← Back to Blog

    How AmneziaWG Hides a VPN From the Firewall

    WireGuard is fast, small, and easy to spot. AmneziaWG is the self-hosted fork built to survive the deep packet inspection that Russia and China now run at national scale. Here is how it changes the shape of your traffic, whether it is safe, and when a managed VPN is still the better call.

    Privacy AnalysisPublished · 12 min read· By Christopher, Editor of TheVPNMatrix

    Evidence-based review per our 28-criteria methodology · affiliate disclosure

    1. The fingerprint WireGuard cannot hide

    WireGuard won on merit. It is a few thousand lines of code where OpenVPN is a few hundred thousand, it runs inside the Linux kernel, and it is quick enough that most commercial VPNs quietly rebuilt their fast option on top of it. The same minimalism that makes it fast, though, is what makes it easy to see. Every WireGuard session opens with a handshake of a fixed shape, a known message type sitting in the first bytes of the first packet, at a predictable size. A censor does not need to break the encryption to act on that. It only needs to recognise the outline.

    Two states have built exactly the machine to do it. China's Great Firewall has, since 2021, been able to flag even fully encrypted tunnels, the kind deliberately engineered to resemble nothing, by measuring the statistical fingerprint of their opening packets, a system researchers documented in forensic detail at USENIX in 2023.(Wu et al., 2023) Russia was blunter. Since 2023 its deep packet inspection, run through the operator-level boxes known as TSPU, has throttled and dropped OpenVPN and WireGuard connections on sight,(Risky Business, 2024) and by 2024 the practical advice to Russians was already that the standard protocols could no longer be relied on.(The Moscow Times, 2024) WireGuard was designed to be simple, not secret, and against a state that inspects the pipe, simple means legible. That legibility is the entire problem AmneziaWG exists to solve.

    2. What Amnezia actually is

    It helps to keep two things apart. Amnezia is the app. AmneziaWG is the protocol it can speak. The app came out of the Demhack hackathon in 2020, built by internet-freedom activists connected to the Russian digital-rights group Roskomsvoboda, and it is free and open source under the GPL, both the client and the server.(Wikipedia, 2026) That last point is not a slogan. When the code that keeps the logs is public, the promise not to keep them is something a stranger can check rather than something you take on faith.

    Its actual trick is that it does not run a server for you. You rent a cheap virtual machine from a hosting company, hand Amnezia the login details over SSH, and it installs the VPN on that box in a few minutes, at which point you are no longer a customer of a VPN service. You are the VPN service.(Amnezia, 2026) It can speak a whole menu of protocols on that server, OpenVPN, WireGuard, AmneziaWG, IKEv2, Shadowsocks, and the TLS-imitating XRay with Reality, and the reason for the menu is defensive: when a censor learns to block one, you switch to another the same afternoon. This is not a theoretical use case. Amnezia is in daily service in Russia, Iran, Myanmar and elsewhere for reaching the ordinary blocked internet, and it is exactly the shape of tool that a technology-neutral VPN restriction, the kind Britain has just taken the power to write, cannot reach, because there is no app in a shop to pull and no company on which to serve an order.

    3. How AmneziaWG changes the shape of your traffic

    Here is the part worth getting right, because it is usually explained either as magic or not at all. AmneziaWG is a fork of WireGuard, and it leaves the cryptography completely alone. The key exchange is still Curve25519, the encryption is still ChaCha20-Poly1305, the key rotation is unchanged.(Amnezia, 2025) Your traffic is neither more nor less secure than plain WireGuard. What it changes is only the outside of the envelope, the transport layer, the bytes a deep packet inspection box actually reads, and it does so in four ways.

    The first is junk. Before the real handshake begins, the client fires off a handful of packets that carry nothing at all, a count you set (up to ten) at random sizes between two bounds (anywhere from 64 to 1,024 bytes).(Amnezia, 2025) A WireGuard session normally opens in one unmistakable way; padded with noise, it no longer opens that way, and the timing-and-size signature the censor keys on is smeared. The second is the headers. In plain WireGuard the first four bytes of each packet announce its type, handshake or response or cookie or data, in a fixed number that is trivial to match. AmneziaWG replaces those with random values drawn from ranges you configure, so the field a firewall reads first stops meaning anything.(Amnezia, 2025) The third is padding, random prefixes added to the standard packet lengths so the tell-tale fixed sizes vary from one connection to the next. The fourth, and the newest, is mimicry: crafted signature packets that make the opening of the stream resemble something dull and permitted, a QUIC connection or a DNS lookup, rather than a tunnel.

    The clever consequence is that because you choose these values on your own server, there is no single pattern that identifies all AmneziaWG traffic. Every deployment speaks, in effect, its own dialect. That is also the honest limit. None of this is stronger protection for the data inside, which is already WireGuard's and no better. It is camouflage, and camouflage is a contest rather than a wall. The parameters have to be set with some sense and matched at both ends, a censor that gives up on catching WireGuard specifically can still decide to act on "unrecognised UDP that looks like noise," which is why the 2.0 revision moved from merely randomising the traffic to actively impersonating real protocols. You are buying reachability, not invisibility, and the arms race does not end because you joined it.

    4. Whether it is safe, and who you are trusting

    Amnezia has done the rare and expensive thing, which is to pay outsiders to attack it and then publish what they found. There have been three independent penetration tests by the firm 7ASecurity. The first, in 2022, was commissioned through the Open Technology Fund's red-team lab, ran for about a month, and turned up eleven vulnerabilities alongside five lower-priority hardening notes.(Open Technology Fund, 2022)(7ASecurity, 2023) A second, in mid-2024, spent sixteen days and found four critical issues. A third, over eighteen days across the following winter, went wider still and covered the whole ecosystem, the desktop and mobile clients, the custom protocols, and the server side.(7ASecurity, 2025) The vulnerability counts matter less than the fact that the reports exist in full and in public, because a disclosed and patched bug tells you more about a project's honesty than any amount of "military-grade" on a landing page.

