AmneziaWG 2.0 VPN server in one command
Turn a clean Ubuntu or Debian VPS into a self-hosted, DPI-resistant VPN. No Docker, no web panel, no Linux experience required.
$ wget -O install_amneziawg_en.sh https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.16.0/install_amneziawg_en.sh $ chmod +x install_amneziawg_en.sh $ sudo bash ./install_amneziawg_en.sh
Pin the latest version from the releases page. Three commands, two reboots, about twenty minutes to a working VPN.
What it does
AmneziaWG is WireGuard with traffic obfuscation, so the handshake no longer looks like a standard VPN to deep packet inspection. This script sets up the whole server for you.
You give the command a fresh VPS over SSH. It installs the AmneziaWG 2.0 kernel module through DKMS, hardens the firewall, enables forwarding, tunes the system for a single-purpose VPN box, and creates your first client. At the end you get a QR code and a vpn link for one-tap import into the Amnezia client. Adding another device later is a single command.
Features
Everything a small VPN server needs, set up with sane defaults and no manual config files.
DPI bypass
Full AmneziaWG 2.0 obfuscation: junk packets, header masking (H1 to H4), padding (S1 to S4), and I1 to I5 concealment packets.
Hardened by default
UFW firewall with deny-all and SSH rate limiting, Fail2Ban, strict file permissions, and sysctl hardening.
Client management
Add, remove, list, and regenerate clients. QR codes, vpn links for one-tap import, and time-limited guest configs with an expiry date.
IPv6 dual-stack
Optional dual-stack routing, off by default and enabled with a single flag when you need it.
ARM and Raspberry Pi
Prebuilt kernel modules for Raspberry Pi 3, 4 and 5, Hetzner CAX, Oracle Ampere A1, and AWS Graviton.
Survives reboots
A resume-after-reboot state machine, plus DKMS auto-repair that rebuilds the module after kernel upgrades.
Quick start
From a clean VPS to a working VPN in three steps.
Rent a clean Ubuntu or Debian VPS and connect over SSH as root.
Run the command above. The script reboots when it needs to. After a reboot, run it again and it resumes from where it stopped.
Scan the QR code or open the vpn link in the Amnezia client. You are connected.
For automation, the same script takes --yes --route-all and every other parameter as a flag. The full guide covers VPS choice, ARM notes, troubleshooting, and uninstall.
Supported systems
Tested on clean, minimal server installs. Kernel upgrades are handled automatically through DKMS.
Built for cheap budgets: 1 vCPU, 512 MB of RAM minimum, 5 GB of disk. Both amd64 and arm64.
Why a plain bash script
It runs as a kernel module, with nothing extra sitting between you and the tunnel.
A web panel is worth it only if you add and rotate clients constantly. For most people a VPN server is set once and left alone, so the bash approach keeps the footprint tiny and runs comfortably on the cheapest VPS. The kernel-native module is faster than a userspace tunnel, and there is nothing extra to keep patched. If you do want a UI or a different trade-off, the comparison in the README is honest about when another tool fits better.
FAQ
Is it free?
Do I need Linux experience?
Which VPS should I pick?
Does it bypass DPI and censorship?
Does it run on ARM and Raspberry Pi?
How do I update to a new release?
--force flag. Server keys, clients, and obfuscation settings survive the reinstall. After kernel updates the DKMS module rebuilds automatically on the next boot.