Set up an AmneziaWG obfuscated VPN on any supported Linux server in under 2 minutes, with an optional web panel and an optional traffic-obfuscation proxy.

VPN install → (optional) Web panel → (optional) Obfuscation proxy → Manage clients

This project started as a fork of RomikB/amneziawg-install. I needed a reliable way to stand up AmneziaWG 2.0 servers for testing WireSock Secure Connect, and the upstream script predated the 2.0 release, so I took it and extended it to generate and manage the new 2.0 obfuscation parameters (S3/S4 padding and the H1–H4 header ranges).
Once the installer was solid, it was hard to stop:
- `amneziawg-install.sh`: the original script, extended for AmneziaWG 2.0 (S3/S4, H1–H4, migration from pre-2.0 installs).
- `amneziawg-web.sh`: a web panel for managing clients without touching the CLI.
- `amneziawg-proxy.sh`: a UDP obfuscation proxy that takes traffic camouflage to the next level: it wraps AmneziaWG so the datagrams on the wire look like a legitimate QUIC, DNS, STUN, or SIP service to Deep Packet Inspection (DPI).

⚠️ amneziawg-proxy is most powerful with WireSock Secure Connect 3.5+. The proxy's full protocol-imitation feature set (coordinated client/server cover traffic, junk-packet shaping, and per-protocol padding) is only fully unleashed when paired with WireSock Secure Connect 3.5 or later on the client side. Standard AmneziaWG clients still connect through the proxy and benefit from the server-side obfuscation, but the bidirectional imitation requires the WireSock client.
VPN only (required):

```bash
curl -O https://raw.githubusercontent.com/wiresock/amneziawg-install/main/amneziawg-install.sh
chmod +x amneziawg-install.sh
sudo ./amneziawg-install.sh
```

Add the web panel (optional):
```bash
curl -O https://raw.githubusercontent.com/wiresock/amneziawg-install/main/amneziawg-web.sh
chmod +x amneziawg-web.sh
sudo ./amneziawg-web.sh install
```

Note: The web panel installer requires `git` to bootstrap the repository when run standalone. If `git` is not available, clone the repository manually or use `--binary-src` with a pre-built binary.
Add the obfuscation proxy (optional):

```bash
curl -O https://raw.githubusercontent.com/wiresock/amneziawg-install/main/amneziawg-proxy.sh
chmod +x amneziawg-proxy.sh
sudo ./amneziawg-proxy.sh
```

Makes the VPN traffic look like QUIC/DNS/STUN/SIP to DPI. See Traffic Obfuscation Proxy.
✅ After installation:

- VPN server is running
- A client config file is generated at `~/awg0-client-<name>.conf`
- (If installed) Web panel listens on `127.0.0.1:8080` by default; access it on the server at `http://127.0.0.1:8080`, or change `AWG_WEB_LISTEN` / use a reverse proxy for remote access
- `amneziawg-install.sh`: required. Installs the VPN server, generates obfuscation parameters, and creates client configs.
- `amneziawg-web.sh`: optional. Unified script for:
  - `install`: install the web panel
  - `upgrade`: upgrade the binary
  - `uninstall`: remove the panel
  - `status`: show installation status
- `amneziawg-proxy.sh`: optional. Installs and manages the UDP obfuscation proxy that fronts AmneziaWG and makes the traffic look like QUIC, DNS, STUN, or SIP. See Traffic Obfuscation Proxy below.
| Goal | What to run |
|---|---|
| VPN server only | amneziawg-install.sh |
| VPN + web panel | amneziawg-install.sh then amneziawg-web.sh install |
| VPN + DPI-resistant obfuscation | amneziawg-install.sh then amneziawg-proxy.sh |
| Everything | amneziawg-install.sh, then amneziawg-web.sh install, then amneziawg-proxy.sh |
| Advanced / development | Clone the repo, then run the scripts from the checkout |
Most users should start here.
- Update your system and reboot before installing.
- Run the commands from Quick Start.
- Answer the prompts. The script installs AmneziaWG, configures the server, and generates a client config file.
- Run the script again at any time to add or remove clients.
⚠️ Requires VPN to be installed first (`amneziawg-install.sh`).
Use the Quick Start commands above, or clone the repository (best for teams or repeated upgrades):
```bash
git clone https://github.com/wiresock/amneziawg-install.git
cd amneziawg-install
sudo ./amneziawg-install.sh
sudo ./amneziawg-web.sh install
```

The installer automatically downloads required files and builds the panel.
Add `--install-rust` if Rust is not already installed on the server.
See `amneziawg-web/docs/INSTALL.md` for all installer options.
⚠️ Requires VPN to be installed first (`amneziawg-install.sh`).
amneziawg-proxy is an async UDP proxy (written in Rust) that sits in front of
your AmneziaWG server and disguises the traffic so that, to Deep Packet
Inspection (DPI), the port appears to host an ordinary QUIC, DNS, STUN, or
SIP service. AmneziaWG's own obfuscation already hides the WireGuard
fingerprint; the proxy adds a second layer that makes the packets positively
resemble a known, allowed protocol instead of merely looking random.
💡 Best paired with WireSock Secure Connect 3.5+. The proxy obfuscates the server → client direction on its own. Bidirectional imitation, where the client → server direction is camouflaged too, requires WireSock Secure Connect 3.5 or later, which implements the matching client-side protocol imitation and junk-packet shaping.
The proxy installer detects the AWG interface, rebinds AmneziaWG to loopback, builds the binary, and installs a systemd service. One command does it all:
```bash
curl -O https://raw.githubusercontent.com/wiresock/amneziawg-install/main/amneziawg-proxy.sh
chmod +x amneziawg-proxy.sh
sudo ./amneziawg-proxy.sh
```

Run with no arguments and it walks you through guided prompts. Run it again later and it shows a management menu (status, logs, reconfigure, uninstall).
Non-interactive examples. amneziawg-proxy.sh forwards any flags to the
installer (cloning the helper scripts on the fly when run standalone), so the
one downloaded file is all you need:
```bash
# QUIC imitation (safest default): public :51820 -> loopback :51821
sudo ./amneziawg-proxy.sh \
  --non-interactive --listen-port 51820 --protocol quic

# DNS imitation that also answers real DNS queries (run on port 53)
sudo ./amneziawg-proxy.sh \
  --non-interactive --listen-port 53 --protocol dns \
  --dns-forward --dns-upstream 1.1.1.1:53

# STUN imitation (port 3478, WebRTC/NAT-permissive networks)
sudo ./amneziawg-proxy.sh \
  --non-interactive --listen-port 3478 --protocol stun
```

Full option reference, configuration keys, and troubleshooting live in `amneziawg-proxy/doc/USAGE.md`. Internal design and packet-level walkthroughs are in `amneziawg-proxy/doc/ARCHITECTURE.md`.
After install, all client traffic flows through the proxy; AmneziaWG itself is no longer exposed directly:
```text
                          ┌────────────────────────────────────┐
VPN client ──── UDP ─────►│ 0.0.0.0:51820   amneziawg-proxy    │
(DPI sees QUIC/DNS/       │        │                           │
 STUN/SIP)                │        ▼                           │
                          │ 127.0.0.1:51821 awg0 (AmneziaWG)   │
                          └────────────────────────────────────┘
```
The proxy does two complementary things:
- Probe response. When a scanner or DPI box sends a protocol probe (a QUIC Initial, a DNS query, a STUN Binding Request, a SIP request), the proxy replies with a valid protocol response (a QUIC Version Negotiation, a DNS answer, a STUN Binding Success, a SIP `100 Trying`). The port therefore behaves exactly like the service it is pretending to be when actively probed.
- Padding transformation. Every outgoing AmneziaWG packet already carries a random S1–S4 padding prefix. The proxy overwrites that prefix with protocol-conformant bytes (a QUIC short header, a DNS/STUN header, SIP header text) so the leading bytes and byte distribution of each datagram match the imitated protocol, while the encrypted WireGuard payload that follows is left untouched.
| Mode | What DPI sees | Typical port | Good for |
|---|---|---|---|
| `quic` | QUIC 1-RTT / Version Negotiation | 443 | QUIC/HTTP-3-heavy networks (safest default) |
| `dns` | DNS query/response (optionally real) | 53 | DNS-filtered networks |
| `stun` | STUN Binding traffic | 3478 | WebRTC / NAT-traversal-permissive networks |
| `sip` | SIP signaling | 5060 | VoIP-permissive networks |
| `auto` | Whatever the client probes for | – | Mixed-probe environments |
STUN mode: an outgoing server packet on the wire. The padding prefix is rewritten as a well-formed STUN message; a packet-capture tool dissects it as STUN and leaves the encrypted AmneziaWG payload as trailing bytes:

```text
01 01 00 1c 21 12 a4 42 4f 7a 1c …   ← STUN: Binding Success Response, msg length 0x1c, cookie 0x2112A442
00 20 00 08 00 01 …                  ← XOR-MAPPED-ADDRESS attribute (12 B)
80 22 00 0c …                        ← SOFTWARE attribute (16 B; fills the prefix) → 12 + 16 = 0x1c
… encrypted AmneziaWG payload …      ← opaque ciphertext (trails the message, not parsed)
```
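To see what a dissector makes of such a datagram, here is an added Python example (my own code, not part of this repository) that walks the STUN framing and hands back the trailing bytes untouched, run on a constructed datagram laid out like the one above; function and constant names are assumptions.

```python
import ipaddress
import struct

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022


def decode_xor_mapped_address(value: bytes):
    """XOR-MAPPED-ADDRESS (RFC 5389): port and IPv4 address are XORed with the magic cookie."""
    family, xport = struct.unpack("!xBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 is handled here")
    port = xport ^ (STUN_MAGIC_COOKIE >> 16)
    addr = int.from_bytes(value[4:8], "big") ^ STUN_MAGIC_COOKIE
    return str(ipaddress.IPv4Address(addr)), port


def dissect_stun_prefix(datagram: bytes):
    """Split a datagram into the STUN message at its front and whatever trails it.

    Returns (msg_type, [(attr_type, attr_value), ...], trailing_bytes). Only the
    STUN-framed part is walked; the trailing bytes come back opaque, which is
    exactly what a dissector does with the encrypted AmneziaWG payload."""
    if len(datagram) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", datagram[:8])
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000:
        raise ValueError("no STUN header at offset 0")
    end = 20 + msg_len
    if end > len(datagram):
        raise ValueError("STUN message length runs past the datagram")
    attrs, off = [], 20
    while off < end:
        a_type, a_len = struct.unpack("!HH", datagram[off:off + 4])
        attrs.append((a_type, datagram[off + 4:off + 4 + a_len]))
        off += 4 + ((a_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return msg_type, attrs, datagram[end:]


# Constructed sample datagram (not a real capture): Binding Success, length 0x1c,
# magic cookie, 12-byte transaction id, XOR-MAPPED-ADDRESS for 203.0.113.5:51820,
# SOFTWARE "proxy-cover1", then 16 made-up bytes standing in for the ciphertext.
CIPHERTEXT = bytes.fromhex("9f3ac1d27e8b0456a1f0c3e9b2d47a18")
SAMPLE_DATAGRAM = (
    bytes.fromhex("0101001c2112a442" "4f7a1c010203040506070809")
    + bytes.fromhex("00200008" "0001" "eb7e" "ea12d547")
    + bytes.fromhex("8022000c") + b"proxy-cover1"
    + CIPHERTEXT
)
```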
QUIC mode: a probe and its response. A DPI box sends a QUIC Initial; the proxy answers with a valid Version Negotiation packet, swapping the connection IDs per RFC 9000:

```text
→ c3 00000001 04 aabbccdd 00              QUIC Initial probe (DCID=AABBCCDD)
← c3 00000000 00 04 aabbccdd 00000001     Version Negotiation (SCID echoes the DCID)
```
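The same exchange, as an added Python example (my own code, not the proxy's Rust implementation): it parses the probe's long header and builds the Version Negotiation reply with the connection IDs swapped; function names are assumptions, and the constructed probe mirrors the hex above.

```python
import struct

QUIC_VERSION_1 = 0x00000001


def parse_long_header(pkt: bytes):
    """Parse the version-independent long-header fields (RFC 8999):
    returns (first_byte, version, dcid, scid)."""
    if len(pkt) < 7 or not (pkt[0] & 0x80):
        raise ValueError("not a QUIC long-header packet")
    version = struct.unpack("!I", pkt[1:5])[0]
    off = 5
    dcid_len = pkt[off]
    dcid = pkt[off + 1:off + 1 + dcid_len]
    off += 1 + dcid_len
    if off >= len(pkt):
        raise ValueError("truncated before SCID length")
    scid_len = pkt[off]
    scid = pkt[off + 1:off + 1 + scid_len]
    if len(dcid) != dcid_len or len(scid) != scid_len:
        raise ValueError("truncated connection IDs")
    return pkt[0], version, dcid, scid


def version_negotiation_for(probe: bytes, supported=(QUIC_VERSION_1,)) -> bytes:
    """Build the Version Negotiation packet a server sends back (RFC 9000 §17.2.1):
    version field 0, DCID = probe's SCID, SCID = probe's DCID, then supported versions.
    Note: a real QUIC server drops small packets with unsupported versions instead of
    answering them (RFC 9000 §5.2.2); this imitation answers every well-formed probe."""
    _, version, dcid, scid = parse_long_header(probe)
    if version == 0:
        raise ValueError("probe is itself a Version Negotiation packet")
    out = bytes([0xC3]) + struct.pack("!I", 0)  # high bit set, version 0
    out += bytes([len(scid)]) + scid           # our DCID echoes the client's SCID
    out += bytes([len(dcid)]) + dcid           # our SCID echoes the client's DCID
    for v in supported:
        out += struct.pack("!I", v)
    return out


# Constructed probe matching the README example: Initial, version 1,
# DCID aabbccdd, zero-length SCID.
PROBE = bytes.fromhex("c3" "00000001" "04" "aabbccdd" "00")
```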
DNS mode: a query answered for real. With `--dns-forward`, a DNS probe is
forwarded to the upstream resolver and the genuine answer is returned, so the
port doubles as a working resolver while still tunneling VPN traffic.
To inspect it yourself, capture on the server's public port and open the capture in Wireshark; frames decode cleanly as the imitated protocol, with no "malformed" or WireGuard markers:

```bash
sudo tcpdump -i any -w awg-proxy.pcap udp port 51820
```

Re-running `amneziawg-proxy.sh` on an installed host opens a management menu (status, logs, reconfigure, uninstall); this is the simplest path, and it works from the single downloaded file:

```bash
sudo ./amneziawg-proxy.sh
```

From a repository checkout you can also drive the uninstaller non-interactively (keeps config/data by default; add `--restore-awg` to rebind AWG to the public port):
```bash
sudo ./amneziawg-proxy/scripts/amneziawg-proxy-uninstall.sh --force
```

- VPN client config is saved to `~/awg0-client-<name>.conf`. Import it into any AmneziaWG client app.
- Web panel listens on `127.0.0.1:8080` by default. Access it on the server at `http://127.0.0.1:8080`, or change `AWG_WEB_LISTEN` / use a reverse proxy for remote access.
- Re-run `sudo ./amneziawg-install.sh` to add or remove VPN clients interactively.
- Check the web panel status at any time:

  ```bash
  ./amneziawg-web.sh status
  ```

  The `status` command does not require `sudo`.
All web panel lifecycle actions use the same script:
Upgrade the web panel:

```bash
sudo ./amneziawg-web.sh upgrade
```

Uninstall the web panel (keeps config and data):

```bash
sudo ./amneziawg-web.sh uninstall --force
```

Uninstall and purge all data:

```bash
sudo ./amneziawg-web.sh uninstall --purge-config --purge-data --force
```

The script works standalone: it automatically downloads required files when run.
Skip all prompts and use sensible defaults:
```bash
sudo AUTO_INSTALL=y ./amneziawg-install.sh
```

Override specific defaults with environment variables:

| Variable | Default |
|---|---|
| `SERVER_PUB_IP` | Auto-detected |
| `SERVER_PUB_NIC` | Auto-detected |
| `SERVER_AWG_NIC` | `awg0` |
| `SERVER_AWG_IPV4` | `10.66.66.1` |
| `SERVER_AWG_IPV6` | `fd42:42:42::1` |
| `ENABLE_IPV6` | `y` if the host has IPv6, otherwise `n` |
| `SERVER_PORT` | Random (49152–65535) |
| `CLIENT_DNS_1` | `1.1.1.1` |
| `CLIENT_DNS_2` | `1.0.0.1` |
| `ALLOWED_IPS` | `0.0.0.0/0,::/0` (IPv4 only when `ENABLE_IPV6=n`) |
Set `ENABLE_IPV6=n` for an IPv4-only deployment: the server interface, firewall
rules, and all generated client configs omit IPv6 (no IPv6 address, no `::/0`
route), which avoids route-setup errors on hosts where IPv6 is disabled.
Example:
```bash
sudo AUTO_INSTALL=y SERVER_PORT=51820 CLIENT_DNS_1=8.8.8.8 ./amneziawg-install.sh

# IPv4-only server
sudo AUTO_INSTALL=y ENABLE_IPV6=n ./amneziawg-install.sh
```

The install script also supports non-interactive flags for automation and scripting:

```bash
# Add a new client
sudo ./amneziawg-install.sh --add-client alice

# Remove a client
sudo ./amneziawg-install.sh --remove-client alice

# List all clients
sudo ./amneziawg-install.sh --list-clients
```

Supported Linux distributions:
- Debian ≥ 11
- Ubuntu ≥ 22.04
Temporarily disabled:
- Fedora (RPM-based)
- AlmaLinux (RPM-based)
- Rocky Linux (RPM-based)
Reason: verified AmneziaWG 2.0 packages are not currently available for these RPM-based distributions. Please watch this repository's releases and README for support status updates.
2 GB of free space required for temporary build files.
## AmneziaWG 2.0 Parameters
AmneziaWG 2.0 adds S3/S4 and H1βH4 range parameters for enhanced traffic obfuscation. The installer generates all values automatically.
| Parameter | Range | Constraint |
|---|---|---|
| Jc | 1–128 | – |
| Jmin | 1–1280 | Jmin ≤ Jmax |
| Jmax | 1–1280 | Jmin ≤ Jmax |
| S1 | 15–150 | S1 + 56 ≠ S2 and S2 + 56 ≠ S1 |
| S2 | 15–150 | S1 + 56 ≠ S2 and S2 + 56 ≠ S1 |
| S3 | 15–150 | S3 + 56 ≠ S4 and S4 + 56 ≠ S3 |
| S4 | 15–150 | S3 + 56 ≠ S4 and S4 + 56 ≠ S3 |
| H1–H4 | 5–2147483647 | Ranges must not overlap |
H parameters accept a range (min-max) or a single value.
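An added Python check (my own code, not part of the installer) that applies every constraint in the table to a parameter set, including the "min-max or single value" H syntax and pairwise H-range overlap; function names and the sample values are assumptions.

```python
import re

JUNK_LIMITS = {"Jc": (1, 128), "Jmin": (1, 1280), "Jmax": (1, 1280)}
S_LIMITS = (15, 150)
H_MIN, H_MAX = 5, 2147483647
S_MARGIN = 56  # the two sizes in an S pair must not differ by exactly 56


def parse_h(value: str):
    """H1..H4 accept 'min-max' or a single value; return the closed interval (lo, hi)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value.strip())
    if not m:
        raise ValueError(f"bad H value {value!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if lo > hi:
        raise ValueError(f"H range {value!r} is reversed")
    return lo, hi


def validate_awg2_params(p: dict) -> list:
    """Return every constraint violation in a parameter set (empty list = valid)."""
    errors = []
    for name, (lo, hi) in JUNK_LIMITS.items():
        if not lo <= p[name] <= hi:
            errors.append(f"{name}={p[name]} outside {lo}-{hi}")
    if p["Jmin"] > p["Jmax"]:
        errors.append("Jmin must be <= Jmax")
    for a, b in (("S1", "S2"), ("S3", "S4")):
        for name in (a, b):
            if not S_LIMITS[0] <= p[name] <= S_LIMITS[1]:
                errors.append(f"{name}={p[name]} outside {S_LIMITS[0]}-{S_LIMITS[1]}")
        if p[a] + S_MARGIN == p[b] or p[b] + S_MARGIN == p[a]:
            errors.append(f"{a}/{b}: sizes must not differ by exactly {S_MARGIN}")
    ranges = []
    for name in ("H1", "H2", "H3", "H4"):
        lo, hi = parse_h(p[name])
        if lo < H_MIN or hi > H_MAX:
            errors.append(f"{name}={p[name]} outside {H_MIN}-{H_MAX}")
        ranges.append((name, lo, hi))
    for i, (n1, lo1, hi1) in enumerate(ranges):
        for n2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                errors.append(f"{n1} and {n2} ranges overlap")
    return errors


# Constructed sample set (hypothetical values, not ones the installer produced).
GOOD_PARAMS = {"Jc": 4, "Jmin": 40, "Jmax": 70, "S1": 30, "S2": 60, "S3": 100, "S4": 45,
               "H1": "1000-2000", "H2": "2001-3000", "H3": "5000", "H4": "6000-7000"}
```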
## Migration from Pre-2.0
Run the installer on an existing pre-2.0 installation. It detects the need for migration and prompts before proceeding.
Important: All existing client configs become incompatible after migration. Regenerate them using option 1 (Add a new user) in the management menu.
Migration steps:
- Creates `.bak` backup files before making any changes.
- Generates new S3/S4 values with bidirectional constraint validation.
- Converts single H values to range format (or regenerates if overlapping).
- Updates server config and params file atomically.
- Renames outdated client configs with a `.old` suffix.
- Reloads the running VPN service (if active).
Backups are restored automatically if migration fails.
## Security Notes

- Shell injection prevention: params file values are safely shell-quoted.
- Atomic writes: config updates use a temp file + rename to prevent corruption on interruption.
- Filesystem boundary protection: client config search uses `-xdev` to stay within the config filesystem.
Fork of RomikB/amneziawg-install.
This is an independent, community-maintained project. It is not affiliated with, endorsed by, sponsored by, or otherwise associated with Amnezia (amnezia.org), the Amnezia VPN application, or the Amnezia Free VPN service. The project merely builds on the open-source AmneziaWG protocol and tooling. "Amnezia", "AmneziaWG", and any related names, logos, and trademarks are the property of their respective owners and are used here only for identification.
Likewise, this installer is provided as-is with no warranty (see License); you are responsible for how you deploy and use it.
MIT License