DEV Community: Ivan Bondarev

Self-Hosted DPI-Bypass VPN on Oracle Cloud Always Free ARM

Ivan Bondarev — Thu, 16 Apr 2026 16:48:49 +0000

If you're reading this from a place where stock WireGuard stopped working mid-2025, you already know the problem: ISPs fingerprint the WireGuard handshake and kill the tunnel in minutes. Iran, Russia, Turkmenistan, and a handful of other countries now DPI-filter WireGuard at carrier level.

AmneziaWG is a fork that randomizes the parts of the protocol DPI uses to identify it — junk packets, randomized header hashes, CPS packets that mimic QUIC or DNS. Same crypto as WireGuard underneath, roughly 5-10% CPU overhead from the obfuscation work.

I wrote amneziawg-installer to handle the server side in one bash command. v5.9.0 added prebuilt ARM kernel modules, so it now runs cleanly on Oracle Cloud's Ampere A1 — which Oracle gives away on the Always Free tier (up to 4 OCPU / 24 GB RAM at no cost). The combo is the cheapest self-hosted DPI-bypass VPN you can stand up: $0/month, about 10 minutes of work.

Here's the setup, end to end.

Prerequisites

Oracle Cloud account with Always Free tier enabled. Card is required for ID verification; you're not charged as long as you stay within free limits.
An SSH key pair. ssh-keygen -t ed25519 on your laptop if you don't have one.
The AmneziaWG client on your phone or desktop: iOS, Android, or the full Amnezia VPN client with vpn:// URI import on Windows/macOS/Linux.

Create the Ampere A1 instance

In the OCI console, go to Compute → Instances → Create instance.

Name: awg-vpn (or whatever you want).
Image: Canonical Ubuntu 24.04. The installer also supports 25.10, Debian 12 and 13, but 24.04 LTS is the least surprising.
Shape: VM.Standard.A1.Flex (Ampere ARM). Start with 2 OCPUs and 12 GB RAM. The free limit is 4/24, but Oracle has been aggressively reclaiming oversized idle instances since 2024. A 2/12 box has been stable for me for months.
Networking: create a new VCN if you don't have one, and assign a public IPv4.
SSH keys: paste the content of your ~/.ssh/id_ed25519.pub.

Click Create. The instance comes up in about a minute. Copy the public IP from the instance details page — that's your VPN endpoint.

Open UDP/51820

OCI's default security list blocks everything inbound except TCP/22. You need to let AmneziaWG traffic in.

Go to Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List → Add Ingress Rule:

Source CIDR: 0.0.0.0/0
IP Protocol: UDP
Destination Port Range: 51820

Save. If you want a different VPN port, pass --port=<N> to the installer and match it here. That's the only network change you need.

SSH in and run the installer

ssh ubuntu@<your-public-ip>
sudo -i
wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.9.0/install_amneziawg_en.sh
chmod +x install_amneziawg_en.sh
./install_amneziawg_en.sh --yes

What happens:

OS check, base packages, kernel sysctl tweaks. The box reboots.
SSH back in and re-run the same script. On ARM it downloads a prebuilt .deb of the kernel module matching your running kernel. If your kernel is newer than the latest prebuilt, it falls back to DKMS automatically (slower, still works).
Second reboot. SSH back. One more re-run. Done.

Total time: ~5-10 minutes on a 2-OCPU Ampere instance.

At the end you get a summary with the endpoint, port, and the path to the first client config.

Generate a client config

/root/awg/manage_amneziawg.sh add phone

This produces three things:

/root/awg/clients/phone/phone.conf — the plain .conf file
A QR code printed to the terminal for scanning with the AmneziaWG mobile app
/root/awg/phone.vpnuri — a vpn:// URI for one-click import into the desktop Amnezia VPN client

Scan the QR with the AmneziaWG app on your phone and connect. curl ifconfig.me from the phone should return your Oracle IP.

