
How Amnezia works

What is AmneziaVPN?

AmneziaVPN is a free, open-source, multi-protocol VPN client that can also set up your own VPN server on a VPS you control, in other words a self-hosted VPN.

How does Amnezia create a VPS-based VPN?

After the user enters the IP address, login and password of the VPS, the application connects to the server over SSH, installs Docker, and starts the Amnezia server containers. A separate container is started for each protocol, and the keys and root certificate for it are generated. This step needs administrative SSH access to the VPS, since it installs Docker; the server is assumed to be dedicated to Amnezia. Once the server is configured, the client can connect to it over VPN.

How does Amnezia connect to the created VPN?

On the first connection, the application generates a new OpenVPN key pair locally and creates a Certificate Signing Request (CSR). The CSR contains only the public key (the private key never leaves the client) and is passed to the server, which signs it and issues the corresponding X.509 certificate used to authenticate and secure the connection.

How does traffic masking work?

Traffic masking is built into Shadowsocks, OpenVPN over Cloak, and XRay Reality. AmneziaWG also resists detection, but on a different principle: it alters the WireGuard packets themselves instead of wrapping them in another protocol.

Shadowsocks

Shadowsocks presents a SOCKS5 proxy to local applications and carries the proxied traffic to the server in a stream protected by AEAD encryption, conceptually similar to an SSH tunnel. Shadowsocks connections are hard to identify because the encrypted stream carries no plaintext protocol header that a filter can match. Some traffic-analysis systems nevertheless recognize Shadowsocks (a stream that looks entirely random is itself a statistical fingerprint), so in regions with a high level of censorship we recommend AmneziaWG instead.

OpenVPN over Cloak

In the OpenVPN over Cloak combination, the Cloak plugin is responsible for traffic masking. It wraps the VPN traffic in a TLS session that looks like an ordinary browser connection to a website, and it protects the server against active probing: Cloak authenticates an incoming connection on the very first data packet, and a connection that fails to authenticate is forwarded to an ordinary web server configured as the redirect target, so a prober sees only a real website. This makes the setup highly resistant to detection and blocking.

XRay Reality

XRay Reality works on the same principles as Cloak: it masks the VPN as web traffic and protects against active probing. The decision is made during the TLS handshake, where the server distinguishes a genuine client from a censor by data hidden in the ClientHello. If the client is recognized as "friendly", the server acts as a proxy; if the peer is "unfriendly", the TLS connection is passed through to a completely genuine TLS host that is not subject to blocking. A censor that actively probes the server therefore receives that website's genuine TLS certificate and real data from it, with nothing that points to a VPN.
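The friend-or-censor decision on the first packet that both Cloak and Reality make, as an added example written for this page rather than code from either project. It is a simplified analogue of their schemes, not their wire format: the client stamps a timestamp into the 32-byte client random of a minimal TLS ClientHello and puts an HMAC over that random into the 32-byte session_id field, and the server either proxies the connection or redirects it. The pre-shared key, the packet contents and the 60-second window are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo value: a pre-shared key the server handed to its client out of band.
DEMO_PSK = b"constructed-demo-pre-shared-key"


def build_client_hello(psk, now, authenticated=True):
    """Build a minimal TLS ClientHello record.

    A friendly client stamps the current time into the first 4 bytes of the
    32-byte client random and puts an HMAC over that random into the 32-byte
    session_id field. Without the key both fields look like the random bytes
    any browser sends, so the packet itself reveals nothing.
    """
    client_random = struct.pack(">I", int(now)) + os.urandom(28)
    if authenticated:
        session_id = hmac.new(psk, client_random, hashlib.sha256).digest()
    else:
        session_id = os.urandom(32)          # what an ordinary browser or a prober sends
    body = b"\x03\x03" + client_random + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256 only
    body += b"\x01\x00"                      # compression_methods: null
    body += b"\x00\x00"                      # extensions: none (enough for the demo)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello(pkt):
    """Return (client_random, session_id), or None if pkt is not a well-formed ClientHello."""
    if len(pkt) < 5 or pkt[0] != 0x16 or pkt[1] != 0x03:
        return None
    if int.from_bytes(pkt[3:5], "big") != len(pkt) - 5:
        return None                          # demo assumption: whole record in the first packet
    hs = pkt[5:]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        return None
    client_random = body[2:34]
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    if len(session_id) != sid_len:
        return None
    return client_random, session_id


def classify(pkt, psk, now, window=60):
    """Server-side decision on the first packet: 'proxy' a friend, 'redirect' everyone else.

    Every failure path returns the same answer, so a prober cannot tell whether
    it was rejected for bad framing, a wrong key or a stale timestamp.
    """
    parsed = parse_client_hello(pkt)
    if parsed is None:
        return "redirect"
    client_random, session_id = parsed
    stamped = struct.unpack(">I", client_random[:4])[0]
    if abs(int(now) - stamped) > window:
        return "redirect"                    # replayed or stale ClientHello
    expected = hmac.new(psk, client_random, hashlib.sha256).digest()
    if len(session_id) == len(expected) and hmac.compare_digest(session_id, expected):
        return "proxy"
    return "redirect"


if __name__ == "__main__":
    now = 1_700_000_000
    print(classify(build_client_hello(DEMO_PSK, now), DEMO_PSK, now))           # proxy
    print(classify(build_client_hello(DEMO_PSK, now, False), DEMO_PSK, now))    # redirect
    print(classify(build_client_hello(DEMO_PSK, now - 3600), DEMO_PSK, now))    # redirect
    print(classify(b"GET / HTTP/1.1\r\n\r\n", DEMO_PSK, now))                    # redirect
```

The timestamp keeps a censor from replaying a captured friendly ClientHello outside the window; within the window a real deployment would also remember recently seen randoms. The redirect branch is where Cloak hands the socket to its configured web server and Reality passes the handshake through to the genuine host, which the demo only represents by the returned label.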

AmneziaWG

AmneziaWG is designed to stay backward compatible with WireGuard. It allows certain static parameters of WireGuard, the ones DPI systems typically fingerprint, to be changed. If these parameters are left at their WireGuard-compatible defaults (no junk packets, no padding, the standard message-type headers), the protocol behaves exactly like regular WireGuard.

AmneziaWG changes the message-type header of every packet type: the handshake initiation (initiator to responder), the handshake response (responder to initiator), the cookie reply sent when the server is under load, and the data (transport) packets; these are the settings H1 to H4. Amnezia picks random values for them when a configuration is created, and they can be changed in the settings. Because each user has different headers, no universal rule based on headers alone can detect and block the protocol.

Another weak point of WireGuard is the fixed size of its handshake packets. AmneziaWG prepends random "garbage" bytes to each handshake packet to change its size; the amount is set by S1 for the initiation and S2 for the response. A WireGuard handshake initiation is always 148 bytes, so after padding it is 148 + S1 bytes; the response is 92 bytes and becomes 92 + S2 bytes.

The AmneziaWG implementation has one more trick for more reliable masking. Before a session starts, the client sends a number of "junk" packets with random contents to confuse DPI systems. The number of such packets and their minimum and maximum sizes in bytes are set by the parameters Jc, Jmin and Jmax.
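The parameter set described in the three paragraphs above, as an added example written for this page rather than code from the AmneziaWG project. It reads the Jc/Jmin/Jmax/S1/S2/H1..H4 keys from a constructed wg-quick-style client config (the key material is a placeholder), checks the consistency rules AmneziaWG documents for them (Jmin < Jmax, S1 + 56 != S2 so that padded initiations and responses never have the same length, H1..H4 distinct), and then builds the packets an initiator sends to open a session. The packet layout (garbage before the header, the 4-byte header written as a little-endian integer, random bytes standing in for the real handshake fields) and the naive DPI rule are assumptions made for the demo.

```python
import os
import random
import struct

# WireGuard's own constants: message-type values and the fixed handshake sizes.
WG_HEADERS = {"H1": 1, "H2": 2, "H3": 3, "H4": 4}   # init, response, cookie reply, transport
WG_INIT_LEN, WG_RESP_LEN = 148, 92
AWG_KEYS = ("Jc", "Jmin", "Jmax", "S1", "S2", "H1", "H2", "H3", "H4")

# Parameters that make AmneziaWG behave exactly like stock WireGuard.
VANILLA = {"Jc": 0, "Jmin": 0, "Jmax": 0, "S1": 0, "S2": 0, **WG_HEADERS}

# Constructed client config in the wg-quick style AmneziaWG uses; keys are placeholders.
DEMO_CONF = """\
[Interface]
PrivateKey = <client private key>
Address = 10.8.1.2/32
Jc = 4
Jmin = 40
Jmax = 70
S1 = 30
S2 = 40
H1 = 1234567
H2 = 7654321
H3 = 42424242
H4 = 24242424

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_awg_params(conf):
    """Pull the AmneziaWG obfuscation keys out of the [Interface] section."""
    params, section = dict(VANILLA), None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "Interface":
            key, value = (s.strip() for s in line.split("=", 1))
            if key in AWG_KEYS:
                params[key] = int(value)
    return params


def validate_params(p):
    """Consistency rules for a parameter set; returns a list of problems (empty means OK)."""
    problems = []
    if p["Jc"] and not 0 < p["Jmin"] < p["Jmax"]:
        problems.append("Jmin must be positive and smaller than Jmax when Jc > 0")
    # 148 + S1 == 92 + S2 would give padded initiations and responses the same length.
    if p["S1"] + (WG_INIT_LEN - WG_RESP_LEN) == p["S2"]:
        problems.append("S1 + 56 must not equal S2")
    if len({p["H1"], p["H2"], p["H3"], p["H4"]}) != 4:
        problems.append("H1..H4 must be distinct")
    return problems


def init_packet(p):
    """On-wire shape of a handshake initiation: S1 garbage bytes, then the 4-byte header
    (H1, little-endian, in place of WireGuard's type byte plus three zero bytes), then the
    144-byte body (random stand-in bytes here instead of the real Noise fields)."""
    return os.urandom(p["S1"]) + struct.pack("<I", p["H1"]) + os.urandom(WG_INIT_LEN - 4)


def session_start(p, rng=random):
    """UDP payloads the initiator emits to open a session: Jc junk packets, then the initiation."""
    junk = [os.urandom(rng.randint(p["Jmin"], p["Jmax"])) for _ in range(p["Jc"])]
    return junk + [init_packet(p)]


def looks_like_wireguard_init(pkt):
    """The kind of static DPI rule the page describes: fixed size plus a known header."""
    return len(pkt) == WG_INIT_LEN and pkt[0] == WG_HEADERS["H1"] and pkt[1:4] == b"\x00\x00\x00"


def recover_init(pkt, p):
    """Receiver side: check the length and H1, strip the garbage; returns the 148-byte packet or None."""
    s1 = p["S1"]
    if len(pkt) != WG_INIT_LEN + s1 or struct.unpack("<I", pkt[s1:s1 + 4])[0] != p["H1"]:
        return None
    return pkt[s1:]


if __name__ == "__main__":
    p = parse_awg_params(DEMO_CONF)
    print("problems:", validate_params(p))
    for pkt in session_start(p):
        print(len(pkt), looks_like_wireguard_init(pkt), recover_init(pkt, p) is not None)
    print(looks_like_wireguard_init(session_start(VANILLA)[0]))   # True: stock WireGuard matches
```

With the demo values the initiator sends four junk packets of 40 to 70 bytes followed by a 178-byte initiation whose first bytes are garbage, so the static rule never fires, while the same rule matches the single 148-byte packet produced with the vanilla parameters. The receiver only needs S1 and H1 to undo the change, which is why both peers must share the same parameter set.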

In regions with a high level of internet censorship, we recommend using AmneziaWG from the first connection.

If something does not work, ask for help in the support chat.