We got to the kernel, or new features of AmneziaWG

Good afternoon

The Amnezia development team here.
Usually our articles are devoted to the original Amnezia client, but today AmneziaVPN is mentioned only in passing, because we will mainly talk about the AmneziaWG protocol and related projects: the native AmneziaWG client, how to turn a WireGuard configuration into an AmneziaWG one, and how to deploy your own VPN with AmneziaWG on a server without the application.

To be honest, we did not expect such high interest in the protocol. We know that some commercial VPNs are already selling configurations with a ready-made VPN solution in which AmneziaWG is used as the protocol together with the Amnezia application. AmneziaVPN is an open source project that anyone can use for VPN, including commercial VPN solutions, and we hope this trend will continue.

We recently learned that some very popular manufacturers of Internet equipment will support AmneziaWG, which also makes us very happy. We have written about AmneziaWG in previous articles, but for what follows it is important to recall how it works.

How AmneziaWG works.

AmneziaWG is a fork of the WireGuard protocol. We took WireGuard as a basis and made customizable those parameters of the protocol by which DPI systems usually recognize it; if these parameters are left at their defaults (equal to 0), AmneziaWG behaves like regular WireGuard.

In AmneziaWG the headers of all packet types have been changed:

  • the handshake initiation packet (Initiator to Responder),

  • the handshake response packet (Responder to Initiator),

  • the data packet, and

  • the special "under load" packet.

The default header values are random, but you can change them yourself in the settings.

Random bytes are added to each handshake packet to change its size.
So the handshake init and response packets carry "garbage" at the beginning of their data, the size of which is set by S1 and S2. By default the handshake initiation packet has a fixed size (148 bytes); after the garbage is added its size becomes 148 + S1 bytes. These values differ from user to user, so it is impossible to write a universal detection rule. To confuse DPI systems completely, Amnezia also sends a number of "junk" packets before the session starts; the number of such packets and their minimum and maximum size in bytes are set with the parameters Jc, Jmin and Jmax.

When AmneziaWG is installed on a server through AmneziaVPN, the application sets random parameters for every packet type automatically, so it works out of the box: install and connect. What few people know is that any native WireGuard config can be obfuscated to the AmneziaWG level even without installing AmneziaVPN or AmneziaWG on the server. How? It is very simple.

Making AmneziaWG from WireGuard.

To obfuscate a WireGuard config, add the following parameters to it: Jc, Jmin, Jmax (you can choose any value for them), and S1 = 0, S2 = 0, H1 = 1, H2 = 2, H3 = 3, H4 = 4. The final config will look something like this:

[Interface]
Address = ***
PrivateKey = ***
DNS = ***
MTU = ***
Jc = <insert any value>
Jmin = <insert any value>
Jmax = <insert any value>
S1 = 0
S2 = 0
H1 = 1
H2 = 2
H3 = 3
H4 = 4
[Peer]
PublicKey = ***
AllowedIPs = ***
Endpoint = ***
PersistentKeepalive = ***

It is important to remember that S1, S2 and H1, H2, H3, H4 must keep exactly the values given above (otherwise nothing will work: the server is still plain WireGuard, which expects no garbage bytes and its standard message types 1 to 4), while the J parameters can be changed as you like.
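As an added illustration (example code, not the Amnezia project's own), the conversion described above in Python: it appends Jc/Jmin/Jmax plus the fixed S1 = S2 = 0 and H1..H4 = 1..4 values to the [Interface] section of an existing WireGuard config, refuses a config that already carries AmneziaWG parameters, and can check whether a config is still compatible with a plain WireGuard server. The 0 <= Jmin <= Jmax check is this example's assumption.

```python
# Values that keep the peer interoperable with an unmodified WireGuard
# server: no garbage bytes (S1 = S2 = 0) and WireGuard's own message
# types 1..4 as the four packet headers (H1..H4).
WG_COMPATIBLE = {"S1": 0, "S2": 0, "H1": 1, "H2": 2, "H3": 3, "H4": 4}
AWG_KEYS = ("Jc", "Jmin", "Jmax", "S1", "S2", "H1", "H2", "H3", "H4")


def awg_from_wireguard(text, jc, jmin, jmax):
    """Return `text` (a WireGuard config) with the AmneziaWG parameters
    added to its [Interface] section. Jc/Jmin/Jmax are the caller's
    choice; 0 <= Jmin <= Jmax is enforced as this example's assumption."""
    if not 0 <= jmin <= jmax or jc < 0:
        raise ValueError("need Jc >= 0 and 0 <= Jmin <= Jmax")
    lines = text.splitlines()
    heads = [i for i, l in enumerate(lines) if l.strip().startswith("[")]
    iface = [i for i in heads if lines[i].strip() == "[Interface]"]
    if len(iface) != 1:
        raise ValueError("config must contain exactly one [Interface] section")
    start = iface[0]
    end = next((i for i in heads if i > start), len(lines))  # next section
    body = lines[start + 1:end]
    while body and not body[-1].strip():        # drop trailing blank lines
        body.pop()
    present = {l.split("=", 1)[0].strip() for l in body if "=" in l}
    clash = present & set(AWG_KEYS)
    if clash:
        raise ValueError("already an AmneziaWG config: " + ", ".join(sorted(clash)))
    extra = {"Jc": jc, "Jmin": jmin, "Jmax": jmax, **WG_COMPATIBLE}
    body += [f"{k} = {extra[k]}" for k in AWG_KEYS]
    rest = lines[end:]
    return "\n".join(lines[:start + 1] + body + ([""] if rest else []) + rest) + "\n"


def is_wireguard_compatible(text):
    """True when the S/H values are the ones a plain WireGuard server
    accepts, i.e. only junk packets are added in front of the session."""
    found = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in WG_COMPATIBLE:
                found[key] = value
    return all(found.get(k) == str(v) for k, v in WG_COMPATIBLE.items())
```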

We have not tested this kind of obfuscation against many providers, so we would be glad to receive your test results and feedback by email at support@amnesia.org or in the Telegram group https://t.me/amnesia_vpn .

Very soon we will add automatic obfuscation of WireGuard configurations to the Amnezia application, so that you can simply load any WireGuard config, tick the "obfuscate" box and turn it into AmneziaWG with one click.

About the release of the native AmneziaWG client.

Over the past three months we have completed the development of a kernel module, which has raised the connection speed and overall throughput of AmneziaWG to WireGuard levels. AmneziaWG configuration files can now also be distributed and opened not only in the AmneziaVPN application but also in the dedicated native "AmneziaWG" application for iOS, Android and macOS. So it is no longer necessary to use the AmneziaVPN client to enjoy all the benefits of the AmneziaWG protocol: you can install a package with the AmneziaWG kernel module on the server and use the lightweight AmneziaWG application from Google Play or the App Store as the client.

You can download the native client for AmneziaWG using these links:

GooglePlay – https://play.google.com/store/apps/details?id=org.amnezia.awg

App Store – https://apps.apple.com/us/app/amneziawg/id6478942365

So, if Amnezia is too heavy and power-hungry an application for your mobile device, or for some reason you cannot use AmneziaVPN, the native AmneziaWG client is an excellent alternative.

The AmneziaWG application works the same way as the native WireGuard client, but it supports only configs with the AmneziaWG protocol.

Deploying AmneziaWG on your own server without an application.

We write a lot about the fact that the Amnezia application does not collect or transmit any data, yet many of our users are wary of entering their server access credentials into the application and would prefer to deploy a VPN with AmneziaWG on a server themselves, without the Amnezia application. We have been hearing this request for a long time and are now ready to offer a suitable solution.

With the kernel module you can deploy a VPN with AmneziaWG on a server without an application. Below are detailed instructions on how to do this from the console.

***** server side *****

– allow traffic forwarding (the setting takes effect after the reboot below)

echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/00-amnezia.conf

– in /etc/apt/sources.list, enable all source package (deb-src) repositories

cd /etc/apt/ && cp sources.list sources.list.backup && sed "s/# deb-src/deb-src/" sources.list.backup > sources.list

– update the system

apt update -y && apt upgrade -y

– reboot the system

reboot

– install AmneziaWG from the Amnezia PPA

add-apt-repository -y ppa:amnezia/ppa && apt install -y amneziawg

– generate keys

awg genkey | tee privatekey | awg pubkey > publickey

This command generates a key pair: the private key goes to the privatekey file, the public key to the publickey file. You must generate at least two key pairs: one for the server and one for each individual client.

– create a configuration file /etc/amnezia/amneziawg/awg0.conf

[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = <SERVER_TUNNEL_IP>
ListenPort = <PUBLIC_PORT>
Jc = <JC>
Jmin = <JMIN>
Jmax = <JMAX>
S1 = <S1>
S2 = <S2>
H1 = <H1>
H2 = <H2>
H3 = <H3>
H4 = <H4>

[Peer]
PresharedKey = <PRESHARED_KEY>
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = <CLIENT_TUNNEL_IP>

For example:

[Interface]
PrivateKey = UPJ2MXxeXyDgxX90rx1Exmrkpv2akeBplCz/FjwAAHw=
Address = 10.8.1.1/24
ListenPort = 56789
Jc = 7
Jmin = 50
Jmax = 1000
S1 = 68
S2 = 149
H1 = 1106457265
H2 = 249455488
H3 = 1209847463
H4 = 1646644382

[Peer]
PresharedKey = q6vQ8gZBjvmv7kJS0o1cWS8TB33j9zDQkE4259lSc+s=
PublicKey = v/jQKE9HWa9ia2hcvBQSSVGaPN/DFjPPIn0+Jx4GiEo=
# one /32 host route per client; a /24 here would route the whole tunnel subnet to this single peer
AllowedIPs = 10.8.1.2/32

– create a tunnel interface

awg-quick up awg0

– set up the firewall (these rules assume the ip filter and nat tables with input and postrouting chains already exist; if your forward chain drops by default, traffic between the tunnel interface and the external interface must also be allowed)

nft add rule ip filter input udp dport == <PUBLIC_PORT> iif <EXTERNAL_NIC_NAME> accept
nft add rule nat postrouting iif <TUNNEL_NIC_NAME> oif <EXTERNAL_NIC_NAME> masquerade

For example (the port must match ListenPort in awg0.conf):

nft add rule ip filter input udp dport == 56789 iif enp6s18 accept
nft add rule nat postrouting iif awg0 oif enp6s18 masquerade

***** client side *****

– create a configuration file

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = <CLIENT_TUNNEL_IP>
Jc = <JC>
Jmin = <JMIN>
Jmax = <JMAX>
S1 = <S1>
S2 = <S2>
H1 = <H1>
H2 = <H2>
H3 = <H3>
H4 = <H4>

[Peer]
PresharedKey = <PRESHARED_KEY>
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <PUBLIC_IP>:<PUBLIC_PORT>
AllowedIPs = <COMMA-SEPARATED_LIST_OF_NETWORKS_ROUTED_THROUGH_THE_TUNNEL>

For example:

[Interface]
PrivateKey = eCINnKoSp6ICB+IZ83NGBSMV1PNftcNcCx15hF3QyWY=
Address = 10.8.1.2/24
Jc = 7
Jmin = 50
Jmax = 1000
S1 = 68
S2 = 149
H1 = 1106457265
H2 = 249455488
H3 = 1209847463
H4 = 1646644382

[Peer]
PresharedKey = q6vQ8gZBjvmv7kJS0o1cWS8TB33j9zDQkE4259lSc+s=
PublicKey = tyq1Hw/6DoDvzGvvQKNAAKg4oNaCfjaIs+kSso/5e3A=
Endpoint = 1.2.3.4:56789
AllowedIPs = 0.0.0.0/0

The resulting config can be imported and used both in the AmneziaVPN application and in the native AmneziaWG application.
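An added consistency check for a hand-written server/client pair (example code, not Amnezia's tooling): it parses both configs and the nft rules and reports obfuscation parameters that differ between the two sides, an Endpoint or firewall port that does not match ListenPort, a server-side peer given a subnet instead of a /32 host route, non-distinct H values, Jmin > Jmax, and S1 + 56 = S2 (which would make a padded handshake init, 148 + S1 bytes, and a padded response, 92 + S2 bytes, the same length).

```python
import re

AWG_KEYS = ("Jc", "Jmin", "Jmax", "S1", "S2", "H1", "H2", "H3", "H4")


def parse_conf(text):
    """Parse wg-style text into {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # wg configs allow # comments
        if line == "[Interface]":
            current = conf["Interface"]
        elif line == "[Peer]":
            current = {}
            conf["Peer"].append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conf


def check_pair(server_text, client_text, nft_rules):
    """Return a list of problems; an empty list means the pair is consistent."""
    srv, cli, problems = parse_conf(server_text), parse_conf(client_text), []
    sp = {k: srv["Interface"].get(k) for k in AWG_KEYS}
    cp = {k: cli["Interface"].get(k) for k in AWG_KEYS}
    if sp != cp:
        problems.append("obfuscation parameters differ between server and client")
    if None in sp.values():
        problems.append("server config lacks one of " + ", ".join(AWG_KEYS))
    else:
        p = {k: int(v) for k, v in sp.items()}
        if len({p["H1"], p["H2"], p["H3"], p["H4"]}) != 4:
            problems.append("H1..H4 must be four distinct values")
        if p["Jmin"] > p["Jmax"]:
            problems.append("Jmin must not exceed Jmax")
        if p["S1"] + 56 == p["S2"]:   # init is 148 + S1 bytes, response 92 + S2
            problems.append("S1 + 56 == S2: padded init and response have equal length")
    port = str(srv["Interface"].get("ListenPort"))
    endpoint = cli["Peer"][0].get("Endpoint", "") if cli["Peer"] else ""
    if not endpoint.endswith(":" + port):
        problems.append(f"client Endpoint {endpoint!r} does not use ListenPort {port}")
    for rule in nft_rules:
        m = re.search(r"udp dport\s+(?:==\s*)?(\d+)", rule)
        if m and m.group(1) != port:
            problems.append(f"firewall opens port {m.group(1)} but ListenPort is {port}")
    for peer in srv["Peer"]:
        if not peer.get("AllowedIPs", "").endswith("/32"):
            problems.append(f"server peer AllowedIPs {peer.get('AllowedIPs')!r} should be a /32 host route")
    return problems
```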

In conclusion, we would like to leave links to our products and groups. Thank you for your attention, and see you in the next articles!

AmneziaWG: Google Play, App Store

Amnesia.org

AmneziaFree bot in Telegram – free VPN from Amnezia
