
AmneziaWG Configuration Guide for Ubuntu 24.04

A comprehensive walkthrough of awg0.conf parameters and security setups


Key Takeaways

  • PresharedKey Usage: Mixes an optional per-client symmetric key into the handshake alongside the public-key exchange, mainly as a hedge against future quantum attacks on recorded traffic.
  • AllowedIPs Configuration: One field that is both the routing rule and the access-control list for a peer; a /32 per client on the server, 0.0.0.0/0, ::/0 on a full-tunnel client.
  • Complete Parameter Overview: What each parameter in awg0.conf does, including the AmneziaWG obfuscation values that must be identical on the server and every client.

Overview of AmneziaWG and Its Purpose

AmneziaWG is a fork of WireGuard that keeps WireGuard's cryptography and configuration model but changes how packets look on the wire, so that Deep Packet Inspection (DPI) signatures written for WireGuard no longer match. Since you are installing it on Ubuntu 24.04 and have already set up the kernel module, the next step is the main configuration file (usually named awg0.conf). It contains the interface configuration of your server and one entry for each connected peer (client).

The configuration file is divided into multiple sections. The most common sections are:

  1. [Interface]: Contains the server-specific settings including private keys, IP assignments, DNS information, and additional parameters that control obfuscation and traffic properties.
  2. [Peer]: Defines client-specific settings such as public keys, allowed IP addresses, optional pre-shared keys, and endpoints for connection setup.

Detailed Explanation of awg0.conf Options

Interface Section Options

PrivateKey

This option holds the server's private key, the basis of the server's identity in every handshake. Generate it with awg genkey (from amneziawg-tools; wg genkey produces the same Curve25519 key format) and never share it. The file that contains it should be owned by root with mode 600. If the key is compromised, whoever holds it can impersonate your server to every client: generate a new pair and update the PublicKey in every client's configuration.

Address

This is the address assigned to the VPN interface on the server, normally from a private (RFC 1918) range. The prefix length defines the VPN subnet: 10.10.8.1/24 makes the server 10.10.8.1 and leaves 10.10.8.2 through 10.10.8.254 to hand out to clients, one address each. The kernel uses this address and subnet for the route into the interface.

ListenPort

The listen port is the UDP port on which your server listens for incoming VPN connections. Common defaults include port 51820; however, you can change this value if needed. Ensure that the selected port is open in the server's firewall and also in any cloud security groups involved.

DNS

DNS is optional, and on a server it is usually omitted. The setting configures the resolver of the host that brings the interface up (awg-quick applies it through resolvconf while awg0 is up); WireGuard has no mechanism to push DNS servers to peers. To make clients resolve names through 1.1.1.1 and 1.0.0.1, or through a resolver inside the VPN, put DNS in each client's own [Interface] section.

Obfuscation Parameters (Jc, Jmin, Jmax, S1, S2, H1, H2, H3, H4)

AmneziaWG adds a set of parameters that change how the WireGuard handshake looks on the wire, so that DPI signatures written for stock WireGuard (fixed message-type bytes, fixed 148-byte initiation and 92-byte response) no longer match:

  • Jc: Number of random junk packets the initiating side (normally the client) sends before the handshake initiation. Allowed range is 1 to 128; a handful, say 3 to 10, is enough.
  • Jmin and Jmax: Minimum and maximum size in bytes of those junk packets. Jmin must be smaller than Jmax, and Jmax may not exceed 1280.
  • S1 and S2: Size in bytes of the random prefix prepended to the handshake initiation (S1) and to the handshake response (S2). Keep S1 + 56 different from S2, otherwise both padded handshake packets end up the same length.
  • H1 through H4: Replacement 32-bit message-type values for the handshake initiation, handshake response, cookie reply and transport data packets. They must be four distinct values and must not be WireGuard's own 1 to 4.

These are protocol parameters, not tuning knobs: the server and every client must use identical values or no handshake will complete, and a mismatch fails silently just like a wrong key. Start from the ranges recommended in the AmneziaWG README and change them only when a specific DPI deployment still blocks you, rolling the change out to the server and all clients together.
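As an added example (not code from AmneziaWG or amneziawg-tools), the checker below applies the constraints listed above to a parameter set before you deploy it. The bounds encode the constraints stated in the AmneziaWG README for the original parameter set as described here; verify them against the README of the version you installed, since later releases added parameters. The sample values are the ones used in the awg0.conf example later on this page.

```python
"""Sanity-check AmneziaWG obfuscation parameters before writing awg0.conf.

Added example, not part of AmneziaWG. Constraints assumed from the project
README for the original parameter set (verify against your installed version):
  Jc in 1..128, 0 <= Jmin < Jmax <= 1280, S1 and S2 in 0..1279,
  S1 + 56 != S2, H1..H4 distinct 32-bit values outside WireGuard's 1..4.
"""
from typing import Dict, List

JC_RANGE = (1, 128)
MAX_JUNK = 1280                 # junk and prefix sizes are capped at 1280 bytes
H_MIN, H_MAX = 5, 2**32 - 1     # 0..4 reserved: 1..4 are WireGuard's stock message types

# On-the-wire sizes of the two WireGuard handshake messages. AmneziaWG requires
# S1 + 56 != S2 so the padded initiation (S1 + 148) and the padded
# response (S2 + 92) can never be the same length.
INIT_LEN, RESP_LEN = 148, 92
H_KEYS = ("H1", "H2", "H3", "H4")


def check_awg_params(p: Dict[str, int]) -> List[str]:
    """Return a list of constraint violations; an empty list means the set is usable."""
    problems: List[str] = []
    need = ["Jc", "Jmin", "Jmax", "S1", "S2", *H_KEYS]
    missing = [k for k in need if k not in p]
    if missing:
        return [f"missing parameters: {', '.join(missing)}"]

    if not JC_RANGE[0] <= p["Jc"] <= JC_RANGE[1]:
        problems.append(f"Jc={p['Jc']} outside {JC_RANGE[0]}..{JC_RANGE[1]}")
    if not 0 <= p["Jmin"] < p["Jmax"] <= MAX_JUNK:
        problems.append(f"need 0 <= Jmin < Jmax <= {MAX_JUNK}, "
                        f"got Jmin={p['Jmin']} Jmax={p['Jmax']}")
    for k in ("S1", "S2"):
        if not 0 <= p[k] < MAX_JUNK:
            problems.append(f"{k}={p[k]} outside 0..{MAX_JUNK - 1}")
    if p["S1"] + INIT_LEN == p["S2"] + RESP_LEN:        # same test as S1 + 56 == S2
        problems.append(f"S1 + 56 == S2 ({p['S1']} + 56 == {p['S2']}): "
                        "both handshake packets would have the same size")

    headers = [p[k] for k in H_KEYS]
    for k, v in zip(H_KEYS, headers):
        if not H_MIN <= v <= H_MAX:
            problems.append(f"{k}={v} outside {H_MIN}..{H_MAX} "
                            "(1..4 are WireGuard's stock message types)")
    if len(set(headers)) != len(headers):
        problems.append(f"H1..H4 must be distinct, got {headers}")
    return problems


# Values from the awg0.conf example on this page.
EXAMPLE = dict(Jc=30, Jmin=60, Jmax=120, S1=55, S2=155,
               H1=1953034736, H2=752945292, H3=3945748733, H4=1666444888)

if __name__ == "__main__":
    # Constructed bad set: Jmin > Jmax, S2 makes the handshakes equal-sized, H2 duplicates H1.
    broken = {**EXAMPLE, "Jmin": 200, "S2": 111, "H2": 1953034736}
    for name, params in (("example", EXAMPLE), ("broken", broken)):
        print(name, check_awg_params(params) or "OK")
```

Run it against the values from your own awg0.conf before distributing them to clients; because every client must carry the same set, a bad value costs a full redeployment rather than a single edit.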


Peer Section Options

PublicKey

This represents the public key provided by the client. Each client must generate a key pair consisting of a private and public key. The client’s public key is inserted in the server's configuration file under the [Peer] section, ensuring that the encrypted connection relies on mutual authentication between server and client.

PresharedKey

The PresharedKey is optional but recommended. It is a 256-bit symmetric key shared by the server and one client that is mixed into the handshake alongside the Curve25519 public-key exchange. Its purpose is post-quantum resistance: the ordinary handshake could be broken retroactively by a future quantum computer that recovers the Curve25519 secrets from recorded traffic, but with a preshared key in the mix the derived session keys stay protected as long as the PSK itself stayed secret. It does not replace the public keys, and it is not what prevents man-in-the-middle attacks; mutual authentication by the static key pairs already does that. Generate one per client with awg genpsk (or wg genpsk), and put the same value in that client's configuration and in its [Peer] entry on the server; a PSK that differs between the two sides simply prevents the handshake.

AllowedIPs

The AllowedIPs directive is a dual-purpose field, a routing table and an access control list at once, and it describes the peer on the other side of the entry, so it means different things in the server's and the client's [Peer] sections:

  • For outgoing traffic: A packet leaving the interface is encrypted for the peer whose AllowedIPs prefix is the most specific match for its destination; with no match it is dropped. On the server, AllowedIPs = 10.10.8.2/32 means "packets for 10.10.8.2 go to this client".
  • For incoming traffic: A decrypted packet is delivered only if its source address lies inside the sending peer's AllowedIPs; anything else is silently dropped. A client therefore cannot spoof another client's address or an internal range.

On the server, give each client its own /32 (plus any LAN behind it, if the client is a gateway). The entry AllowedIPs = 0.0.0.0/0, ::/0 belongs only in the client's configuration, where it means "send all IPv4 and IPv6 traffic into the tunnel". In a server [Peer] entry it would make that one client the default route for everything the server sends into awg0.

Endpoint

Endpoint is the server's reachable address, so it belongs in the client's [Peer] entry: the server's public hostname or IP and its ListenPort, e.g. gin.69.mu:51820, or gin.69.mu:42666 if you chose a custom port. In the server's [Peer] entries it is normally omitted, because the server learns each client's source address and port from the handshake and updates it when the client roams. Whatever port you use must equal ListenPort on the server and the port opened in the firewall and security group.

PersistentKeepalive

PersistentKeepalive is for a peer behind Network Address Translation (NAT) or a stateful firewall, so it is normally set in the client's configuration. With a value of 25 (seconds; the conventional choice because it stays below the shortest common UDP NAT timeouts), the client sends an empty keepalive packet on that interval so the NAT mapping stays open. WireGuard keeps no connection state, so without this option an idle client is simply unreachable from the server until the client sends something again. That is fine for clients that only ever initiate traffic, and a problem for site-to-site links or anything the server must reach on its own.


Example Configuration File (awg0.conf)

Here is an example configuration file for your server which includes both the Interface and Peer sections. Make sure to replace placeholder values with your actual keys and any custom parameters you require:

[Interface]
# The server's address on the VPN subnet; the /24 defines the subnet handed out to clients.
Address = 10.10.8.1/24
# Generated with 'awg genkey' (or 'wg genkey'); keep this file root-owned with mode 600.
PrivateKey = your_server_private_key
# UDP port the server listens on; open it in the host firewall and any cloud security group.
ListenPort = 51820
# DNS here would change the resolver of THIS host while awg0 is up. It is not pushed
# to clients; set DNS in each client's own [Interface] instead.
# DNS = 1.1.1.1, 1.0.0.1
# Traffic obfuscation parameters. Every client must use exactly the same values.
Jc = 30
Jmin = 60
Jmax = 120
S1 = 55
S2 = 155
H1 = 1953034736
H2 = 752945292
H3 = 3945748733
H4 = 1666444888

[Peer]
# The client's public key (from 'awg pubkey' on the client side).
PublicKey = client_public_key
# (Optional, recommended) symmetric key from 'awg genpsk'; the same value goes in the client config.
PresharedKey = your_preshared_key
# Server side: only the address this client may use inside the tunnel, one /32 per client.
# Never put 0.0.0.0/0 here; the "route everything" entry belongs in the client's config.
AllowedIPs = 10.10.8.2/32
# Endpoint is normally omitted on the server: it learns the client's address from the handshake.
# In the client's config it is the server's host and port, e.g.:
# Endpoint = gin.69.mu:51820
# PersistentKeepalive belongs on the NATed side, usually the client; enable it here only
# if the server itself must reach an idle client.
# PersistentKeepalive = 25
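Every server [Peer] entry has a mirror-image client configuration, and most mistakes come from writing the two by hand out of sync. The script below, an added example that is not code from AmneziaWG or amneziawg-tools, parses a server awg0.conf and renders the matching client file for one peer: same PresharedKey, identical obfuscation parameters, the client's /32 as its Address, and AllowedIPs flipped to the full-tunnel or split-tunnel form. The server file does not contain the client's private key or the server's public key, so those are passed in; the embedded configuration is a constructed copy of the example above with placeholder keys, and gin.69.mu:51820 is the endpoint assumed for this page.

```python
"""Derive a client awg config from the server's awg0.conf [Peer] entry.

Added example, not code from AmneziaWG or amneziawg-tools. Keys are constructed
placeholders, not real key material.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the server configuration on this page (placeholder keys).
SERVER_CONF = """\
[Interface]
Address = 10.10.8.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
Jc = 30
Jmin = 60
Jmax = 120
S1 = 55
S2 = 155
H1 = 1953034736
H2 = 752945292
H3 = 3945748733
H4 = 1666444888

[Peer]
# laptop
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = 10.10.8.2/32
"""

OBFUSCATION_KEYS = ("Jc", "Jmin", "Jmax", "S1", "S2", "H1", "H2", "H3", "H4")


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Parse the wg/awg INI dialect: one [Interface] plus repeated [Peer] sections.
    configparser cannot be used directly because the [Peer] section name repeats."""
    iface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                cur = iface
            elif section == "peer":
                cur = {}
                peers.append(cur)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if cur is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cur[key] = value
    return iface, peers


def render_client_conf(server_iface: Dict[str, str], peer: Dict[str, str], *,
                       client_private_key: str, server_public_key: str,
                       endpoint: str, dns: str = "1.1.1.1, 1.0.0.1",
                       full_tunnel: bool = True, keepalive: int = 25) -> str:
    """Build the client configuration that matches one server [Peer] entry."""
    # strict=True (the default) rejects entries with host bits set, e.g. 10.10.8.2/24.
    assigned = [ipaddress.ip_network(x.strip()) for x in peer["AllowedIPs"].split(",")]
    if any(n.prefixlen == 0 for n in assigned):
        raise ValueError("server-side AllowedIPs must not be 0.0.0.0/0 or ::/0; "
                         "that entry belongs in the client config")
    address = str(assigned[0])          # the /32 (or /128) the server assigned to this client
    # Split tunnel: only the VPN subnet (derived from the server's Address) enters the tunnel.
    vpn_subnet = ipaddress.ip_network(server_iface["Address"], strict=False)
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else str(vpn_subnet)

    lines = ["[Interface]", f"PrivateKey = {client_private_key}",
             f"Address = {address}", f"DNS = {dns}"]
    # The obfuscation parameters must be identical on both ends; copy them verbatim.
    lines += [f"{k} = {server_iface[k]}" for k in OBFUSCATION_KEYS if k in server_iface]
    lines += ["", "[Peer]", f"PublicKey = {server_public_key}"]
    if "PresharedKey" in peer:
        lines.append(f"PresharedKey = {peer['PresharedKey']}")
    lines += [f"AllowedIPs = {allowed}", f"Endpoint = {endpoint}",
              f"PersistentKeepalive = {keepalive}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    iface, peers = parse_wg_conf(SERVER_CONF)
    print(render_client_conf(iface, peers[0],
                             client_private_key="CLIENT_PRIVATE_KEY_PLACEHOLDER",
                             server_public_key="SERVER_PUBLIC_KEY_PLACEHOLDER",
                             endpoint="gin.69.mu:51820"))
```

The rendered file never contains the server's private key, and the server file never contains the client's: each side holds only its own secret plus the other's public key and the shared PSK, which is the property you want to preserve when distributing configs.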

Comprehensive Options Table

Option | Description | Example
PrivateKey | Server private key for authentication; generated with awg genkey (or wg genkey); file mode 600. | your_server_private_key
Address | Server address on the VPN subnet, from a private range; the prefix length defines the subnet. | 10.10.8.1/24
ListenPort | UDP port the server listens on; must be open in the firewall and security group. | 51820
DNS | Resolver for the host that brings the interface up. Not pushed to peers; set it in each client's [Interface], not on the server. | 1.1.1.1, 1.0.0.1
Jc, Jmin, Jmax, S1, S2, H1-H4 | Obfuscation parameters that reshape the handshake to evade DPI; must be identical on the server and every client. | values in the example file
PublicKey | Client's public key, from awg pubkey on the client side. | client_public_key
PresharedKey | Optional per-client symmetric key from awg genpsk, identical on both ends; post-quantum hedge. | your_preshared_key
AllowedIPs | Server side: the client's tunnel address(es), one /32 per client. Client side: what to send into the tunnel; 0.0.0.0/0, ::/0 for a full tunnel. | 10.10.8.2/32 (server) / 0.0.0.0/0, ::/0 (client)
Endpoint | Client side: the server's reachable host and ListenPort. Normally omitted on the server. | gin.69.mu:51820
PersistentKeepalive | Seconds between keepalive packets that hold a NAT mapping open; set on the NATed side, usually the client. | 25

Additional Considerations and Best Practices

Security Practices

Given that security is paramount in any VPN configuration:

  • Always ensure that private keys and preshared keys are kept confidential. Store them securely and limit access.
  • Regularly update your keys if you suspect any compromise. Consider using automated scripts to rotate keys periodically.
  • Use strong, random values for the preshared key. A simple command to generate a secure value is wg genpsk.

The preshared key earns its place because it is independent of the public-key scheme: if the Curve25519 exchange is ever broken (the realistic threat being a future quantum computer applied to recorded traffic), the session keys that were derived with a PSK in the mix remain protected as long as the PSK itself was never exposed. Generate a distinct PSK for each client so that one leaked client configuration does not weaken the others.

Traffic Routing and AllowedIPs

To recap, AllowedIPs does double duty as a routing filter and an ACL, and it always describes the peer on the other side of the entry. On the server, a client entry with 10.10.8.2/32 ensures that:

  • Outgoing Packets: Anything the server sends to 10.10.8.2 is encrypted for that client, and only that client.
  • Incoming Packets: Only packets whose source address is 10.10.8.2 are accepted from that client after decryption; a client that spoofs another client's address or an internal range is dropped at the interface.

The entry that routes all of a client's internet traffic through the VPN lives in the client's configuration: AllowedIPs = 0.0.0.0/0, ::/0 there means "send every IPv4 and IPv6 packet into the tunnel", which is what you want for privacy on untrusted networks or to bypass local restrictions. The server-side entry for that client stays at its /32. Do not use 0.0.0.0/0 in a server [Peer] entry: it would make that one client the server's default route for everything sent into awg0, and if two peers carry the identical prefix the later one silently takes it over.
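The routing and access-control behaviour described in the AllowedIPs section above and recapped here is easy to state and easy to get wrong in a table with several peers. As an added example (not code from WireGuard or AmneziaWG), the model below reproduces that documented behaviour, longest-prefix match on the way out and a source-address check on the way in, over a constructed server-side peer table, so you can see what a given set of entries does before you apply it. Peer labels stand in for the peers' public keys; the addresses are made up for the example.

```python
"""Model the cryptokey routing table that a server's AllowedIPs entries build.

Added example, not code from WireGuard or AmneziaWG. Peer labels stand in for
public keys; the peer table and addresses are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_ips(value: str) -> List[Net]:
    return [ipaddress.ip_network(x.strip(), strict=False)
            for x in value.split(",") if x.strip()]


class CryptokeyTable:
    def __init__(self, peers: Dict[str, str]) -> None:
        # One owner per prefix. If two peers claim the identical prefix, the one
        # applied later takes it over, as the kernel does when a config is loaded.
        self.routes: Dict[Net, str] = {}
        for name, allowed in peers.items():
            for net in parse_allowed_ips(allowed):
                self.routes[net] = name

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Outbound: the most specific matching prefix wins; no match means the
        packet is dropped rather than sent to some arbitrary peer."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[int, str]] = None
        for net, peer in self.routes.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, peer)
        return best[1] if best else None

    def accepts_from(self, peer: str, src: str) -> bool:
        """Inbound: a decrypted packet is kept only if its source sits inside a
        prefix that currently belongs to the peer it arrived from."""
        addr = ipaddress.ip_address(src)
        return any(net.version == addr.version and addr in net
                   for net, owner in self.routes.items() if owner == peer)


# Constructed server-side table: two laptops and an office gateway that also
# exposes the LAN behind it.
SERVER_PEERS = {
    "laptop-1":  "10.10.8.2/32",
    "laptop-2":  "10.10.8.3/32",
    "office-gw": "10.10.8.4/32, 192.168.50.0/24",
}

if __name__ == "__main__":
    table = CryptokeyTable(SERVER_PEERS)
    for dst in ("10.10.8.3", "192.168.50.20", "8.8.8.8"):
        print(f"to {dst:15} -> {table.peer_for_destination(dst)}")
    # laptop-1 sending a packet with laptop-2's address as source is dropped on arrival.
    print("laptop-1 spoofing 10.10.8.3 accepted:", table.accepts_from("laptop-1", "10.10.8.3"))
    # What a stray 0.0.0.0/0 in a server [Peer] entry does: that peer becomes the default route.
    bad = CryptokeyTable({**SERVER_PEERS, "misconfigured": "0.0.0.0/0"})
    print("8.8.8.8 now goes to:", bad.peer_for_destination("8.8.8.8"))
```

Two things the model makes visible: a 0.0.0.0/0 entry on the server captures every destination that no /32 claims, while the /32 peers keep working, which is why the mistake often goes unnoticed; and two peers with the identical prefix do not share it, the later one takes it and the earlier one can no longer send or receive on that address.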

Network Performance and Obfuscation Parameters

The obfuscation parameters (Jc, Jmin, Jmax, S1, S2, H1-H4) change the shape of the handshake rather than the encryption: junk packets precede it, random-length prefixes pad the two handshake messages, and the message-type field that stock WireGuard leaves at the fixed values 1 to 4 is replaced by values of your own. Those fixed values and sizes are exactly what DPI signatures for WireGuard key on, so a changed set defeats signature-based blocking, though it does not hide that a UDP flow exists. The performance cost is small, because the junk and padding are only sent around handshakes; steady-state throughput is essentially WireGuard's.

For most users, it is best to keep one working set of values unless you clearly identify a detection problem. If you do change them, remember that the server and every client must be updated together and tested afterwards; an incomplete rollout locks out the clients that still carry the old values.


Practical Steps to Finalize Your AmneziaWG Setup

Post-Configuration Steps

After you have prepared the configuration file (awg0.conf), follow these steps to enable and test your AmneziaWG VPN:

  • Service Enablement: Place the file at /etc/amnezia/amneziawg/awg0.conf (the directory awg-quick reads), restrict it to root because it holds the private key, then bring the interface up now and at every boot:
    # Restrict the key-bearing config, then enable and start the interface
    sudo chmod 600 /etc/amnezia/amneziawg/awg0.conf
    sudo systemctl enable --now awg-quick@awg0
    sudo systemctl status awg-quick@awg0.service
    # List the interface, its peers and the time of each peer's latest handshake
    sudo awg show awg0
          
  • Firewall Adjustments: Make sure the UDP port in ListenPort (e.g., 51820) is open in the host firewall and in any cloud security group. If clients send all their traffic through the server (AllowedIPs = 0.0.0.0/0, ::/0 on the client), the server must also have IP forwarding enabled (net.ipv4.ip_forward=1) and a NAT/masquerade rule on its public interface; otherwise clients reach the server itself but nothing beyond it.
  • Client Configuration: Give each client its own file with its own private key, the server's public key, the same PresharedKey (if used), obfuscation parameters identical to the server's, the Endpoint (gin.69.mu and the ListenPort) and the AllowedIPs it should send into the tunnel.
  • Testing Connectivity: Connect a client, then confirm on the server with awg show awg0 that the peer shows a recent latest handshake and non-zero transfer counters. From the client, ping the server's tunnel address (10.10.8.1) and then an address beyond it. If the handshake never appears, check that the UDP port is reachable and that every obfuscation parameter matches exactly; a mismatch in any of Jc, Jmin, Jmax, S1, S2 or H1-H4 fails silently, just like a wrong key.

These steps ensure that your VPN is not only correctly configured but also fully operational.


Last updated March 20, 2025