Plain WireGuard is simple and fast. AmneziaWG adds obfuscation to the handshake. When do you need which?

Plain WireGuard is enough when

You control both endpoints, no DPI is filtering your traffic, and the main concern is performance and simplicity. WireGuard shines for:

  • Site-to-site VPN between your own servers
  • Remote access to a home lab
  • Point-to-point tunnels on a LAN

The handshake is small, fast, and provably secure. It is built on Noise framework primitives and completes in 1 RTT.

AmneziaWG becomes necessary when

A censor or ISP is actively probing and fingerprinting VPN traffic. DPI boxes can identify WireGuard by its distinctive handshake pattern (4-byte type field, fixed offsets) even without decrypting the payload.

AmneziaWG adds configurable junk packets (Jc, Jmin, Jmax) before the real handshake, random header manipulation (H1-H4), and optional initialization patterns (I1-I3). Each of these parameters must match on both ends of the tunnel.
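The fingerprint described above can be written down as a small payload classifier. This is an added example, not code from WireGuard or AmneziaWG. The sample flows are constructed, and the replacement header values and their mapping to message types are assumptions.

```python
import struct

# WireGuard wire format: 1-byte type + 3 reserved zero bytes, read here as one
# little-endian 32-bit field, and a fixed size for each handshake message.
FIXED_SIZES = {1: 148, 2: 92, 3: 64}
NAMES = {1: "handshake-initiation", 2: "handshake-response",
         3: "cookie-reply", 4: "transport-data"}


def classify(payload):
    """Return the WireGuard message name a UDP payload matches, else None."""
    if len(payload) < 4:
        return None
    (msg_type,) = struct.unpack_from("<I", payload, 0)
    if msg_type in FIXED_SIZES:
        ok = len(payload) == FIXED_SIZES[msg_type]
    elif msg_type == 4:
        # 16-byte header + 16-byte tag; the plaintext is padded to 16 bytes.
        ok = len(payload) >= 32 and len(payload) % 16 == 0
    else:
        ok = False
    return NAMES[msg_type] if ok else None


def build_sample(header_value, size):
    """Constructed payload: 32-bit header plus filler in place of ciphertext."""
    return struct.pack("<I", header_value) + b"\x5a" * (size - 4)


def first_match(flow):
    """Index of the first payload in a flow that is classified, else None."""
    return next((i for i, p in enumerate(flow) if classify(p)), None)


# Constructed flows. PLAIN_FLOW: initiation, response, one data packet.
PLAIN_FLOW = [build_sample(1, 148), build_sample(2, 92), build_sample(4, 96)]
# Assumed AmneziaWG-style flow: three junk packets (Jc=3), then the same
# messages carrying made-up replacement header values for H1, H2 and H4.
H1, H2, H4 = 1020304050, 1122334455, 1357924680
JUNK = [b"\xa7" * 77, b"\x3c" * 410, b"\xe1" * 903]
OBFUSCATED_FLOW = JUNK + [build_sample(H1, 148), build_sample(H2, 92),
                          build_sample(H4, 96)]

if __name__ == "__main__":
    for name, flow in (("plain", PLAIN_FLOW), ("obfuscated", OBFUSCATED_FLOW)):
        print(name, [classify(p) for p in flow], "first match:", first_match(flow))
```

The plain flow is classified on its first packet from the type field and length alone, while the constructed obfuscated flow produces no match for this rule.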

Performance

AmneziaWG adds latency on the first packet (junk plus real handshake) but steady-state performance is identical to WireGuard. CPU overhead is negligible.

Client support

Official AmneziaVPN clients support AmneziaWG on all major platforms. On Linux you can use amneziawg-tools (awg, awg-quick). On macOS, amneziawg-go provides userspace support since macOS has no kernel module.

Bottom line

If your path has no hostile middleboxes, plain WireGuard wins on simplicity. If you are dealing with DPI-based blocking, AmneziaWG is the drop-in upgrade that buys you time.