We create our own VPN with the AmneziaWG protocol protected from blocking, or WireGuard at maximum speed

Hi all! Perhaps very soon various news and IT resources will be cleared of information about ways to bypass blocking. Until this happens, let's stock up on useful guides and deploy our own VPNs with protocols protected from blocking. I'll tell you how to do this, how Amnezia has changed, and how we protected WireGuard from blocking.

The mini-guide is at the end of the article; first, a few words about the project. Amnezia is a free, open source, self-hosted application. It allows you to create a personal VPN on your own server in two clicks. The user just needs to purchase a virtual server (VPS) from any VPS provider, enter the server data into the application, and select the censorship level for their region. More details about the operating principle are in the previous article.

Over the life of the project, we have added many protocols, including WireGuard, OpenVPN and IKEv2 for Windows. And after the start of mass blocking of sites and VPN protocols in Russia, we seriously thought about vulnerabilities to DPI systems and added support for ShadowSocks and OpenVPN over Cloak.

The first versions of ShadowSocks turned out to be vulnerable to blocking in many countries, so in the future we plan to add it in a more modern and secure interpretation. OpenVPN over Cloak, on the contrary, has proven to be very resistant to blocking, and is now used by residents of Iran, Turkmenistan and China. This is one of the few solutions that is currently not subject to blocking in these regions.

Despite all its advantages, OpenVPN over Cloak slows down the Internet in many cases, so we started looking for a secure protocol with faster speeds. We thought a lot and, temporarily putting aside other tasks, came to a decision: simply protect everyone's favorite WireGuard. So, based on WireGuard-GO, we released our own fork, AmneziaWG. It is already available in the Amnezia app.

A little about how AmneziaWG works:

The protocol is backward compatible with WireGuard. The AmneziaWG implementation lets you change some static parameters in WireGuard by which DPI systems usually recognize the protocol. If you leave these parameters at their defaults (equal to 0), the protocol works like regular WireGuard.

In AmneziaWG, the headers of all packets have been changed: the handshake packet (Initiator to Responder), the response packet (Responder to Initiator), the data packet, and the special "Under Load" packet. By default they have random values, but you can change them yourself in the settings.

Since the packet headers are different for each user, it is simply impossible for tracking systems to write a universal header-based rule that identifies the protocol and blocks it.

Another weak point of WireGuard is the size of authorization packets. In AmneziaWG, random bytes are added to each auth packet to change its size. The init and response packets of the handshake additionally carry "garbage" at the beginning of the data, the size of which is determined by the values of S1 and S2. By default, the initial handshake packet has a fixed size (148 bytes); after adding garbage, its size will be 148 bytes + S1.

The AmneziaWG implementation also provides one more trick for more reliable camouflage. Before the start of the session, Amnezia sends a number of “junk” packets to completely confuse the DPI systems. The number of such packets and their minimum and maximum size in bytes is also set in the settings, using the parameters Jc, Jmin and Jmax.
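The three mechanisms described above (changed headers, S1 garbage in front of the handshake, Jc junk packets before the session) can be modelled in a short Python sketch. This is an added example, not code from the Amnezia project: the function names are hypothetical, the payload is random filler rather than a real handshake, the header value used in testing is constructed, and treating a header of 0 as "unchanged" follows the article's statement about defaults.

```python
import os
import random
import struct

WG_INIT_TYPE = 1    # regular WireGuard handshake-initiation header (LE uint32)
WG_INIT_SIZE = 148  # fixed size of that packet in bytes, as stated above


def build_init(header=0, s1=0):
    """Model a handshake initiation as it appears on the wire.

    header=0 and s1=0 mean "unchanged", i.e. the regular WireGuard layout.
    The body is random filler standing in for the real handshake fields.
    """
    msg_type = header or WG_INIT_TYPE
    body = struct.pack("<I", msg_type) + os.urandom(WG_INIT_SIZE - 4)
    return os.urandom(s1) + body  # S1 bytes of garbage come first


def junk_packets(jc, jmin, jmax):
    """Jc random packets of Jmin..Jmax bytes, sent before the handshake."""
    return [os.urandom(random.randint(jmin, jmax)) for _ in range(jc)]


def session_start(header=0, s1=0, jc=0, jmin=0, jmax=0):
    """Datagrams the client emits at session start, in order."""
    return junk_packets(jc, jmin, jmax) + [build_init(header, s1)]


def looks_like_wireguard_init(datagram):
    """Static rule of the kind a DPI system can write for plain WireGuard:
    fixed packet size plus fixed 4-byte header."""
    return (len(datagram) == WG_INIT_SIZE
            and struct.unpack_from("<I", datagram)[0] == WG_INIT_TYPE)


def flagged(datagrams):
    """Number of datagrams the static rule matches."""
    return sum(looks_like_wireguard_init(d) for d in datagrams)
```

With every parameter left at 0 the rule matches the handshake; changing only the header or only S1 is already enough for it to stop matching, which is why a fixed signature does not carry over between users with different settings.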

We have already managed to successfully test AmneziaWG in China and Russia. It turned out that in terms of speed it is almost as good as regular WireGuard. By the way, we will be glad if you join the testing and write us your impressions at support@amnezia.org. How to start testing is described in the mini-guide at the end of the article.

A little about the new design of Amnezia.

In addition to the new protocol, Amnezia Version 4 is fundamentally different from previous versions in design. Three years ago, Amnezia was a one-man project, and it was then that the design, which has remained unchanged to this day, was created. Now Amnezia is an application with many protocols and services, on which a whole team is working. We are trying to make it more pleasant to use.

So the fourth version is now rendered entirely in a dark theme. We also tried to make the application much clearer so that every user can find the function or button they need. We have also increased the speed of the UI, which allowed us to get rid of micro-delays and old bugs. Regression bugs from version 3 of the application were also fixed, and convenient little things were added. Most importantly, we have finally added Russian and Chinese alongside English, and we are planning to add Farsi in the near future.

In addition to the application, we have a new website with 30 new instructions for each user scenario, and the section with instructions for purchasing a VPS has been redesigned, so now everyone can find the answer to any question related to the application. In general, it is better to show it once than to write a lot of text: https://amnesia.org/

Mini guide

Thank you for reading. As promised, a mini-guide on creating your own VPN with WireGuard protection from blocking – AmneziaWG.

  1. Buy a VPS from any hosting provider. It is important that the operating system is Ubuntu (the officially supported version is 22.04) or Debian 11. Step-by-step instructions are available as an example, but you can choose any other provider.

  2. Install the Amnezia application; there are versions for Windows, Linux, macOS, iOS and Android.

  3. Enter the server data into the application and select the "Medium or High" censorship level (or manually select the AmneziaWG protocol). Then click "Connect"!

Profit! Now you have your own VPN with a protocol protected from blocking, AmneziaWG. It can be used on an unlimited number of devices and shared with other people.
