Affiliate disclosure — This article contains Contabo affiliate links. If you rent a VPS through one of them, we earn a commission at no extra cost to you. Every command and parameter below is documented from the official AmneziaWG project, not from in-house tests.
WireGuard is fast, modern, and easy to self-host. It has one weakness: it is easy to spot. The protocol uses fixed packet headers and predictable packet sizes, so a network that runs deep packet inspection (DPI) can recognize WireGuard traffic and block it. That is exactly what some mobile carriers, strict corporate firewalls, and national filters do.
AmneziaWG is the answer to that problem. It is a fork of WireGuard that keeps the same cryptography and the same speed, but changes the shape of the traffic so DPI can no longer fingerprint it. This guide explains what AmneziaWG actually does, what each obfuscation setting means, and how to self-host the server side on your own VPS.
Why plain WireGuard gets detected
DPI does not need to break the encryption to block you. It only needs to recognize the pattern. WireGuard makes that easy in three ways:
- Fixed message headers. Each WireGuard packet starts with a known type field. A filter can read the first bytes and say "this is a WireGuard handshake."
- Predictable packet sizes. The handshake messages have set lengths. A filter can match on those lengths alone.
- A clear handshake burst. The connection always opens the same way, so the start of a session stands out.
Put together, these traits give WireGuard a clean signature. Once a network knows that signature, it can drop the packets and your tunnel simply never connects.
What AmneziaWG changes
AmneziaWG is described by its authors as a contemporary version of WireGuard with obfuscation built in. It removes the signature using a few independent tools. You turn them on with extra fields in the [Interface] section of your config.
Here is what each group of settings does, based on the official Amnezia documentation.
Junk packets — Jc, Jmin, Jmax
Before the real handshake, AmneziaWG can send a short series of random "junk" packets.
- Jc is how many junk packets to send. The docs recommend a value of 4 to 12.
- Jmin and Jmax set the random size range for those packets, recommended around 8 and 80 bytes.
Junk packets blur the clean handshake burst that DPI looks for. They are recommended on the client side, and they may differ between the two peers.
Message padding — S1, S2
S1 and S2 add random padding to the handshake messages — S1 to the init message and S2 to the response. The recommended range is roughly 15 to 150 bytes. This breaks the "predictable packet size" signal: the messages no longer have a fixed, matchable length.
Header randomization — H1, H2, H3, H4
H1 to H4 replace WireGuard's fixed message-type headers with values drawn from ranges you choose. For each packet sent, a random value is picked from the range; on the other side, any value inside the range is accepted. The four ranges must be different from each other and must not overlap. This is the change that erases the most obvious WireGuard signature.
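To make the signature concrete, here is a small classifier of the kind a DPI rule implements, matching only on the first four bytes and the total length. It is an added example, not code from the AmneziaWG project. The payloads are constructed, and reshaped_init is a simplified model of the S1/H1 settings as this page describes them, not the project's exact wire format.

```python
import os
import struct

# Fixed sizes of the plain WireGuard handshake messages, keyed by message type.
WG_HANDSHAKE = {1: ("wg-handshake-init", 148),
                2: ("wg-handshake-response", 92),
                3: ("wg-cookie-reply", 64)}

def classify(payload: bytes) -> str:
    """Label a UDP payload from its first four bytes and its length alone."""
    if len(payload) < 4:
        return "unknown"
    # Plain WireGuard: one type byte plus three zero bytes, i.e. a little-endian u32.
    (msg_type,) = struct.unpack("<I", payload[:4])
    name, size = WG_HANDSHAKE.get(msg_type, ("unknown", -1))
    return name if len(payload) == size else "unknown"

def plain_init() -> bytes:
    """Constructed sample: type-1 header, random bytes standing in for the rest."""
    return struct.pack("<I", 1) + os.urandom(144)

def reshaped_init(s1: int, h1: int) -> bytes:
    """Assumed, simplified model: S1 random bytes first, then H1 where the
    fixed type field used to be, then the rest of the message."""
    return os.urandom(s1) + struct.pack("<I", h1) + os.urandom(144)

if __name__ == "__main__":
    samples = (("plain", plain_init()),
               ("reshaped", reshaped_init(86, 1234567)))
    for label, pkt in samples:
        print(label, len(pkt), classify(pkt))
```

The plain message matches on header and length together; the reshaped one has neither the fixed first bytes nor a fixed size, so the same rule returns "unknown".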
The rule that trips people up: which params must match
This is where most failed setups go wrong, so it deserves its own section.
Per the official Amnezia documentation: all parameters must be the same between client and server, except Jc, Jmin and Jmax, which may vary.
In plain terms:
- S1, S2, H1, H2, H3, H4 → must be identical on both peers. They tell each side where the real, meaningful data begins. If they disagree, the receiver cannot find the real packet and the handshake silently fails.
- Jc, Jmin, Jmax → may differ per peer. They are recommended on the client.
So the fix for "AmneziaWG won't connect" is almost always the same: check that the headers and padding match exactly on both ends.
Self-hosting the server on a VPS
AmneziaWG installs on a normal Linux VPS the same way WireGuard does. You need a server with full root access and a public IPv4 address. A small box such as a Contabo VPS S at €4.99/month is enough, and you can reuse the same machine that already runs your WireGuard setup.
Install on Ubuntu or Debian
The Amnezia project ships an official PPA. On Ubuntu:
sudo add-apt-repository ppa:amnezia/ppa
sudo apt update
sudo apt install amneziawg amneziawg-tools
The package provides the kernel module — with DKMS support on capable systems, so it rebuilds after kernel upgrades — and the userspace tools. The command-line tools are awg and awg-quick, which mirror wg and wg-quick. If you already know WireGuard, the workflow is the same.
Write the server config
Create /etc/amnezia/amneziawg/awg0.conf. It looks like a WireGuard config plus the obfuscation fields in [Interface]:
[Interface]
PrivateKey = <server-private-key>
Address = 10.13.13.1/24
ListenPort = 51820
# Obfuscation — these must match on the client too
Jc = 8
Jmin = 8
Jmax = 80
S1 = 86
S2 = 118
H1 = 1234567
H2 = 7654321
H3 = 3141592
H4 = 2718281
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.13.13.2/32
Pick your own random values — the numbers above are placeholders. The only hard rules are: keep S1/S2 and H1-H4 inside the recommended ranges, keep the four H ranges distinct, and copy S1, S2, H1, H2, H3, H4 exactly into the client config.
Bring the tunnel up:
sudo awg-quick up awg0
Check it with sudo awg show, the same way you would run wg show.
The matching client config
The client config repeats the same S and H values. Only the junk settings are free to differ:
[Interface]
PrivateKey = <client-private-key>
Address = 10.13.13.2/24
DNS = 10.13.13.1
# Must match the server
S1 = 86
S2 = 118
H1 = 1234567
H2 = 7654321
H3 = 3141592
H4 = 2718281
# May differ from the server
Jc = 10
Jmin = 8
Jmax = 80
[Peer]
PublicKey = <server-public-key>
Endpoint = your-vps-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
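Because a mismatch fails silently, it is worth checking the pair of configs before deploying them. The script below is an added example, not part of the AmneziaWG tooling: it compares the must-match fields, checks that H1-H4 are distinct, and flags values outside the ranges quoted on this page. It assumes single integer values, as in the configs above, and the sample configs are constructed from them.

```python
import re

MUST_MATCH = ("S1", "S2", "H1", "H2", "H3", "H4")   # identical on both peers
RECOMMENDED = {"Jc": (4, 12), "S1": (15, 150), "S2": (15, 150)}  # ranges quoted above

def interface_params(conf: str) -> dict:
    """Collect integer-valued keys from the [Interface] section of a config."""
    params, section = {}, ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "interface" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.isdigit():                      # keys, addresses etc. are skipped
                params[key] = int(value)
    return params

def check_pair(server_conf: str, client_conf: str) -> list:
    """Return human-readable problems; an empty list means the pair is consistent."""
    srv, cli = interface_params(server_conf), interface_params(client_conf)
    problems = [f"{k} differs: server={srv.get(k)} client={cli.get(k)}"
                for k in MUST_MATCH if srv.get(k) != cli.get(k)]
    for side, p in (("server", srv), ("client", cli)):
        headers = [p[k] for k in ("H1", "H2", "H3", "H4") if k in p]
        if len(set(headers)) != len(headers):
            problems.append(f"{side}: H1-H4 values must all be different")
        for key, (lo, hi) in RECOMMENDED.items():
            if key in p and not lo <= p[key] <= hi:
                problems.append(f"{side}: {key}={p[key]} outside recommended {lo}-{hi}")
    return problems

# Constructed samples: the obfuscation fields from the two configs on this page.
SERVER = """[Interface]
Jc = 8
S1 = 86
S2 = 118
H1 = 1234567
H2 = 7654321
H3 = 3141592
H4 = 2718281
[Peer]
AllowedIPs = 10.13.13.2/32
"""
CLIENT_OK = SERVER.replace("Jc = 8", "Jc = 10")      # junk count may differ
CLIENT_BAD = CLIENT_OK.replace("S2 = 118", "S2 = 120").replace("H4 = 2718281", "H4 = 1234567")
if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT_OK), check_pair(SERVER, CLIENT_BAD), sep="\n")
```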
There are official AmneziaWG clients for Windows, Apple platforms, Android, and the userspace amneziawg-go implementation, so the same server works with desktop and mobile.
AmneziaWG vs plain WireGuard — when to use which
AmneziaWG is not a straight upgrade. It is a targeted tool. Use this quick guide:
- Open home or office network → plain WireGuard. It is simpler, and there is nothing to hide from.
- Carrier, firewall, or country that blocks WireGuard → AmneziaWG. The obfuscation is the whole point.
- You want the lightest possible tunnel → plain WireGuard. Obfuscation adds a little overhead.
- You already self-host WireGuard and it stopped connecting on a new network → try AmneziaWG on the same VPS before assuming the server is broken.
The honest summary: AmneziaWG solves detection, not speed and not privacy. The encryption is the same WireGuard you already trust. What changes is whether a filter can see it.
Sources and references:
- AmneziaWG — official documentation
- amneziawg-go — Go implementation
- amneziawg-tools — userspace tooling
- amneziawg-linux-kernel-module
Published 2026-06-23. All parameters, ranges, and install steps are taken from the official AmneziaWG project documentation and repositories linked above. Always confirm the current recommended values in the official docs before deploying, since the project updates them over time.
Reminder: WireGuard, AmneziaWG, and self-hosting your own VPN are legal in the EU, US, Canada, and most democratic countries. VPNSmith publishes this content for educational purposes.
