG (a fork of wireguard-go) adds obfuscation parameters that distort the parts of the protocol DPI keys on. Set them all to zero and it behaves like ordinary WireGuard, which makes migration painless. The parameters fall into three groups:
- Junk packets - Jc, Jmin, Jmax. Before every handshake the client sends Jc junk packets (recommended 0-10) of random size between Jmin and Jmax bytes (typically 64-1024). They carry no data, so they only need to be set on the client side. To DPI, the real handshake is now buried in a burst of random-length noise.
- Header randomization - H1, H2, H3, H4. Every WireGuard message starts with a 4-byte type field (1=init, 2=response, 3=cookie, 4=data). AmneziaWG replaces those static values with custom 32-bit headers. H1-H4 must each be unique and must match on both client and server, so the tell-tale 0x01 init byte simply no longer exists on the wire.
- Packet padding - S1, S2, S3, S4. Random prefix bytes (0-64 for S1-S3, 0-32 for S4) are prepended to the init, response, cookie and data messages. This breaks the fixed 148/92-byte length signatures. Padding must be identical on both ends.
The net effect: a censor's DPI engine sees a stream of UDP datagrams with unpredictable headers, varying lengths and a handshake smeared across junk traffic. There is no stable pattern left to match, so the flow looks like generic encrypted UDP rather than a known VPN protocol.
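The size-and-type match described above, and what padding and header replacement do to it, as an added Python sketch (not AmneziaWG's own code). The framing is a simplified model built from this guide's description; the function names are hypothetical and the packet bodies are random filler standing in for the encrypted handshake fields.

```python
import os
import secrets
import struct

# Plain WireGuard signatures from the text: (4-byte type as LE uint32, datagram length).
WG_SIGNATURES = {(1, 148): "handshake-init", (2, 92): "handshake-response"}


def classify(payload: bytes):
    """Return the message name a size+type matcher would report, or None."""
    if len(payload) < 4:
        return None
    (msg_type,) = struct.unpack_from("<I", payload)
    return WG_SIGNATURES.get((msg_type, len(payload)))


def frame(msg_type: int, length: int, header=None, pad: int = 0) -> bytes:
    """Model one handshake datagram: `pad` random prefix bytes (S1/S2), then a
    4-byte header (H1/H2, or the stock type when header is None), then filler."""
    value = msg_type if header is None else header
    return os.urandom(pad) + struct.pack("<I", value) + os.urandom(length - 4)


def junk_burst(jc: int, jmin: int, jmax: int):
    """Jc junk datagrams of random length in [Jmin, Jmax], sent before the handshake."""
    return [os.urandom(jmin + secrets.randbelow(jmax - jmin + 1)) for _ in range(jc)]


if __name__ == "__main__":
    # Constructed samples; H1/S1 reuse the values from this guide's example config.
    samples = {
        "plain init": frame(1, 148),
        "plain response": frame(2, 92),
        "init with H1 only": frame(1, 148, header=1234567890),
        "init with H1 + S1": frame(1, 148, header=1234567890, pad=86),
    }
    for name, pkt in samples.items():
        print(f"{name:20} len={len(pkt):4} match={classify(pkt)}")
    print("junk sizes:", [len(p) for p in junk_burst(4, 50, 1000)])
```
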
Self-hosting AmneziaWG on an offshore VPS
Running your own server gives you a clean, unflagged IP that no commercial VPN shares - the single biggest factor in staying unblocked. Spin up a VPS in a privacy-friendly jurisdiction, then install the kernel module or the Go userspace implementation:
git clone https://github.com/amnezia-vpn/amneziawg-linux-kernel-module
cd amneziawg-linux-kernel-module/src && make && sudo make install
# userspace alternative (no kernel build):
# go install github.com/amnezia-vpn/amneziawg-go@latest

The config file mirrors WireGuard but adds the obfuscation keys under [Interface]:
[Interface]
PrivateKey = <server-private-key>
Address = 10.13.13.1/24
ListenPort = 51820
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 86
S2 = 574
H1 = 1234567890
H2 = 2345678901
H3 = 3456789012
H4 = 4123456789
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.13.13.2/32

Bring it up with awg-quick up awg0. The Jc/Jmin/Jmax values can differ per client, but every device must share identical S1-S4 and H1-H4 values with the server or the tunnel will never establish. Pick the same headers once and reuse them across all your peers. Choose a non-default ListenPort (avoiding 51820 itself) to dodge port-based blocking, and consider 443/udp where QUIC is common.
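A pre-deployment check for the sync requirement above, as an added Python example (not part of the AmneziaWG tooling): it compares the [Interface] sections of a server and a client config and reports S1-S4/H1-H4 mismatches, duplicate headers and an inverted Jmin/Jmax. The function names and the sample configs are constructed for illustration.

```python
SHARED_KEYS = ("S1", "S2", "S3", "S4", "H1", "H2", "H3", "H4")


def interface_params(config_text: str) -> dict:
    """Collect integer-valued keys from the [Interface] section of an awg config."""
    params, section = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "interface" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.isdigit():
                params[key] = int(value)
    return params


def sync_problems(server_text: str, client_text: str) -> list:
    """List the mismatches that would keep the tunnel from establishing."""
    server, client = interface_params(server_text), interface_params(client_text)
    problems = [f"{k}: server={server.get(k)} client={client.get(k)}"
                for k in SHARED_KEYS if server.get(k) != client.get(k)]
    for name, side in (("server", server), ("client", client)):
        headers = [side[h] for h in SHARED_KEYS[4:] if h in side]
        if len(set(headers)) != len(headers):
            problems.append(f"{name}: H1-H4 must each be unique")
        if "Jmin" in side and "Jmax" in side and side["Jmin"] > side["Jmax"]:
            problems.append(f"{name}: Jmin is greater than Jmax")
    return problems


# Constructed sample configs; values follow this guide's example, the key is a placeholder.
SERVER = """
[Interface]
PrivateKey = <server-private-key>
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 86
S2 = 574
H1 = 1234567890
H2 = 2345678901
H3 = 3456789012
H4 = 4123456789
"""
CLIENT_OK = SERVER.replace("Jc = 4", "Jc = 7")      # Jc may differ per client
CLIENT_BAD = SERVER.replace("H3 = 3456789012", "H3 = 1234567890")  # typo'd header
```
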
For a side-by-side comparison and a vanilla setup first, see our WireGuard VPS setup guide. AmneziaWG is a drop-in upgrade once plain WireGuard works.
When AmneziaWG beats plain WireGuard
AmneziaWG is the right tool in heavily censored networks where DPI actively fingerprints protocols:
- Russia. TSPU equipment blocks plain WireGuard and many commercial VPN endpoints. A self-hosted AmneziaWG server on a fresh IP routinely survives where stock WireGuard is cut within seconds.
- Iran and China. Both run aggressive DPI and active probing. Header randomization plus junk packets remove the static signatures their systems rely on. For the strictest networks, AmneziaWG is often paired with a protocol like VLESS+Reality as a fallback layer.
- ISP throttling. Some providers throttle anything that looks like a VPN. Because AmneziaWG no longer matches a VPN signature, it usually avoids the throttle entirely.
It is overkill in uncensored networks - plain WireGuard is simpler and slightly faster there. The trade-off is minor: junk packets add a little overhead, and you must keep client and server obfuscation values in sync. For most users in restricted regions that cost is well worth an unblocked, low-latency tunnel.
The infrastructure matters as much as the protocol. A shared commercial VPN IP that thousands of people use is easy to blacklist; a private offshore VPS with a dedicated IP is not. Pair AmneziaWG with an offshore VPS in a jurisdiction that ignores foreign data requests, or step up to a dedicated offshore server if you need more bandwidth for multiple users. Pay in Bitcoin or Monero and only an email is needed to register.