this post was submitted on 06 Apr 2026
87 points (96.8% liked)

Selfhosted


WireGuard is blocked by DPI in 10+ countries now. AmneziaWG 2.0 is a fork that makes the traffic look like random noise - DPI can't tell it apart from normal UDP. Same crypto under the hood, negligible speed overhead.

I wrote an installer that handles the whole setup in one command on a clean Ubuntu/Debian VPS - kernel module, firewall, hardening, client configs with QR codes. Pure bash, no dependencies, runs on any $3/month box. MIT license.

Been running it from Russia where stock WireGuard stopped working mid-2025.

top 15 comments
[–] litchralee@sh.itjust.works 11 points 11 hours ago (1 children)

Ok, I'm curious as to the DPI claims. Fortunately, AmneziaWG describes how it differs from WG here: https://docs.amnezia.org/documentation/amnezia-wg/

In brief, the packet format of conventional WireGuard is retained but randomized shifts and decoy data are added, to avail the packets with the appearance of either an unknown protocol or of well-established chatty protocols (e.g. QUIC, SIP). That is indeed clever, and their claims seem to be narrow and accurate: for a rule-based DPI system, no general rule can be written to target a protocol that shape-shifts its headers like this.

However, it remains possible that an advanced form of statistical analysis or MiTM-based inspection can discover the likely presence of Amnezia-obfuscated WireGuard packets, even if still undecryptable. This stems from the fact that the obfuscation is still bounded to certain limits, such as adding no more than 64 bytes to plain WireGuard init packets. That said, to do so would require some large timescales to gather statistically-meaningful data, and is not the sort of thing which a larger ISP can implement at scale. Instead, this type of vulnerability would be against particularized targets, to determine if covert communication is happening, rather than decrypting the contents of said communication.

For the sysadmins following along, the threat of data exfiltration is addressed as normal: prohibit unknown outbound ports or suspicious outbound destinations. You are filtering outbound traffic, right?
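The two points in the comment above, as an added example that is not part of the thread: a fixed-signature rule matches a stock WireGuard handshake initiation (148 bytes, type word 1) but not a padded, re-headered one, the bounded size window alone also matches unrelated traffic, and a default-deny egress policy drops both tunnels without recognising either. The obfuscation model, the allowlist and the sample flows are constructed assumptions; the 64-byte bound is the figure quoted in the comment.

```python
import os
import struct

WG_INIT_LEN = 148  # size of a stock WireGuard handshake initiation, in bytes
MAX_PAD = 64       # padding bound quoted in the comment above

def stock_init() -> bytes:
    # Constructed stand-in: message type 1 as a little-endian 32-bit word
    # (type byte plus three reserved zero bytes), random bytes for the rest.
    return struct.pack("<I", 1) + os.urandom(WG_INIT_LEN - 4)

def obfuscated_init(pad: int, header: int) -> bytes:
    # Simplified model (assumption, not the AmneziaWG wire format):
    # `pad` random bytes in front and a non-default header value.
    return os.urandom(pad) + struct.pack("<I", header) + os.urandom(WG_INIT_LEN - 4)

def signature_match(payload: bytes) -> bool:
    # Static DPI-style rule: exact length and fixed first four bytes.
    return len(payload) == WG_INIT_LEN and payload[:4] == b"\x01\x00\x00\x00"

def in_size_window(payload: bytes) -> bool:
    # Weak statistical signal: first datagram within the bounded size range.
    return WG_INIT_LEN <= len(payload) <= WG_INIT_LEN + MAX_PAD

# Hypothetical egress allowlist: (protocol, destination port) pairs.
ALLOWED_EGRESS = {("tcp", 443), ("tcp", 80), ("udp", 53), ("udp", 123)}

def egress_verdict(proto: str, dport: int, payload: bytes) -> str:
    # Default-deny: the decision never depends on recognising the payload.
    if (proto, dport) not in ALLOWED_EGRESS:
        return "drop"
    return "flag" if signature_match(payload) else "accept"

def evaluate(flows):
    return [(name, signature_match(p), in_size_window(p), egress_verdict(proto, port, p))
            for name, proto, port, p in flows]

# Constructed sample flows: (label, protocol, destination port, first payload).
SAMPLE_FLOWS = [
    ("stock-wg", "udp", 51820, stock_init()),
    ("obfuscated", "udp", 40123, obfuscated_init(pad=37, header=0x5A17C3E9)),
    ("dns", "udp", 53, os.urandom(160)),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print(row)
```

The size window is true for all three sample flows, including the unrelated 160-byte datagram, which is why a single packet proves nothing and the comment speaks of gathering data over long timescales.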

[–] Allero@lemmy.today 7 points 10 hours ago

As someone living in Russia, it indeed works to trick complex DPI systems. Unlike classic Wireguard, it works.

[–] probable_possum@leminal.space 9 points 12 hours ago (4 children)
[–] non_burglar@lemmy.world 12 points 10 hours ago (1 children)

Deep packet inspection. Looking for patterns in the actual headers and payload of packets. Computationally expensive.

[–] probable_possum@leminal.space 5 points 9 hours ago* (last edited 7 hours ago)

Thanks to all repliers. My brain came up with dots per inch, which didn't make any sense at all.

[–] noahimesaka1873@lemmy.funami.tech 20 points 12 hours ago

Deep Packet Inspection

[–] autriyo@feddit.org 3 points 11 hours ago

Wasn't sure either, looked it up quickly...

In this context it's probably referring to Deep Packet Inspection, some technique to determine traffic type, and then blocking specific (Wireguard and/or OVPN) traffic.

[–] devfuuu@lemmy.world 1 points 9 hours ago (1 children)
[–] DataCrime@lemmy.dbzer0.com 2 points 4 hours ago

This baby’s built for deep penetration, not speed!

[–] irmadlad@lemmy.world 4 points 11 hours ago (1 children)

> WireGuard is blocked by DPI in 10+ countries now.

So, explain this to me. I hear people talk about blocked VPNs, and it's true that some websites do block most, if not all, VPN. However, you mentioned Russia, and I use Wireguard, and I have no issues accessing Russian sites. I just visited government.ru. So, is the problem getting out of Russia, or getting in?

[–] rtxn@lemmy.world 19 points 11 hours ago* (last edited 11 hours ago) (1 children)

> Been running it from Russia where stock WireGuard stopped working mid-2025.

Sounds like the issue is ISPs within Russia blocking outgoing Wireguard traffic from customers.

If the traffic exits the tunnel without hitting a Russian ISP (e.g. a Mullvad exit node in Sweden that routes the unencrypted traffic to the destination), you won't be affected. If the exit node is behind a Russian ISP, it might get filtered by DPI depending on which direction is subject to the filter.

[–] irmadlad@lemmy.world 1 points 10 hours ago (1 children)

Right, but if you have the ability to block wireguard coming out of Russia, wouldn't it make sense to block Wireguard or any other VPN protocol into Russia? I mean, China is rather notorious for blocking VPN usage but citizens still use them to access the internet. I would imagine Chinese citizens would use something like a combination of WireGuard with obfuscation like stunnel, cloaking, domain fronting-like setups, and proxy chains.

[–] rtxn@lemmy.world 6 points 10 hours ago

Read my comment again, it has the answer. Most VPN services do not provide end-to-end tunnelling. If the exit node is located outside Russia, then what enters the Russian internet will be simple HTTPS traffic.

[–] Decronym@lemmy.decronym.xyz 2 points 10 hours ago* (last edited 4 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |

5 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #217 for this comm, first seen 6th Apr 2026, 13:00] [FAQ] [Full list] [Contact] [Source code]

[–] Allero@lemmy.today 1 points 10 hours ago* (last edited 10 hours ago)

Alternatively, you can download the Amnezia VPN client app on your phone or PC, and it has this amazing function where you provide the IP and root credentials, and it installs server software automatically.

Obviously, only use it when you don't have other things running on your server.

Advantages:

  • No need to install anything manually, just direct Amnezia VPN client to a blank Linux server or VPS
  • You can install all sorts of protocols in this manner, not only AmneziaWG (which often fails in Russia, for example). Options include OpenVPN (basic and over Shadowsocks/Cloak), classic Wireguard, IPsec, Xray.

Disadvantages:

  • It doesn't show the SSH terminal as it goes installing things on your server and goes fully automatic, reducing user control and troubleshooting capabilities.