Technical Deep Dive

WireGuard & Amnezia: The Future of Privacy

An in-depth look at the protocols and cryptographic primitives that make VPNWG the most advanced tunneling service available.

  • Peer-reviewed protocols
  • Open-source codebase
  • Formally verified

Protocol Comparison

How WireGuard stacks up against legacy VPN protocols across key performance and security metrics.

| Metric | WireGuard | OpenVPN | IPSec/IKEv2 |
|---|---|---|---|
| Handshake Latency | 1 RTT (~100ms) | 6-8 RTT (~800ms) | 2-4 RTT (~400ms) |
| Throughput | ~1000 Mbps | ~250 Mbps | ~500 Mbps |
| Code Complexity | ~4,000 lines | ~400,000 lines | ~200,000 lines |
| Encryption | ChaCha20-Poly1305 | AES-256-GCM | AES-256-GCM |
| Key Exchange | Curve25519 (ECDH) | RSA / ECDH | Diffie-Hellman / ECDH |
| Hash / MAC | BLAKE2s | SHA-256 / SHA-384 | SHA-256 / SHA-384 |
| DPI Resistance | Detectable* | Partially (via TLS) | Detectable |

* WireGuard on its own is detectable by DPI. Combined with Amnezia obfuscation, traffic becomes indistinguishable from regular HTTPS.

The Amnezia Stealth Advantage

Deep Packet Inspection (DPI) can identify and block standard VPN protocols. Amnezia solves this by making VPN traffic invisible.

Without Amnezia

[Diagram: WG PACKET → DPI → BLOCKED]

Standard WireGuard packets have a recognizable signature that DPI firewalls easily identify and block.

With Amnezia

[Diagram: OBFUSCATED → DPI → PASSED]

Amnezia wraps WireGuard packets in an obfuscation layer, making them indistinguishable from regular HTTPS traffic.

Junk Packet Injection

Amnezia injects random-length junk data (controlled by JC, JMIN, JMAX parameters) into the handshake. This destroys the predictable packet-size fingerprint that DPI systems rely on.

Header Obfuscation

WireGuard's 4-byte message type header is a dead giveaway. Amnezia rewrites these headers so they no longer match the standard WireGuard signature.
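
The header and packet-size fingerprint described above is what a passive classifier keys on. The following is an added example, not code from VPNWG, WireGuard or Amnezia: it classifies constructed UDP payloads against standard WireGuard framing (a one-byte type plus three zero bytes; initiation, response and cookie reply at 148, 92 and 64 bytes). All function and constant names are this example's own.

```python
import os
import struct

# Standard WireGuard framing: 1-byte message type + 3 reserved zero bytes,
# read here as a little-endian u32. Handshake messages have fixed lengths.
FIXED_SIZES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
TRANSPORT_TYPE = 4
TRANSPORT_MIN = 32  # 16-byte header + 16-byte Poly1305 tag (empty keepalive)


def classify_wireguard(payload: bytes):
    """Return the standard WireGuard message name for a UDP payload, or None."""
    if len(payload) < 4:
        return None
    (msg_type,) = struct.unpack_from("<I", payload, 0)
    if msg_type in FIXED_SIZES:
        name, size = FIXED_SIZES[msg_type]
        return name if len(payload) == size else None
    # Transport plaintext is zero-padded to a multiple of 16 before encryption.
    if (msg_type == TRANSPORT_TYPE and len(payload) >= TRANSPORT_MIN
            and len(payload) % 16 == 0):
        return "transport_data"
    return None


def flow_matches_signature(payloads) -> bool:
    """True if a flow's first two payloads are a standard initiation/response."""
    kinds = [classify_wireguard(p) for p in payloads[:2]]
    return kinds == ["handshake_initiation", "handshake_response"]


def sample(msg_type: int, size: int) -> bytes:
    """Constructed payload: standard type word followed by random filler."""
    return struct.pack("<I", msg_type) + os.urandom(size - 4)


# Constructed flows (not captured traffic).
STANDARD_FLOW = [sample(1, 148), sample(2, 92), sample(4, 96)]
ALTERED_FLOW = [os.urandom(57)] + STANDARD_FLOW  # unrelated leading packet

if __name__ == "__main__":
    for name, flow in (("standard", STANDARD_FLOW), ("altered", ALTERED_FLOW)):
        print(name, [classify_wireguard(p) for p in flow],
              flow_matches_signature(flow))
```

In the constructed samples, a flow that opens with a packet of a different length and without the standard type word does not match, which is the limit of signature-only detection.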

Traffic Pattern Masking

By randomizing packet sizes and timing, Amnezia prevents statistical analysis attacks that could otherwise identify VPN traffic patterns over time.

Protocol Specifications

A closer look at the cryptographic primitives and protocol mechanics behind our tunneling stack.

WireGuard Core

High-performance kernel-level tunnel

Cryptographic Primitives

  • Encryption: ChaCha20-Poly1305
  • Key Exchange: Curve25519 ECDH
  • Hashing: BLAKE2s
  • Key Derivation: HKDF

Key Properties

  • Perfect Forward Secrecy — Each session uses unique ephemeral keys, protecting past sessions even if long-term keys are compromised.
  • 1-RTT Handshake — Connection established in a single round trip using the Noise Protocol framework (IK pattern).
  • Kernel-Level Performance — Runs in the Linux kernel for minimal overhead and maximum throughput.
  • Minimal Attack Surface — Under 4,000 lines of code means thorough auditability and fewer potential vulnerabilities.

Amnezia Cloak

Anti-censorship obfuscation layer

Obfuscation Parameters

  • JC: Junk Packet Count
  • JMIN: Min Junk Size
  • JMAX: Max Junk Size
  • S1 / S2: Init Header Rewrite

Key Properties

  • DPI Evasion — Defeats deep packet inspection used by restrictive firewalls (GFW, Roskomnadzor, etc.).
  • Zero Signature — Traffic appears as random bytes, indistinguishable from regular HTTPS web browsing.
  • Adaptive Padding — Randomized packet sizes prevent statistical fingerprinting of VPN traffic patterns.
  • WireGuard Compatible — Wraps standard WireGuard without modifying the core protocol, preserving all security guarantees.

Technical FAQ

Common questions about our protocol stack and infrastructure.

Why WireGuard instead of OpenVPN?

WireGuard is fundamentally superior to OpenVPN in nearly every metric. Its 4,000-line codebase (vs OpenVPN's 400,000+) makes it dramatically easier to audit. It uses modern cryptographic primitives (ChaCha20, Curve25519, BLAKE2s) instead of relying on OpenSSL. Performance is 3-4x better because it runs in the Linux kernel rather than userspace. The 1-RTT handshake means connections are established in milliseconds, not seconds.

How does Amnezia obfuscation work?

Amnezia uses three techniques: (1) Junk packet injection during handshake, controlled by JC/JMIN/JMAX parameters, which randomizes the packet size fingerprint. (2) Header rewriting via S1/S2 parameters that change the WireGuard message type identifiers. (3) Traffic padding that makes the statistical profile of the connection indistinguishable from regular HTTPS traffic. Together, these defeat all known DPI techniques.

Does obfuscation affect performance?

The impact is minimal. Junk packets are only injected during the handshake phase, not during data transfer. Header rewriting has virtually zero overhead. The slight increase in packet sizes from padding is negligible on modern connections. In practice, you can expect less than 5% overhead compared to raw WireGuard, while gaining complete DPI resistance.

What is the difference between Shared and Dedicated plans?

Shared plans place up to 10 users on a single WireGuard server instance, with bandwidth fairly distributed. Dedicated plans provision an exclusive server instance for a single user, guaranteeing full bandwidth and complete isolation. Dedicated users also get multiple configuration profiles for different devices (PC, phone, router, tablet).

What encryption does VPNWG use?

VPNWG uses the WireGuard cryptographic suite: ChaCha20-Poly1305 for symmetric encryption and authentication, Curve25519 for Elliptic-Curve Diffie-Hellman key exchange, BLAKE2s for hashing, and HKDF for key derivation. All primitives are chosen for both security and performance, and all have been formally verified. This stack provides 256-bit security equivalent.

Can my ISP or government detect that I'm using a VPN?

With Amnezia obfuscation enabled, your traffic is designed to be undetectable by current DPI systems. The obfuscation layer removes all known WireGuard protocol signatures, and the traffic padding makes statistical analysis ineffective. While no solution can guarantee 100% undetectability against future analysis methods, Amnezia is actively maintained and updated to counter new detection techniques.
