Two-server cascade: Russian traffic direct, the rest abroad

A cascade (double VPN) chains two AmneziaWG servers. The client connects to an entry server; Russian traffic exits directly from it, and everything else goes through a second server abroad. The split is on the server side, so clients need no special setup.

How it works

One client connection, two servers, traffic split by destination.

[Diagram: the client makes one connection to the entry server in Russia, which holds the split. RU networks go out direct, so Russian sites are seen from a Russian IP; everything else goes to the exit server abroad, so foreign sites see a clean exit IP.]
One client connection. The entry server sends Russian traffic out directly and routes the rest through a foreign exit.

Entry server (in Russia)

Clients connect here. This server decides where each flow goes and holds all the cascade logic. Russian sites are reached directly from its IP, so they open fast and accept the connection.

Exit server (abroad)

A normal AmneziaWG server abroad. The entry server connects to it as a client and forwards everything that is not Russian, so foreign sites see a clean foreign IP.

Split by destination

The list of Russian networks is loaded into an ipset. Traffic to those addresses goes direct; the rest is marked and routed through the exit. No per-app rules, no client-side lists.
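One way to express this split with ipset, a firewall mark and a policy-routing table, as an added example (not the guide's routing script). The interface names awg0 and awg1, the set name, the mark and the table number are assumptions, as is an exit tunnel that does not install its own default route; the blackhole route and the list validation are safeguards added here.

```shell
#!/bin/sh
# Added example: prints a command plan; review it, then pipe it to `sh` as root.
# Assumed names: awg0 = client-facing interface, awg1 = tunnel to the exit server,
# set "ru_nets", fwmark 0x1, routing table 100.
CLIENT_IF=${CLIENT_IF:-awg0}; EXIT_IF=${EXIT_IF:-awg1}
SET=${SET:-ru_nets}; MARK=${MARK:-0x1}; TABLE=${TABLE:-100}

# Keep only lines shaped like an IPv4 CIDR, so a damaged list never reaches a root shell.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Build the set under a temporary name and swap it in, so a scheduled refresh is atomic.
ipset_plan() {
    echo "ipset create $SET hash:net -exist"
    echo "ipset create ${SET}_new hash:net -exist"
    echo "ipset flush ${SET}_new"
    valid_cidrs | while read -r net; do
        echo "ipset add ${SET}_new $net -exist"
    done
    echo "ipset swap ${SET}_new $SET"
    echo "ipset destroy ${SET}_new"
}

# Mark client traffic whose destination is NOT in the set, then policy-route the mark.
routing_plan() {
    rule="PREROUTING -i $CLIENT_IF -m set ! --match-set $SET dst -j MARK --set-mark $MARK"
    nat="POSTROUTING -o $EXIT_IF -j MASQUERADE"
    echo "iptables -t mangle -C $rule 2>/dev/null || iptables -t mangle -A $rule"
    echo "iptables -t nat -C $nat 2>/dev/null || iptables -t nat -A $nat"
    echo "ip rule show | grep -q 'fwmark $MARK lookup $TABLE' || ip rule add fwmark $MARK table $TABLE"
    echo "ip route replace default dev $EXIT_IF table $TABLE"
    # Added safeguard: if the exit tunnel drops, marked traffic is discarded, not sent direct.
    echo "ip route replace blackhole default metric 100 table $TABLE"
    # Replies arrive on the exit tunnel unmarked; strict reverse-path filtering would drop them.
    echo "sysctl -q -w net.ipv4.conf.$EXIT_IF.rp_filter=2"
}

# Constructed sample list (documentation ranges, not real Russian networks).
sample_list() {
    printf '%s\n' '198.51.100.0/24' '203.0.113.0/24' '# comment' '10.0.0.0/33' 'x; reboot'
}

# Print the plan only when called with "plan", so sourcing the file has no side effects.
if [ "${1:-}" = plan ]; then
    sample_list | ipset_plan
    routing_plan
fi
```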

When this helps

A normal VPN sends all traffic through one exit. A cascade gives you two at once.

You want fast access to Russian resources from a Russian address and a foreign exit for everything else - from a single connection on the client. Russian sites that refuse foreign IPs keep working, foreign sites get a clean exit, and the whole decision is made on the server, identically for every client. If a plain single-server install is enough, or if per-destination routing is simpler to set on the client, you do not need this. The cascade is for when the split belongs on the server.

Built on a verified setup

The guide is not a sketch - the routing was tested end to end.

The cascade runs on top of two normal amneziawg-installer installs. The guide ships an idempotent routing script and a systemd unit so the split comes back by itself after a reboot. It was checked on a live two-server test bench: the split routing, repeated runs, and reboot persistence all hold. The scheme is based on a community show-and-tell by @glfenix and is documented in full in the repository.

FAQ

What is a two-server VPN cascade?
It is two servers chained together (sometimes called a double VPN). The client connects to an entry server, and that server forwards part of the traffic through a second exit server. Here the split is by destination: Russian networks go out directly from the entry server, everything else goes through the foreign exit.

Why split Russian traffic from the rest?
So Russian sites open from a Russian IP without a detour abroad and without being blocked for foreign addresses, while foreign sites use a clean foreign exit. You get both from a single connection on the client.

Do clients need special configuration?
No. The split lives entirely on the entry server. Clients are added as usual and need no special setup - they just connect to the entry server.

Is the cascade part of the installer?
No. A multi-server cascade is a separate manual setup on top of two normal amneziawg-installer installs. There is a step-by-step guide with a verified routing script and a systemd unit for boot persistence.

Where do the Russian networks come from?
From the aggregated Russian IP zone (ipdeny), loaded into an ipset. Traffic to those networks is routed direct; everything else is marked and sent through the foreign exit. The list is refreshed on a schedule.