Ivan Bondarev

Self-Hosted DPI-Bypass VPN on Oracle Cloud Always Free ARM

If you're reading this from a place where stock WireGuard stopped working mid-2025, you already know the problem: ISPs fingerprint the WireGuard handshake and kill the tunnel in minutes. Iran, Russia, Turkmenistan, and a handful of other countries now DPI-filter WireGuard at carrier level.

AmneziaWG is a fork that randomizes the parts of the protocol DPI uses to identify it — junk packets, randomized header hashes, CPS packets that mimic QUIC or DNS. Same crypto as WireGuard underneath, roughly 5-10% CPU overhead from the obfuscation work.

I wrote amneziawg-installer to handle the server side in one bash command. v5.9.0 added prebuilt ARM kernel modules, so it now runs cleanly on Oracle Cloud's Ampere A1 — which Oracle gives away on the Always Free tier (up to 4 OCPU / 24 GB RAM at no cost). The combo is the cheapest self-hosted DPI-bypass VPN you can stand up: $0/month, about 10 minutes of work.

Here's the setup, end to end.

Prerequisites

  • Oracle Cloud account with Always Free tier enabled. Card is required for ID verification; you're not charged as long as you stay within free limits.
  • An SSH key pair. Run ssh-keygen -t ed25519 on your laptop if you don't have one.
  • The AmneziaWG client on your phone or desktop: iOS, Android, or the full Amnezia VPN client with vpn:// URI import on Windows/macOS/Linux.

Create the Ampere A1 instance

In the OCI console, go to Compute → Instances → Create instance.

  • Name: awg-vpn (or whatever you want).
  • Image: Canonical Ubuntu 24.04. The installer also supports 25.10, Debian 12 and 13, but 24.04 LTS is the least surprising.
  • Shape: VM.Standard.A1.Flex (Ampere ARM). Start with 2 OCPUs and 12 GB RAM. The free limit is 4/24, but Oracle has been aggressively reclaiming oversized idle instances since 2024. A 2/12 box has been stable for me for months.
  • Networking: create a new VCN if you don't have one, and assign a public IPv4.
  • SSH keys: paste the content of your ~/.ssh/id_ed25519.pub.

Click Create. The instance comes up in about a minute. Copy the public IP from the instance details page — that's your VPN endpoint.

Open UDP/51820

OCI's default security list blocks everything inbound except TCP/22. You need to let AmneziaWG traffic in.

Go to Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List → Add Ingress Rule:

  • Source CIDR: 0.0.0.0/0
  • IP Protocol: UDP
  • Destination Port Range: 51820

Save. If you want a different VPN port, pass --port=<N> to the installer and match it here. That's the only network change you need.

SSH in and run the installer

ssh ubuntu@<your-public-ip>
sudo -i
wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.9.0/install_amneziawg_en.sh
chmod +x install_amneziawg_en.sh
./install_amneziawg_en.sh --yes

What happens:

  1. OS check, base packages, kernel sysctl tweaks. The box reboots.
  2. SSH back in and re-run the same script. On ARM it downloads a prebuilt .deb of the kernel module matching your running kernel. If your kernel is newer than the latest prebuilt, it falls back to DKMS automatically (slower, still works).
  3. Second reboot. SSH back. One more re-run. Done.

Total time: ~5-10 minutes on a 2-OCPU Ampere instance.

At the end you get a summary with the endpoint, port, and the path to the first client config.

Generate a client config

/root/awg/manage_amneziawg.sh add phone

This produces three things:

  • /root/awg/clients/phone/phone.conf — the plain .conf file
  • A QR code printed to the terminal for scanning with the AmneziaWG mobile app
  • /root/awg/phone.vpnuri — a vpn:// URI for one-click import into the desktop Amnezia VPN client

Scan the QR with the AmneziaWG app on your phone and connect. curl ifconfig.me from the phone should return your Oracle IP.

What if the default still gets blocked

On a few mobile carriers — Yota, Tele2, Megafon in Moscow, and a handful of regional ISPs — the default Jc (junk packet count) is too aggressive and the handshake fails. The fix is to edit /etc/amnezia/amneziawg/awg0.conf on the server, drop Jc to 3 or 2, restart the service, and regenerate the client:

sudo systemctl restart awg-quick@awg0
/root/awg/manage_amneziawg.sh regen phone

Push the new config to the phone. Operator-by-operator tuning notes (which values worked where) are in ADVANCED.en.md.
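
The Jc edit described above, as an added example (not from this post's installer project): a small shell helper that changes the value in place, keeps a backup, and leaves the file owner-only, since awg0.conf also holds the server's private key. It assumes the config has exactly one `Jc = <n>` line; the function names and the sample config are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of amneziawg-installer.
# Assumes awg0.conf holds exactly one "Jc = <n>" line in [Interface].

# Print the current Jc value of a config file.
get_jc() {
    sed -nE 's/^[[:space:]]*Jc[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1"
}

# set_jc <conf> <value>: rewrite Jc in place, leaving <conf>.bak behind.
set_jc() {
    conf="$1"; new="$2"
    case "$new" in
        ''|*[!0-9]*) echo "Jc must be a plain integer" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Refuse to guess if the line is missing or duplicated.
    count=$(grep -Ec '^[[:space:]]*Jc[[:space:]]*=' "$conf" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 Jc line, found $count" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # The file contains the server private key: keep it owner-only.
    chmod 600 "$tmp"
    if sed -E "s/^([[:space:]]*Jc[[:space:]]*=[[:space:]]*).*/\\1$new/" "$conf" > "$tmp"; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample config (all values made up) to try the helper offline.
demo_set_jc() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/awg0.conf" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
ListenPort = 51820
Jc = 6
S1 = 50
EOF
    set_jc "$dir/awg0.conf" 3 && get_jc "$dir/awg0.conf"
    rm -rf "$dir"
}

# On the server: set_jc /etc/amnezia/amneziawg/awg0.conf 3
```

After it returns, restart awg-quick@awg0 and regenerate the client with the two commands shown above.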

Gotchas

  • Oracle reclaim policy. If your Ampere instance idles near 0% CPU for long stretches, OCI may flag it as unused and reclaim it. Running an active VPN is usually enough activity. If you're not using it much, a cron job like stress-ng --cpu 1 --timeout 60 a couple of times a week keeps the instance visible.
  • Kernel updates. When Ubuntu ships a new kernel, the AmneziaWG module rebuilds via DKMS on the next reboot — no manual steps, but if you had a prebuilt .deb match before, you may fall back to DKMS until the installer ships a newer matching module.
  • Don't use the stock WireGuard client. It silently ignores Jc, S1-S4, H1-H4, and I1-I5 — you'll connect, but in plain-WG mode, which is the thing DPI blocks.
  • IPv6. The installer disables host IPv6 by default on a VPN box. Pass --allow-ipv6 to keep it on.
  • Detection vs. blocking. AmneziaWG defeats rule-based DPI in real time. Sustained statistical analysis can probably still fingerprint obfuscated traffic given enough samples — that's a per-target surveillance cost model, not an ISP-level blocking model. For getting around the ISP blocking that's actually happening in Russia and Iran right now, per-install randomization is what matters.

Cost check

  • Oracle Always Free ARM: $0 for up to 4 OCPU / 24 GB RAM (or 2/12 as I recommend above)
  • AmneziaWG server: MIT, FOSS
  • amneziawg-installer: MIT, FOSS
  • Egress: 10 TB/month free on OCI

Total: $0. The only path to a paid setup is exceeding 10 TB egress per month, which is hard to do as a personal VPN.

Links

If you hit a carrier-specific issue, open an issue on the installer repo with the carrier name and region — those reports are how we got the mobile fixes in the 5.8.x branch.
