AmneziaWG

A WireGuard fork that survives DPI — with a friendly web UI.

Service #vpn#wireguard#network#privacy#security

AmneziaWG is a fork of WireGuard that adds traffic obfuscation against Deep Packet Inspection (DPI). Wire-compatible with standard WireGuard in mode "off", but capable of disguising packets so they pass through restrictive networks (Russian RKN, Iranian filtering, GFW probes) that block vanilla WireGuard. This template packages AmneziaWG with the friendly wg-easy web UI.

Deploy with Pier

1 Open the Pier dashboard and click Add service.
2 Pick AmneziaWG from the template list.
3 Choose the version, set a service name, and Pier provisions the container, storage, and ports automatically.
4 Attach a domain if you want HTTPS. Traefik auto-provisions the Let's Encrypt certificate.

What is AmneziaWG?

AmneziaWG is an open-source fork of WireGuard that adds an obfuscation layer designed to defeat Deep Packet Inspection (DPI). Vanilla WireGuard has a very recognizable packet shape — fixed-size handshakes, predictable timing — which makes it trivial for DPI firewalls in restrictive networks (Russian Roskomnadzor, Iran’s filtering, China’s GFW probes) to identify and block.

AmneziaWG keeps the WireGuard protocol semantics but randomizes packet size, adds junk traffic, and pads the initial handshake — enough to make the traffic shape no longer match WireGuard’s signature. With obfuscation parameters set to zero it falls back to plain WireGuard for compatibility with the official client.

This template packages AmneziaWG with the wg-easy web management UI (a fork that knows the AmneziaWG parameters), so you can add and remove clients, generate QR codes for mobile, and monitor traffic from a browser — no SSH, no wg-quick, no config-file editing.

How Pier deploys it

Pier uses the w0rng/amnezia-wg-easy image. Two ports — 51820/udp for VPN traffic, 51821/tcp for the web management UI (behind Traefik with TLS when you attach a custom domain in Pier).

On first launch you set the web UI password through env vars (Pier generates a strong one). Log in, set the WG_HOST to your VPS’s public IP or domain, optionally tweak the obfuscation parameters, and start adding clients. Each client gets a downloadable config file and a QR code for the AmneziaVPN mobile app.

The config volume mounts at /etc/wireguard and persists peer state across container restarts.

When NOT to use AmneziaWG

If your users aren’t in DPI-restricted networks, plain WireGuard (wg-easy proper) is simpler and slightly faster. For corporate VPN with identity-based access and granular ACLs, look at Tailscale, Twingate, or NetBird. For purely application-layer proxying (browser only), Shadowsocks or V2Ray is lighter. AmneziaWG is the precise answer to “I want self-hosted full-tunnel VPN that works in Russia / Iran / similar restrictive networks.”

Key features

DPI-resistant out of the box

AmneziaWG adds packet-length and timing obfuscation so traffic does not match WireGuard's distinctive signature. Survives RKN blocks that kill plain WireGuard.

Friendly web UI (wg-easy fork)

Manage clients from a browser — add, remove, regenerate keys, see live transfer stats, share QR codes for mobile clients. No wg-quick file editing.

Standard WireGuard clients work

AmneziaVPN client app is available for iOS/Android/Mac/Windows/Linux. With obfuscation off, the official WireGuard client also connects.

Per-client config QR codes

Scan with the AmneziaVPN app on mobile, instant connection. Same UX as classic wg-easy.

Tiny footprint

Sub-100 MB image, minimal CPU. AmneziaWG kernel performance with userspace obfuscation overhead — still hundreds of Mbps on a $5 VPS.

Survives RKN blocks in Russia

Used by tens of thousands of Russian users to bypass DPI blocks of standard VPN protocols (WireGuard, OpenVPN, IKEv2).

Use cases

Bypassing DPI-based blocks

Networks (countries, ISPs, corporate firewalls) that DPI-block WireGuard signatures. AmneziaWG's obfuscation defeats most of these.

