AmneziaWG

张无忌

AmneziaWG /æmˈniː.ʒə.dʌb.əl.juː.dʒiː/

AmeziaVPN 是从俄罗斯出，WireGuard （简称 WG）出现，又整合 WG 便是为 AmneziaWG [1]，中文不多只有一篇 AmneziaWG [2, 3]。

因为 GFW DPI 会知道 WG 开始

In WireGuard, the Init packet is exactly 148 bytes, Response is 92 bytes, Cookie is 64 bytes, and Data has variable size (payload). AmneziaWG adds pseudorandom prefixes S1, S2, S3, and S4 (0 to 32/64 bytes):

len(init) = 148 + S1
len(resp) = 92 + S2
len(cookie) = 64 + S3
len(data) = payload + S4

Jc, Jmin, Jmax
S1, S2, S3, S4
H1, H2, H3, H4
I1, I2, I3, I4, I5


References:
[1] https://docs.amnezia.org/documentation/amnezia-wg/
[2] https://appscross.com/blog/start ... -of-amneziavpn.html
[3] 简单搭建amneziawg VPN

张无忌

Table of contents

AmneziaWG
VPS Linux 安装 AmneziaWG


目录 AmneziaWG

张无忌

AmneziaWG

AmneziaWG operates within the framework of backward compatibility. The AmneziaWG implementation allows for the modification of certain static parameters in WireGuard, which are typically recognized by DPI systems. If these parameters are left at their default values (set to 0), the protocol functions like regular WireGuard.

In AmneziaWG, the headers of all packets are modified: the handshake packet (Initiator to Responder), the response packet (Responder to Initiator), the data packet, and a special "Under Load" packet — these are randomized values, but they can be changed in the settings. Because each user has different headers, it's virtually impossible to devise a universal rule based on headers alone to detect and block the protocol.

Another weak point of WireGuard is the size of authentication packets. In AmneziaWG, random bytes are appended to each auth packet to alter their size. Thus, the handshake packets additionally contain "garbage" at the beginning of the data, the size of which is determined by the values S1 and S2. By default, the initiating handshake packet has a fixed size (148 bytes), and after adding garbage, its size will be 148 bytes + S1.

The AmneziaWG implementation includes another trick for more reliable masking. Before starting a session, Amnezia sends a certain number of "junk" packets to thoroughly confuse DPI systems. The number of such packets and their minimum and maximum sizes in bytes are also set in the settings, with parameters Jc, Jmin, and Jmax.

In regions with a high level of internet censorship, we recommend using AmneziaWG from the first connection.


Reference:
[1] https://docs.amnezia.org/documentation/how-amnezia-works

目录 AmneziaWG

张无忌

VPS Linux 安装 AmneziaWG

但是没有 Amnezia 安装 AmneziaWG，而在 [1] 有一个 package 没有，不知道怎么进行。而 AmneziaWG 2.0 Linux 要求 Debian 13，而所有的 VPS 一般都是 Debian 12。

我早期日本买了 Linux VPS（腾讯云东京）有了 Debian 13，在安装有发现问题，于是问 Gemini 说出安装在大陆的 device 里，选用 iPhone 安装了 AmneziaVPN App，把日本 VPS 的 IP，root and password 输进去，它会自动 AmneziaWG（remote login VPS by iPhone） 安装好，在手机按 select "Connect" 一下变成 "Connected"。

AmneziaVPN（用 AmneziaWG）昨天一直连日本都没有问题，早今天一整天都没有问题。
6月9日晚上安装，connected
6月10日 connected（没有改过 settings）
6月11日 connected（没有改过 settings）
6月12日 connected（没有改过 settings）
6月13日 continued


Reference:
[1] 简单搭建amneziawg VPN

目录 AmneziaWG

freshtomato

5月中試過，Glinet router stock firmware 4.8.4 AmneziaWG server and Glinet router stock firmware 4.8.4 AmneziaWG client, server at HK netvigator home public IP, client at Guangdong, first 20 min is OK very smooth, like the normal WG, After 20 min, AmneziaWG line was QOS or broken by GFW. Don’t use anymore.

Glinet stock firmware 4.8.4 include AmneziaWG encryption, I don’t need to learn how to install it.

FYI

张无忌

回覆 5# freshtomato

Based on your information stock firmware 4.8.4 GL.iNet on both routers, I believe they are of Flint 2 (GL-MT6000). They were installed AmneziaWG server in Hong Kong and client in Guangdong province. Since you had not mentioned the AmneziaWG settings Jc, Jmin, Jmax; S1, S2, S3, S4; H1, H2, H3, H4; I1, I2, I3, I4, I5, I cannot give you advice about it.

If you do not need to learn how to install it, the result was the same as ordinary WireGuard. For the time being I only use the original WireGuard and sometimes I need to adjust the port(s). Instead of directing the Hong Kong residential PCCW router, I use the transfer method via Aliyun VPS (change my Mainland residential IP transferred to Aliyun  IP) to Hong Kong PCCW router. The results were very satisfactory.

freshtomato

All the AmneziaWG setting both server/client from Glinet,  I just make sure the WG router server was HK public IP address, don’t use DDNS for safety. I also compare the AmneziaWG peer file vs Normal WG peer file, AmneziaWG client peer file have more header (like you mention above).  I ask Gemini, AmneziaWG peer file is incompatible to normal WireGuard server.

Since I was successfully connected around 20 min, after a while the line was broken.

My conclusion on MY case, the AmneziaWG connection was success, but GFW find a way to detect and break the line. 道高一尺 魔高一丈 (完）

jk1399

又係CMK，你自貼自樂，根本無人理你貼乜

t101

不如你試下搵AI試下改source code，仲多嘢可以試
我玩緊

xo_ox

這些文章，我又覺得OK wow !
參考參考ok 吖