AmneziaWG
AmneziaWG is a WireGuard-Go fork that eliminates characteristic network signatures. Version 1.5 introduces protocol masquerading for UDP protocols like QUIC and DNS.
8 Key Advantages
- DPI Invisibility — dynamic headers and randomized packet sizes
- Protocol Masquerading — imitates QUIC, DNS, SIP and other UDP protocols
- High Performance — kernel module with ChaCha20-Poly1305, SIMD optimization
- Energy Efficiency — Go-based userspace, suitable for mobile
- Cross-Platform Support
- UDP Transport
- Configuration Simplicity — specify masquerade protocol, rest auto-fills
- Backward Compatibility — identical to standard WireGuard when obfuscation disabled
How It Works
1. Dynamic Headers
Random constants applied to 4 WireGuard packet formats (Init, Response, Data, Under-Load).
2. Handshake Length Randomization
len(init) = 148 + S1 (S1: 0-64 bytes)
len(resp) = 92 + S2 (S2: 0-64 bytes)
3. CPS (Custom Protocol Signature)
Up to 5 UDP packets are sent before handshakes. Each packet is described by a sequence of tags:
| Tag | Format | Description |
|---|---|---|
| b | `<b hex_data>` | Static bytes for protocol imitation |
| c | `<c>` | 32-bit packet counter |
| t | `<t>` | Unix timestamp (32-bit) |
| r | `<r length>` | Cryptographically random bytes (≤1000) |
4. Junk Train (Jc)
Jc pseudo-random packets, each between Jmin and Jmax bytes in size.
5. Unchanged Encryption
Identical to WireGuard: Curve25519, ChaCha20-Poly1305, bidirectional key rotation.
Configuration Parameters
| Parameter | Range | Purpose |
|---|---|---|
| I1-I5 | hex-blob | Protocol signature packets |
| S1, S2 | 0-64 bytes | Random prefixes for Init/Response |
| Jc | 0-10 | Junk packet count |
| Jmin, Jmax | 64-1024 bytes | Junk packet size range |
INFO: Zero values = standard WireGuard behavior.
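The following is an added example, not code from the AmneziaWG project: it expands a CPS tag string from section 3 into the bytes it describes and checks S1, S2, Jc, Jmin and Jmax against the ranges in the table above, returning the resulting handshake lengths. The function names are hypothetical; big-endian encoding for `<c>` and `<t>`, an optional `0x` prefix on the hex data, and concatenating tags in the order written are assumptions the page does not state.

```python
import os
import re
import struct
import time

# Tag grammar from the CPS table: <b hex_data>, <c>, <t>, <r length>.
TAG_RE = re.compile(r"<(b)\s+(?:0x)?([0-9a-fA-F]+)>|<(c)>|<(t)>|<(r)\s+(\d+)>")
MAX_RANDOM = 1000  # upper bound for <r length> given in the table

def build_cps_packet(spec, counter=0, now=None):
    """Expand one signature-packet spec string into a UDP payload."""
    out, pos = bytearray(), 0
    for m in TAG_RE.finditer(spec):
        if spec[pos:m.start()].strip():
            raise ValueError(f"unexpected text at offset {pos}")
        pos = m.end()
        if m.group(1):    # static bytes; odd-length hex raises ValueError
            out += bytes.fromhex(m.group(2))
        elif m.group(3):  # 32-bit packet counter (byte order is an assumption)
            out += struct.pack(">I", counter & 0xFFFFFFFF)
        elif m.group(4):  # 32-bit Unix timestamp (byte order is an assumption)
            ts = int(time.time() if now is None else now)
            out += struct.pack(">I", ts & 0xFFFFFFFF)
        else:             # cryptographically random bytes
            n = int(m.group(6))
            if n > MAX_RANDOM:
                raise ValueError(f"<r {n}> exceeds {MAX_RANDOM} bytes")
            out += os.urandom(n)
    if spec[pos:].strip():
        raise ValueError(f"unexpected text at offset {pos}")
    return bytes(out)

def check_params(s1=0, s2=0, jc=0, jmin=0, jmax=0):
    """Validate against the parameter table; return the handshake lengths."""
    if not (0 <= s1 <= 64 and 0 <= s2 <= 64):
        raise ValueError("S1 and S2 must be 0-64")
    if not 0 <= jc <= 10:
        raise ValueError("Jc must be 0-10")
    if jc and not 64 <= jmin <= jmax <= 1024:
        raise ValueError("need 64 <= Jmin <= Jmax <= 1024 when Jc > 0")
    return {"init": 148 + s1, "resp": 92 + s2}

if __name__ == "__main__":
    spec = "<b 0xc0ff><c><t><r 16>"  # constructed sample, not a real protocol signature
    print(len(build_cps_packet(spec, counter=1)))
    print(check_params(s1=15, s2=18, jc=4, jmin=64, jmax=256))
```

With every parameter left at zero, `check_params` returns the standard WireGuard handshake sizes of 148 and 92 bytes.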
Security
Noise_IK key exchange with Curve25519, AEAD ChaCha20-Poly1305. All existing WireGuard security audits apply.