Personal VPN with a friendly UI

Self-host a VPN for your phone and laptop. AmneziaWG + web UI is the easiest "WireGuard for non-CLI users" setup.

Family / small team VPN

Up to a few dozen clients on one VPS. Add users from the UI, QR-share on the spot.

Site-to-site or roaming worker setup

Connect a small office or remote workers to internal services. WireGuard's roaming and NAT traversal still apply.

Travel router upstream

Configure a GL.iNet travel router to route all hotel-Wi-Fi traffic through your AmneziaWG VPS. Plain WireGuard upstream often fails on captive portals; obfuscation helps.

Code examples

Add a client (web UI) text

1. Open https://vpn.example.com:51821
2. Login (web password set on first launch)
3. Click "+ New" → name the client
4. Click "Show QR" → scan with AmneziaVPN on phone
5. Connect on phone — internet now routes through your VPS

Server obfuscation config (Pier env) text

WG_HOST: vpn.example.com
WG_PORT: 51820
WG_JC: 5            # junk packet count
WG_JMIN: 50         # junk packet min size
WG_JMAX: 1000       # junk packet max size
WG_S1: 50           # init packet padding before
WG_S2: 100          # init packet padding after

AmneziaVPN client config (downloaded) ini

[Interface]
Address = 10.8.0.2/24
PrivateKey = <client-private>
Jc = 5
Jmin = 50
Jmax = 1000
S1 = 50
S2 = 100

[Peer]
PublicKey = <server-public>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25

SSH into the container (advanced) bash

docker exec -it pier-vpn sh
cat /etc/wireguard/wg0.conf   # See active config
wg show wg0                    # Live peer status

How it compares

vs Vanilla WireGuard (wg-easy)	Same UX, but DPI-blockable. If you're not in a restrictive network, vanilla WireGuard is simpler. AmneziaWG matters specifically where vanilla is blocked.
vs OpenVPN	OpenVPN with obfsproxy/Stunnel can also defeat DPI but is slower and has a larger attack surface. AmneziaWG is the modern lightweight alternative.
vs Shadowsocks / V2Ray	Shadowsocks/V2Ray are application-layer proxies (TCP-tunneling); AmneziaWG is a full IP-layer VPN. Different tools — Shadowsocks for browser-only proxy, AmneziaWG for full-tunnel VPN.
vs Outline / Algo / Streisand	Outline (Shadowsocks-based) and Algo/Streisand (WireGuard + IPsec scripts) all aim at simple VPN setup. AmneziaWG specifically adds obfuscation; the others don't.

Frequently asked questions

Will the official WireGuard client work?

With obfuscation parameters set to defaults (Jc/Jmin/Jmax/S1/S2 = 0), yes. With obfuscation enabled (the whole point of this template), you need the AmneziaVPN client, which speaks both standard and obfuscated WireGuard.

Is it actually blockable by DPI?

Russian RKN has not (as of late 2025) succeeded in mass-blocking obfuscated AmneziaWG traffic. Specific high-stakes networks may target you specifically; obfuscation is not invisibility.

Performance overhead?

5-15% throughput cost vs vanilla WireGuard on the same hardware. Hundreds of Mbps still readily achievable on a modest VPS.

What ports?

51820/udp for VPN traffic, 51821/tcp for the web management UI. Pier exposes both — protect the web UI with HTTPS via Traefik.

Multi-user / RBAC?

Single admin password to the web UI. Per-client configs are exported; no client-side authentication beyond the WireGuard keypair.

Killswitch / DNS leak protection?

That's a client-side concern. The AmneziaVPN apps include killswitch options. On laptops, configure your OS firewall to drop non-VPN traffic.

Logs?

Server logs WireGuard handshakes (timestamps, peer pubkeys, source IPs) by default. Disable in env if logs are a concern. No application-layer logs.

Related services

Deploy on your VPS

Deploy this service →