What if the default still gets blocked

On a few mobile carriers — Yota, Tele2, Megafon in Moscow, and a handful of regional ISPs — the default Jc (junk packet count) is too aggressive and the handshake fails. The fix is to edit /etc/amnezia/amneziawg/awg0.conf on the server, drop Jc to 3 or 2, restart the service, and regenerate the client:

sudo systemctl restart awg-quick@awg0
/root/awg/manage_amneziawg.sh regen phone

Push the new config to the phone. Operator-by-operator tuning notes (which values worked where) are in ADVANCED.en.md.

Gotchas

Oracle reclaim policy. If your Ampere instance idles near 0% CPU for long stretches, OCI may flag it as unused and reclaim it. Running an active VPN is usually enough activity. If you're not using it much, a cron job like stress-ng --cpu 1 --timeout 60 a couple of times a week keeps the instance visible.
Kernel updates. When Ubuntu ships a new kernel, the AmneziaWG module rebuilds via DKMS on the next reboot — no manual steps, but if you had a prebuilt .deb match before, you may fall back to DKMS until the installer ships a newer matching module.
Don't use the stock WireGuard client. It silently ignores Jc, S1-S4, H1-H4, and I1-I5 — you'll connect, but in plain-WG mode, which is the thing DPI blocks.
IPv6. The installer disables host IPv6 by default on a VPN box. Pass --allow-ipv6 to keep it on.
Detection vs. blocking. AmneziaWG defeats rule-based DPI in real time. Sustained statistical analysis can probably still fingerprint obfuscated traffic given enough samples — that's a per-target surveillance cost model, not an ISP-level blocking model. For getting around the ISP blocking that's actually happening in Russia and Iran right now, per-install randomization is what matters.

Cost check

Oracle Always Free ARM: $0 for up to 4 OCPU / 24 GB RAM (or 2/12 as I recommend above)
AmneziaWG server: MIT, FOSS
amneziawg-installer: MIT, FOSS
Egress: 10 TB/month free on OCI

Total: $0. The only path to a paid setup is exceeding 10 TB egress per month, which is hard to do as a personal VPN.

AmneziaWG 2.0 in 5 Minutes: DPI-Resistant VPN That WireGuard Can't Match

Ivan Bondarev — Mon, 06 Apr 2026 16:56:11 +0000

WireGuard is blocked or throttled in Russia, China, Iran, UAE, Turkmenistan, and a bunch of other countries. If yours stopped working — you can replace it with AmneziaWG 2.0 in about 5 minutes. Same WireGuard speed, same crypto, but the traffic looks like random noise to DPI.

No Linux skills needed. Three commands and you're done.

What You Need

A clean VPS — any $3-5/month server works (1 GB RAM is plenty)
Ubuntu 24.04 / 25.10 or Debian 12 / 13 on that server
SSH access — your provider gives you an IP, login, and password

Don't have a VPS yet? Grab one from Hetzner, DigitalOcean, Vultr, or wherever — just make sure the datacenter is outside your country. Cheapest tier is fine.

Step 1 — Install (3 commands)

SSH into your server and run:

wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/main/install_amneziawg_en.sh
chmod +x install_amneziawg_en.sh
sudo bash ./install_amneziawg_en.sh

The installer asks a few questions (port, subnet, number of clients) — defaults work for most setups. Hit Enter through them or use --yes for fully automatic mode:

sudo bash ./install_amneziawg_en.sh --yes

It reboots twice (kernel updates). Just re-run the same script after each reboot — it picks up where it left off. Whole thing takes about 5 minutes.

Step 2 — Connect Your Devices

After installation, you'll find client config files in /root/awg/:

.conf files — import into any AmneziaWG client
.png files — QR codes, scan from your phone
.vpnuri files — one-tap import for Amnezia VPN app

Which client to use:

Platform	Client	Link
All platforms	Amnezia VPN (recommended)	Download
Windows	AmneziaWG	Download
Android	AmneziaWG	Google Play
iOS	AmneziaWG	App Store
Android (FOSS)	WG Tunnel	F-Droid / GitHub

Quickest way: Install Amnezia VPN on your phone, scan the QR code. Done.

Step 3 — Verify

Open a browser and go to ifconfig.me. If you see your server's IP instead of your home IP — you're on the VPN.

On the server:

sudo awg show awg0

Look for latest handshake under your peer — if it shows a recent timestamp, you're good.

Managing Clients

Need to add a phone, laptop, or share access with someone?

