WARNING: THIS SITE IS A MIRROR OF GITHUB.COM / IT CANNOT LOGIN OR REGISTER ACCOUNTS / THE CONTENTS ARE PROVIDED AS-IS / THIS SITE ASSUMES NO RESPONSIBILITY FOR ANY DISPLAYED CONTENT OR LINKS / IF YOU FOUND SOMETHING MAY NOT GOOD FOR EVERYONE, CONTACT ADMIN AT ilovescratch@foxmail.com
Skip to content

amnezia-vpn/amneziawg-go

BranchesTags
 
 

Repository files navigation

Go Implementation of AmneziaWG

AmneziaWG is a contemporary version of the WireGuard protocol. It's a fork of WireGuard-Go and offers protection against detection by Deep Packet Inspection (DPI) systems. At the same time, it retains the simplified architecture and high performance of the original.

The precursor, WireGuard, is known for its efficiency but had issues with detection due to its distinctive packet signatures. AmneziaWG addresses this problem by employing advanced obfuscation methods, allowing its traffic to blend seamlessly with regular internet traffic. As a result, AmneziaWG maintains high performance while adding an extra layer of stealth, making it a superb choice for those seeking a fast and discreet VPN connection.

Usage

Simply run:

$ amneziawg-go wg0

This will create an interface and fork into the background. To remove the interface, use the usual ip link del wg0, or if your system does not support removing interfaces directly, you may instead remove the control socket via rm -f /var/run/amneziawg/wg0.sock, which will result in amneziawg-go shutting down.

To run amneziawg-go without forking to the background, pass -f or --foreground:

$ amneziawg-go -f wg0

When an interface is running, you may use amneziawg-tools to configure it, as well as the usual ip(8) and ifconfig(8) commands.

To run with more logging you may set the environment variable LOG_LEVEL=debug.

Platforms

Linux

This will run on Linux; you should run amnezia-wg instead of using default linux kernel module.

macOS

This runs on macOS using the utun driver. It does not yet support sticky sockets, and won't support fwmarks because of Darwin limitations. Since the utun driver cannot have arbitrary interface names, you must either use utun[0-9]+ for an explicit interface name or utun to have the kernel select one for you. If you choose utun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable. This runs on MacOS, you should use it from amneziawg-apple

Windows

This runs on Windows, you should use it from amneziawg-windows, which uses this as a module.

Building

This requires an installation of the latest version of Go.

$ git clone https://github.com/amnezia-vpn/amneziawg-go
$ cd amneziawg-go
$ make

Configuration

Note

If there is no value specified (for any param), AWG treats it as 0

Junk packets

The amount of junk packets specified in Jc with a random size between Jmin and Jmax would be generated and sent prior every handshake

  • Jc: int, recommended range is 4-12
  • Jmin: int <= Jmax:int

Tip

Junk packets do not carry any actual data, so there is no need to specify it on both sides. General recommendation is to use it on the client side only

Important

If Jmax >= system MTU (not the one specified in AWG), then the system can fracture this packet into fragments, which looks suspicious from the censor side

Message paddings

  • S1: int - padding of handshake initial message
  • S2: int - padding of handshake response message
  • S3: int - padding of handshake cookie message
  • S4: int - padding of transport messages

Message headers

Every message in wireguard has int32 type at the beginning of the packet. This field could be controlled by specifying the params below:

  • H1: string - header range of handshake initial message
  • H2: string - header range of handshake initial message
  • H3: string - header range of handshake cookie message
  • H4: string - header range of transport message

Values could be specified as:

  • range: x-y, x <= y; e.g. 123-456
  • single value 1234

Custom signature packets

These packets are being send prior to every handshake, in the same way as Junk packets do. The sending order is I1, I2, I3, I4, I5. If there is no value specified, the packet is skipped.

  • I1: string
  • I2: string
  • I3: string
  • I4: string
  • I5: string

Value is a sequence of tags specified below:

  • <b 0x[seq]> - static bytes tag. Dumps [seq] as-is to the packet. [seq] is hex-encoded sequence which represents bytes sequence (2 hex numbers per byte) and is always even-sized
  • <r [size]> - random bytes tag. Dumps [size] amount of randomly-generated bytes to the packet
  • <rd [size]> - random digits tag. Dumps [size] amount of randomly-generated bytes from [0-9] set to the packet
  • <rc [size]> - random chars tag. Dumps [size] amount of randomly-generated bytes from `[a-zA-Z] set to the packet
  • <t> - timestamp tag. Dumps 4-bytes long current system time in UNIX format
  • <c> - packet counter tag. Dumps 4-bytes long amount of packets sent by AWG

Tip

Custom signature packets does not carry any actual data, so there is no need to specify it on both sides. General recommendation is to use it on the client side only

Important

If the final size of any packet exceeds system MTU, it would be fractured into fragments, which looks suspicious

About

AmneziaWG VPN protocol

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1.2k stars

Watchers

19 watching

Forks

153 forks
Report repository

Releases

61 tags

Packages

No packages published

Languages

  • Go 95.8%
  • Shell 3.9%
  • Other 0.3%