[Feature request] Replace Wireguard with AmneziaWG

Hi there!

I am a big fan of the Mudi router. But it has weak hardware, not capable enough to run modern censorship bypass software like Xray.
At the same time, lots of users live in very restrictive parts of our world where the Internet is highly censored. And Wireguard is very limited in such cases, because it has clear patterns and is simple to block using DPI.
So I would suggest that the development team build AmneziaWG into the firmware instead of the original Wireguard; as far as I know it is backward compatible with Wireguard, but allows bypassing lots of modern censorship techniques.

Thanks!

22 Likes

And over here:

releases for 22.03, 23.05 etc, especially for ath79 nand.
So can you confirm the underlying OpenWrt base version on your Mudi?

1 Like

A protocol that is more difficult to be detected on DPI is very interesting.
This is interesting @alzhao

2 Likes

We will have a check. Thanks!

5 Likes

The base firmware version of my GL-E750v2 is OpenWrt 22.03.4. And yes, I know that I can install AmneziaWG as additional software via packages, and can even build it from source if I want. It is just not a user-friendly solution.

But AmneziaWG works as a drop-in replacement for the already bundled Wireguard. As I wrote already, it is backward compatible with the original Wireguard implementation [1].
If you use just a Wireguard config it works as expected, but at the same time you can tune additional parameters which help you bypass DPI.

Honestly, I am impressed at how well Mudi works as a Wireguard VPN client, given that it has very limited hardware. And that replacement is probably the best choice I can imagine.

  1. AmneziaWG | Amnezia Docs

AmneziaWG operates with backward compatibility. This means that the AmneziaWG implementation allows for modifications to certain static parameters in WireGuard, which are typically recognized by DPI systems. If these parameters are left at their default values (equal to 0), the protocol functions like standard WireGuard.

In AmneziaWG, headers of all packets have been modified:

- Initiator to Responder.
- Responder to Initiator.
- Data packet.
- Special "Under Load" packet – by default, random values are set, but these can be manually adjusted in the settings.

3 Likes
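To make the "static parameters recognized by DPI" point in the quoted docs concrete, here is an added example (not code from Amnezia, GL.iNet or this thread) of the kind of minimal WireGuard signature a DPI box applies: it keys only on the message-type byte, the three reserved zero bytes and the fixed handshake lengths. The packets are constructed stand-ins with zero filler, not captures, and `make_sample`/`classify_all` are helper names chosen here.

```python
import struct

# Static header constants of stock WireGuard: one message-type byte followed by
# three reserved zero bytes, and fixed lengths for the three handshake messages.
FIXED = {1: ("handshake-initiation", 148),   # initiator -> responder
         2: ("handshake-response", 92),      # responder -> initiator
         3: ("cookie-reply", 64)}            # the "under load" reply
WG_TRANSPORT = 4  # data packet: 16-byte header + AEAD ciphertext, 16-byte aligned

def classify_wireguard(udp_payload: bytes) -> str:
    """Label a UDP payload as a simple WireGuard DPI signature would, or 'unclassified'."""
    if len(udp_payload) < 4:
        return "unclassified"
    msg_type, r1, r2, r3 = struct.unpack("<BBBB", udp_payload[:4])
    if (r1, r2, r3) != (0, 0, 0):
        return "unclassified"  # reserved bytes are always zero in stock WireGuard
    if msg_type in FIXED:
        name, size = FIXED[msg_type]
        return name if len(udp_payload) == size else "unclassified"
    if msg_type == WG_TRANSPORT:
        # type(4) + receiver index(4) + counter(8) = 16-byte header, then ciphertext
        # whose length is a multiple of 16 (a keepalive carries only the 16-byte tag)
        body = len(udp_payload) - 16
        if body >= 16 and body % 16 == 0:
            return "transport-data"
    return "unclassified"

def make_sample(msg_type: int, length: int, reserved: bytes = b"\x00\x00\x00") -> bytes:
    """Constructed stand-in packet: a real header shape followed by zero filler."""
    return bytes([msg_type]) + reserved + b"\x00" * (length - 4)

# Constructed samples: three stock WireGuard shapes, plus two where a static
# header field or the length was changed, the kind of change the docs above describe.
SAMPLES = {
    "stock_init": make_sample(1, 148),
    "stock_resp": make_sample(2, 92),
    "stock_keepalive": make_sample(WG_TRANSPORT, 32),
    "nonzero_reserved": make_sample(1, 148, reserved=b"\x2a\x00\x00"),
    "padded_init": make_sample(1, 148 + 37),
}

def classify_all(samples: dict = SAMPLES) -> dict:
    """Run the signature over every sample; returns {name: label}."""
    return {name: classify_wireguard(pkt) for name, pkt in samples.items()}
```

Calling `classify_all()` labels the three stock shapes and leaves the two modified ones unclassified, which is why a header-only signature stops matching once those static values change.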

Thank you for confirming it works on your Mudi, hopefully GL.iNet can add it to their repository etc.

1 Like

We checked the patch and doubt that it can bypass DPI. Maybe there is closed source code.

In my understanding, AmneziaWG has similar properties to Shadowsocks-2022. With a simple change it becomes a protocol with no clear pattern. If censors want to block it, they need to block all unrecognized UDP traffic altogether. That might be very harmful and prevents them from doing so. A better option would be to imitate a different protocol (like Xray XTLS does), but with the limited performance of MIPS processors it won't be a practical solution.

And AmneziaWG is already used in Iran and Russia to bypass censorship. There are vendors and providers who use it in their products, like RedshieldVPN and KeeneticOS.

Anyway thank you for looking into that.

4 Likes

But does it work?
For example: most of those VPNs announced as "works in China" don't work at all!

3 Likes

It sounds nice, but how many providers are there supporting the Amnezia protocol? I guess the backwards compatibility means just normal Wireguard, right (without the added garbage to circumvent DPI)?

That might be one of the problems I'm skeptical about: one can simply blocklist a small number of IPs or Amnezia VPN services. With Shadowsocks too, sure, but Shadowsocks gained more popularity, I would think.

When I google, ironically I only find one VPN service, from Amnezia itself; if it's not much, that can also be a weakness :slight_smile:

^ Also, what I've learned is that many don't tunnel behind a great firewall, but rather choose something like Shadowsocks and split-tunnel certain IPs or domains. It makes sense, because it is a very detectable heuristic if you keep connecting to the same IP like VPNs are used to do.

It sounds nice, but how many providers are there supporting the Amnezia protocol?

For public providers like ProtonVPN/Mullvad/etc it's possible to just block the IP addresses of the servers. That is what Russia already does. It does not matter which protocol you use to circumvent censorship if there is a block by IP address.
A few "VPN" providers have private lists which are available upon request via support. Therefore, if it's the same plain Wireguard then it is still very vulnerable to DPI analysis and easy to block at the state level.

Amnezia provides a simple way to install the whole censorship bypass toolkit on your own server just by entering SSH connection settings in their app. And you get a fully configured server with OpenVPN, Shadowsocks, Cloak and AmneziaWG. I think it's always a viable option to use it with your own server.

Shadowsocks gained more popularity, I would think

You have to keep in mind that I started this topic specifically about the weak hardware used in the Mudi router. It's not capable enough to run modern tools to bypass censorship which imitate other protocols and services (like Cloak or Xray do).
At the same time, proxy wrappers like Shadowsocks won't replace a VPN; it's just a proxy. For example, you cannot proxy ICMP traffic. So if you want to tunnel all traffic you still need a VPN protocol. Wireguard is integrated into the firmware already, so patched Wireguard with backward compatibility does not change much for users that don't need DPI bypass, without performance degradation and with similar properties to Shadowsocks in terms of censorship bypass.

As I mentioned before, it's possible to block AmneziaWG, but censors need to block all unrecognized UDP traffic altogether.

But does it work?
For example: most of those VPNs announced as "works in China" don't work at all!

Well, I can suggest asking other users of AmneziaWG in the Telegram group: Telegram: Contact @amnezia_vpn_en

Btw, I am not affiliated with Amnezia in any way. I just own a Mudi router and would like to have an option to bypass censorship or hide the usage of a VPN (sometimes it's outright illegal). So I would probably write a simple script to replace the stock wg binaries with AmneziaWG to get the same UI and just configure the additional parameters to circumvent DPI.

Thanks everyone, but I think this is my last message on this forum. The team made a clear statement that there will be no AmneziaWG in the firmware.

3 Likes

How many people will do this? How many people would pay for a server which is much more expensive than a regular VPN?

It is easier to implement the Moats feature in Tor (like Snowflake, obfs4, WebTunnel), which is already supported by Tor for free. (@yuxin.zou and @alzhao, I have read such requests many times; can you please consider adding a GUI for it?)

Also, even if a person wants to pay for a server, how? In countries where the connection is censored, sanctions are almost always present. So checkout in Iran, for example, is extremely difficult, and even if completed, law enforcement can trace it down due to bank records.

Ok, cryptocurrency. How to get it? How many people will ever try to use it? I think only 1% will be willing to pay and only 1% of that 1% will care about cryptocurrency.

If you need something so specific that it is hard to use for regular people, you can flash vanilla OpenWrt and install whatever you want. But for others, it's better to implement public bypass services like Moats in Tor or Psiphon.

6 Likes

Hi! Have you been able to change the built-in WG to AmneziaWG in the stock firmware? That feature would be just awesome to have in the native standard UI.

1 Like

Signed up to keep this issue tracked.
And to confirm a big need for this feature. It would also be a significant advantage of GL.iNet over a lot of other brands. AFAIK only Keenetic has it implemented out of the box.
Thank you for having a look at our prayers )

9 Likes

Would like to request this feature as well. AmneziaWG is the only VPN I can get to work in Russia right now; pure Wireguard suddenly started being blocked by my provider yesterday, but Amnezia works fine on mobile and desktop. I would like to get it installed on my MT3000 as well.

6 Likes

I also have a need to expand the functionality of the device.

4 Likes

I also fully support this feature request. GL.iNet routers, especially the MT6000 Flint 2 and Beryl MT3000, have become popular now in Russia because of their powerful hardware, the simple and clear GL.iNet UI, and out-of-the-box root access to OpenWrt, to fight against government restrictions on internet freedom. However, only advanced users can compile more complex VPN and stealth proxy clients like AmneziaWG or V2Ray/VLESS/Shadowsocks by themselves. In recent weeks internet users in Russia have faced government blocking of the OpenVPN and Wireguard protocols, as they both have handshakes that are easily recognizable by DPI filters. As for AmneziaWG, it seems to be the easiest solution for now to replace the standard WG client binary, but some people in Russia report that it also has problems with DPI and requires deep tuning. So we really need some alternative VPN protocol client in the stock firmware.

7 Likes

Does this mean that we shouldn't expect AmneziaWG to be implemented in the firmware in the foreseeable future? In Russia, the wg and ovpn protocols recently stopped working.

I also highly recommend GL.iNet add AmneziaWG; there will be a huge demand. Especially now that more and more VPN providers are offering AmneziaWG configs. Users don't need to run their own VPS; they will just use their VPN provider that provides OpenVPN, Wireguard, AmneziaWG and sometimes proxies. Thanks for listening to your customers.

2 Likes

Dear developers, please add the ability to use Amnezia to the stock firmware (git: GitHub - amnezia-vpn/amnezia-client: Amnezia VPN Client (Desktop+Mobile)). I am a GL-MT6000 user, and in my country traffic from the wg and OpenVPN protocols is actively blocked, but Amnezia continues to work fine and at high speed, like Wireguard.
I don't want to re-flash the router and mess around with OpenWrt; it's hard, and the stock firmware on the Flint 2 is very comfortable and easy to use.

6 Likes