# Add a new client
sudo bash /root/awg/manage_amneziawg.sh add my_laptop

# Give someone temporary access (auto-expires)
sudo bash /root/awg/manage_amneziawg.sh add guest --expires=7d

# See who's connected and how much traffic they used
sudo bash /root/awg/manage_amneziawg.sh stats

# Remove a client
sudo bash /root/awg/manage_amneziawg.sh remove guest

# List all clients
sudo bash /root/awg/manage_amneziawg.sh list

Each add generates a new .conf + QR code + vpn:// URI.

What's Running Under the Hood

The installer sets up AmneziaWG 2.0 — a WireGuard fork that randomizes packet headers, adds padding, and sends decoy packets before the handshake. DPI can't fingerprint it because every server speaks its own "dialect" of the protocol.

It runs as a kernel module (not the slower userspace Go implementation), so you get near-WireGuard speeds. The crypto is identical — Curve25519, ChaCha20-Poly1305, same as stock WireGuard.

The installer also hardens the server — UFW firewall with deny-all policy, Fail2Ban, and some kernel/network tuning.

I wrote a detailed breakdown of how the obfuscation works here.

AmneziaWG 2.0: Self-Host an Obfuscated WireGuard VPN That Bypasses DPI

Ivan Bondarev — Wed, 11 Mar 2026 14:10:22 +0000

The Problem: WireGuard Is Easy to Block

WireGuard is a great VPN protocol — fast, lean, well-audited crypto. But it has one glaring weakness: predictability.

Every WireGuard packet starts with a 4-byte header containing a message type: 1 for handshake initiation, 2 for response, 3 for cookie, 4 for data. The handshake init is always exactly 148 bytes. These are strong, static signatures that DPI systems fingerprint without breaking a sweat.

And they do. WireGuard is actively blocked in 10+ countries right now. In Russia, standard WireGuard has roughly a 12% success rate. Iran sees 98% packet loss. China's Great Firewall picks it up within seconds. Egypt, Turkmenistan, Myanmar, Pakistan, UAE, Turkey, Belarus, Uzbekistan, Kazakhstan — all confirmed blocking or throttling at the DPI level.

I'm based in Russia, and I watched this unfold firsthand. Through most of 2024, my WireGuard tunnels worked fine. Then they started dropping — not all at once, but ISP by ISP, week by week. Russia's TSPU (Technical Means of Countering Threats — essentially DPI boxes installed at every major provider) learned to identify WireGuard traffic and silently kill it. Handshakes just stopped completing. No error, no timeout message — the packets simply vanished.

That's what pushed me to build an open-source installer for AmneziaWG 2.0, a WireGuard fork with protocol-level obfuscation. Here's how the protocol works under the hood, and how to get it running on your own server.

How DPI Catches WireGuard

Standard WireGuard uses fixed 32-bit message types for its four packet types. A DPI system needs a trivially simple heuristic:

UDP packet + known header value (1-4) + predictable packet size = WireGuard

Handshake init is always 148 bytes. Response is always 92 bytes. These invariant sizes are a dead giveaway. Once the DPI box flags a WireGuard session, it can block the IP, throttle the connection, or silently drop every packet.

What AmneziaWG 2.0 Does About It

AmneziaWG is a WireGuard fork by the Amnezia VPN team. It changes the transport layer to resist DPI while leaving the cryptographic core (Curve25519, ChaCha20-Poly1305, Noise IK) untouched.

The first version (AWG 1.x) replaced standard headers with custom fixed values. Helped for a while, but a patient DPI system could learn the new static values just as well.

AWG 2.0 (late 2025) took a different path: randomize everything, every time.

How the Obfuscation Actually Works

Dynamic Headers (H1-H4)

Instead of fixed header values, AWG 2.0 uses ranges. Every time a packet goes out, a random value is picked from within the configured range:

H1 = 100000-800000         # Handshake init
H2 = 1000000-8000000       # Handshake response
H3 = 10000000-80000000     # Cookie
H4 = 100000000-800000000   # Data transport

Ranges must not overlap — the protocol still needs to tell packet types apart. But the result is that every packet looks different on the wire. There's no single header value for DPI to latch onto.