    The catch is that an audit certifies the code, not your deployment, and self-hosting quietly moves the thing you are trusting. With a commercial VPN you are trusting one company not to keep logs. Host your own and that trust splits in two. You are now trusting whoever rents you the server, a hosting business sitting in some country, reachable by that country's lawful orders and able to see the traffic leaving your box. You are also trusting yourself, the person who picked the server's location and wrote its firewall rules. The best-audited client ever shipped will still betray you if you point it at a machine in the wrong jurisdiction or fumble a single setting. Safety here is not a property of the app. It is a property of the whole arrangement, most of which is now your responsibility.

    5. Where it falls short

    None of this is a free lunch, and the piece would be worthless if it pretended otherwise. Self-hosted Amnezia is not turnkey. Renting a virtual machine, choosing protocols, and matching obfuscation settings is an afternoon's work for a confident user and a brick wall for everyone else, which happens to include most of the people a censor's rules actually inconvenience. It also gives you exactly one exit. A managed VPN sells you thousands of locations across dozens of countries; your server is a single address in a single place, which is fine for keeping your internet provider out of your browsing and useless for pretending to sit in twelve countries or for reaching a streaming library that has geolocked itself against you.

    There are two subtler costs. A fresh server address is clean until it is not, and a growing number of sites already refuse connections from known datacentre ranges, so the very machine you rented for privacy can find itself treated as a robot. The camouflage also decays. What slips past a deep packet inspection box in July may be caught by December, at which point the job of keeping up, tuning parameters, switching protocols, is yours and no one else's. Above all, obfuscation does nothing for anonymity beyond your own provider. Your host sees your destinations exactly as any host would. AmneziaWG hides that you are running a VPN. It does not hide you.

    6. When to host your own, and when to buy

    So the choice is not really which is better but which problem you have. Host your own when the adversary is a censor and the job is reachability, when you live in or travel to a country that inspects the pipe, when you want a tunnel that no app-store order can remove, or simply when you would rather read the code that carries your traffic than trust a promise about it. Our self-hosting guide walks through the server side, and our Amnezia review covers the app in detail.

    Buy a managed provider when you want many locations, streaming, support, and a setup that takes one tap rather than one afternoon, which for most people most of the time is the honest recommendation. The ones that hold up in our scoring, on jurisdiction and on independent no-logs audits, are Proton VPN, NordVPN and Surfshark. These are affiliate links, and they help fund the research without changing what gets recommended or how it is scored. The two approaches are not rivals. One hides you from a company's curiosity. The other hides your tunnel from a state's inspection, and there is no single product that does both jobs equally well.

    Which returns us to the point the censors keep proving at their own expense. A government can lean on the app stores and the VPN companies all it likes, and several are now trying. It cannot lean on a protocol that has stopped looking like one. AmneziaWG is WireGuard with the labels filed off, run on a machine you rent and answer for yourself, and that is either the whole point or the whole problem, depending on which side of the firewall you happen to be standing.

    7. References

    References

    1. [1]7ASecurity (2023) 'Amnezia VPN Pentest Report (Mobile & Desktop apps)', 7ASecurity. Available at: https://7asecurity.com/blog/2023/01/amnezia-vpn-pentest-report/ (Accessed: 7 July 2026).
    2. [2]7ASecurity (2025) 'Pentest Report: AmneziaVPN (second review)', 7ASecurity. Available at: https://7asecurity.com/reports/pentest-report-amneziavpn2.pdf (Accessed: 7 July 2026).
    3. [3]Amnezia (2025) 'AmneziaWG Documentation', Amnezia. Available at: https://docs.amnezia.org/documentation/amnezia-wg/ (Accessed: 7 July 2026).
    4. [4]Amnezia (2026) 'Self-hosted VPN', Amnezia. Available at: https://amnezia.org/self-hosted (Accessed: 7 July 2026).
    5. [5]Open Technology Fund (2022) 'Amnezia VPN Apps (Mobile & Desktop) Pentest Report', Open Technology Fund. Available at: https://www.opentech.fund/security-safety-audits/amnezia-vpn-apps-mobile-desktop-pentest-report/ (Accessed: 7 July 2026).
    6. [6]Risky Business (2024) 'Russia blocks OpenVPN and WireGuard VPN protocols', Risky Business Media. Available at: https://risky.biz/russia-blocks-openvpn-wireguard-vpn-protocols/ (Accessed: 7 July 2026).
    7. [7]The Moscow Times (2024) 'What Should Russians Do If VPNs Are Banned?', The Moscow Times. Available at: https://www.themoscowtimes.com/2024/06/14/what-should-russians-do-if-vpns-are-banned-a84090 (Accessed: 7 July 2026).
    8. [8]Wikipedia (2026) 'Amnezia VPN', Wikipedia. Available at: https://en.wikipedia.org/wiki/Amnezia_VPN (Accessed: 7 July 2026).
    9. [9]Wu et al. (2023) 'How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic', USENIX Security Symposium. Available at: https://gfw.report/publications/usenixsecurity23/en/ (Accessed: 7 July 2026).

    NordVPN

    Top-rated VPN with excellent features

    Get Deal

    Cookie Preferences

    We use essential storage and anonymous aggregate site metrics. Optional event analytics only run if you opt in.

    Learn more
    Questions or concerns?

    Contact us via X, Substack, or see our Cookie Policy for full details.