I live in a country where ISPs actively block WireGuard through DPI. Regular WireGuard gets fingerprinted and blocked within minutes. AmneziaWG (https://github.com/amnezia-vpn/amneziawg-go) is a WireGuard fork that adds protocol-level obfuscation — randomized packet headers, junk data, QUIC mimicry - making it harder for DPI to detect.

Setting up AmneziaWG manually on a server is painful: build the kernel module via DKMS, generate obfuscation parameters, write configs, set up firewall rules... I kept doing this on fresh VPS installs and finally wrote a script to automate it.

The script does the full server setup - kernel module, obfuscation params, firewall, the works. It runs as a state machine so it survives the two reboots you need for DKMS. After that you manage clients with a separate script that spits out .conf files, QR codes, and vpn:// URIs for the Amnezia app.

Pure Bash, runs on Ubuntu 24.04/25.10 and Debian 12/13. MIT licensed.

This HN thread about Russia blocking WireGuard (https://news.ycombinator.com/item?id=39067213) was one of the things that motivated me.