Random Padding (S1-S4)

AWG pads packets with random bytes to break the fixed-size signatures:

Parameter	Packet Type	What happens
S1	Handshake init	Init becomes 148 + S1 bytes (bye-bye fixed 148)
S2	Handshake response	Response becomes 92 + S2 bytes
S3	Cookie (new in 2.0)	Pads cookie packets
S4	Data transport (new in 2.0)	Pads every data packet

S3 and S4 are the big additions in 2.0. S4 matters most — it touches every single data packet, which makes traffic analysis across the whole session much harder.

One gotcha: S1 + 56 must not equal S2. Why? Because 148 - 92 = 56, so if the padding values differ by exactly 56, the padded init and padded response end up the same size. That's a pattern you don't want.

CPS — Custom Protocol Signature (I1-I5)

Before the real WireGuard handshake, the client sends decoy packets that mimic another protocol's signature.

Parameters I1 through I5 define the content of up to 5 decoy packets using a tag format:

Tag	What it does
`<b 0xHEX>`	Insert specific bytes (hex-encoded)
`<r N>`	N cryptographically random bytes
`<rc N>`	N random alphanumeric chars [A-Za-z0-9]
`<rd N>`	N random decimal digits [0-9]
`<t>`	Current UNIX timestamp (4 bytes)
`<c>`	Packet counter (4 bytes)

Simple version: <r 128> — blast 128 random bytes. DPI sees a random UDP packet from who-knows-what.

Sneakier version: <b 0xc000000001><r 64><t> — starts with bytes that look like a QUIC Initial packet header, then random data, then a timestamp. A DPI box might classify this as the start of a normal QUIC session.

The server ignores CPS packets entirely — it just waits for the real handshake init that comes after.

Junk Packets (Jc, Jmin, Jmax)

Before each handshake, the client fires off Jc junk packets with random sizes between Jmin and Jmax bytes. Pure noise that makes the connection setup profile less recognizable.

What This All Adds Up To

Each AmneziaWG 2.0 server ends up with its own unique parameter set. There's no universal DPI signature that catches all AWG 2.0 traffic — every server is, in effect, speaking its own dialect.

Here's the 1.x-to-2.0 changelog:

Parameter	AWG 1.x	AWG 2.0
H1-H4	Fixed values	Ranges (random per packet)
S1-S2	Padding for init/response	Unchanged
S3	—	New: cookie padding
S4	—	New: data packet padding
I1-I5 (CPS)	Late addition	Fully supported
Jc/Jmin/Jmax	Junk packets	Unchanged
Crypto	WireGuard (untouched)	WireGuard (untouched)

What About Speed?

People always ask this, so let's get it out of the way.

You might have seen a "65% overhead" number floating around online. The AmneziaWG developers tracked that down to the userspace Go implementation (amneziawg-go), not the protocol itself. The kernel module (what my installer uses via DKMS) runs at near-WireGuard speeds.

Metric	WireGuard	AmneziaWG 2.0	OpenVPN
Crypto overhead	~4%	~4% (same crypto)	~15-20%
Obfuscation overhead	—	+3-7% (padding/junk)	+10% (obfs4)
Total overhead	~4%	<12%	~25-28%
Battery drain (4h streaming)	18%	19% (+1%)	~25%

Real-world benchmark on an uncensored network: WireGuard 95 Mbps, AmneziaWG 92 Mbps. That's a 3% difference — you won't notice it.

And in a censored network? The comparison is "92 Mbps vs 0 Mbps." If WireGuard is blocked, raw speed numbers don't mean much.

How It Stacks Up Against Alternatives

	WireGuard	AmneziaWG 2.0	OpenVPN+obfs4	Shadowsocks	VLESS+Reality
DPI resistance	None	High	Medium	Low (detectable)	Very High
Speed	Fastest	Near-WG (<12% OH)	Slow (~25% OH)	Medium	Medium-Fast
Full VPN tunnel	Yes	Yes	Yes	No (proxy)	No (proxy)
Runs in kernel	Yes	Yes (DKMS)	No	No	No
Setup complexity	Simple	Simple (installer)	Complex	Simple (Outline)	Complex
Transport	UDP	UDP (obfuscated)	TCP/UDP + TLS	TCP	TCP
Audited crypto	Yes	Inherits WG audit	Yes	Partial	No

No DPI in your country? Plain WireGuard is simpler, just use that. Need the absolute maximum DPI resistance and OK with a proxy? VLESS+Reality is worth a look, but it's a proxy, not a VPN tunnel. AmneziaWG 2.0 fills the gap between them: WireGuard-grade performance with real obfuscation in a full tunnel.

