How this installer differs from the official Amnezia app
Both set up the same AmneziaWG 2.0 protocol. The official app is a graphical client that deploys the server in Docker. This installer is built for one goal: to get the most out of a single dedicated VPS as a VPN server. Here is what that changes.
Two approaches to the same protocol
Both run AmneziaWG 2.0 underneath. The difference is how the server is delivered and how far it is tuned.
Official Amnezia app
A graphical client for desktop and phone. You point it at a server and it deploys the server side in Docker over SSH, then manages clients from the app. It is a convenient official path when a GUI is all you need; it does not take on host-wide tuning or hardening.
amneziawg-installer
One SSH command that turns a dedicated VPS into a tuned VPN box. AmneziaWG runs as a kernel module, the whole server is optimized and hardened for the one job, and clients are managed from the command line. No Docker, nothing extra running in the background.
What this installer does differently
Everything here follows from one idea: a lean, fully tuned, single-purpose VPN box you control end to end.
No Docker overhead
AmneziaWG runs as a kernel module, not inside a container, so there is no Docker daemon in the background. RAM and CPU stay free for the tunnel - critical on a cheap VPS and welcome on a bigger one.
The server is tuned to the hardware
The script detects RAM, CPU, and the network card, then sets sysctl buffers, swap size, and NIC offloads and enables BBR. It wrings the most out of the plan you pay for, rather than treating host-wide tuning as out of scope.
Smaller attack surface
Unneeded packages and services are stripped, so the box does one thing. On top of that: UFW deny-all, Fail2Ban, strict file permissions, and sysctl hardening. One service to keep an eye on, not a stack.
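The hardening and tuning claims above can be checked on a running box. The script below is an added example, not part of the installer or its test suite: it verifies the UFW default policy, Fail2Ban, config file mode, BBR, and that nothing beyond the expected ports is listening. The config file path and allowed ports are passed in by the operator, and port 51820 in the sample data is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: audit a host against the hardening claims listed above.
# Checks are pure functions over command output, so they can be exercised offline.

# $1 = output of `ufw status verbose`; passes when inbound default is deny/reject.
ufw_default_deny() {
  printf '%s\n' "$1" | grep -Eq '^Default: (deny|reject) \(incoming\)'
}

# $1 = octal mode from `stat -c %a`; passes when group and other have no access.
perm_is_private() {
  case "$1" in [0-7]00) return 0 ;; *) return 1 ;; esac
}

# $1 = output of `ss -H -tuln`, $2 = space-separated allowed ports.
# Prints proto/port for every non-loopback listener outside the allow-list.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      addr = $5; port = addr; sub(/.*:/, "", port)
      if (addr ~ /^(127\.|\[::1\])/) next
      if (!(port in ok)) print $1 "/" port
    }' | sort -u
}

# Constructed sample: SSH, a VPN UDP port (51820 is a placeholder), the local
# resolver stub, and one stray service that should not be exposed.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'

# Live run (as root): audit.sh --live <server-config-file> "<allowed ports>"
if [ "${1:-}" = "--live" ]; then
  rc=0
  ufw_default_deny "$(ufw status verbose)" || { echo "FAIL ufw default"; rc=1; }
  systemctl is-active --quiet fail2ban || { echo "FAIL fail2ban inactive"; rc=1; }
  perm_is_private "$(stat -c %a "$2")" || { echo "FAIL config mode"; rc=1; }
  [ "$(sysctl -n net.ipv4.tcp_congestion_control)" = bbr ] || { echo "FAIL bbr"; rc=1; }
  extra=$(unexpected_listeners "$(ss -H -tuln)" "$3")
  [ -z "$extra" ] || { echo "FAIL unexpected listeners: $extra"; rc=1; }
  exit "$rc"
fi
```

Run it after installation and again after any package change; a non-zero exit means at least one claim no longer holds on that host.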
Fine control over the obfuscation
A mobile-network preset (--preset=mobile), direct access to the AmneziaWG 2.0 parameters, and field data on carriers and DPI. When an operator or network is awkward, you can tune the obfuscation for it rather than hope a default fits.
Headless and scriptable
One SSH command, every option as a flag, no desktop app required. CLI client management, time-limited guest configs, QR and vpn link import, and JSON output for automation.
ARM prebuilts
Prebuilt kernel modules for Raspberry Pi, Oracle Ampere, Hetzner CAX, and AWS Graviton, with a DKMS build as fallback. The same command picks the right one.
Same protocol, same obfuscation
The differences are in delivery and tuning, not in how well it resists DPI.
It is the same AmneziaWG 2.0 underneath, so the obfuscation designed to resist deep packet inspection is identical. The installer is open source under the MIT license, it is readable bash you can review before running, and it carries more than 800 automated tests. It installs the same upstream AmneziaWG - this is automation and server tuning, not a fork of the protocol.