One-Command Setup

Setting up AmneziaWG 2.0 by hand means building a kernel module, generating 10+ obfuscation parameters with the right constraints, writing server and client configs, configuring firewall rules. Lots of moving parts, lots of places to get something wrong.

I automated all of it in amneziawg-installer. It builds the kernel module via DKMS (not the slower Go userspace implementation), so you get the speed numbers from the table above.

What You Need

A clean Ubuntu 24.04 / 25.10 or Debian 12 / 13 server
Root SSH access
~1 GB RAM (any $2-4/month VPS is enough)

Install

wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/main/install_amneziawg_en.sh
chmod +x install_amneziawg_en.sh
sudo bash ./install_amneziawg_en.sh

The script walks through 8 steps:

System hardening — strips bloat (snapd, modemmanager), tunes kernel params (BBR, network buffers), sets up swap
DKMS build — installs the AmneziaWG kernel module from Amnezia PPA
Firewall — UFW with deny-all default, SSH rate-limiting, VPN port only
Config generation — all AWG 2.0 parameters auto-generated with proper constraints, server + client configs + QR codes
Service start — Fail2Ban, awg-quick@awg0 enabled and running

Two reboots happen along the way (kernel updates + module loading). The script saves its state, so you just re-run it after each reboot and it picks up where it left off.

Non-Interactive Mode

For scripted or automated deployments:

sudo bash ./install_amneziawg_en.sh --port=51820 --disallow-ipv6 --route-amnezia --yes

Managing Clients

After installation, use the management script:

# Add a client (generates .conf + QR code + vpn:// URI)
sudo bash /root/awg/manage_amneziawg.sh add my_phone

# List all clients
sudo bash /root/awg/manage_amneziawg.sh list

# Remove a client
sudo bash /root/awg/manage_amneziawg.sh remove my_phone

# Check server status
sudo bash /root/awg/manage_amneziawg.sh check

# Temporary client — auto-removed after 7 days
sudo bash /root/awg/manage_amneziawg.sh add guest --expires=7d

# Traffic stats per client
sudo bash /root/awg/manage_amneziawg.sh stats

# Backup all configs
sudo bash /root/awg/manage_amneziawg.sh backup

Connect using any client with AWG 2.0 support:

Amnezia VPN — full-featured, all platforms (>= 4.8.12.7)
AmneziaWG — lightweight tunnel manager, Windows (>= 2.0.0)
VeilBox — open-source, Windows/macOS

Checking That It Works

On the server:

sudo awg show awg0

Look for latest handshake under your peer. If it's there, the AWG 2.0 handshake went through.

From the client side:

curl ifconfig.me

If you see your server's IP instead of your home IP — you're connected through the VPN.

Final Thoughts

I've been running this on my own servers for several months now. From Russia, through ISPs with active TSPU filtering, AWG 2.0 connections hold where stock WireGuard has been dead since mid-2025. The crypto hasn't changed, so every WireGuard audit still applies. The overhead? Under 12% on paper, closer to 3% in my testing. And since the installer uses the kernel module, you skip the userspace performance hit entirely.

If you're in a country where WireGuard stopped working, give it a shot. And if you run into issues or have suggestions, I'd genuinely like to hear about it.

Links:

amneziawg-installer on GitHub — star it if it's useful to you
AmneziaWG 2.0 Documentation
Amnezia VPN Client
Junker — AmneziaWG Signature Generator (for manual setup)

Router firmware with AWG support:

AWG Manager — Keenetic routers
AmneziaWG for Merlin — ASUS routers with GeoIP/GeoSite routing

Questions, bugs, feature requests? Open an issue on GitHub or leave a comment here.