Amnezia. How the service works

The Amnezia module in the BeAdmin panel hides VPN traffic from Deep Packet Inspection (DPI) systems — in networks where plain WireGuard is recognised by its signature and throttled or blocked. It is built on AmneziaWG — a VPN protocol that adds masking on top of WireGuard. WireGuard's cryptography and speed are preserved; only what the packets look like on the wire changes.

The problem Amnezia solves

Plain WireGuard is a quiet, fast, modern protocol — but precisely because of that it has a distinctive signature on the network. The first packet of the handshake is always 148 bytes, has a known type byte at a fixed offset, and the first response is always 92 bytes. A Deep Packet Inspection (DPI) system does not need to break the cryptography to spot a WireGuard tunnel — it is enough to look at the size and the first bytes of the very first UDP packet.

Operators in countries with aggressive DPI use exactly this property: WireGuard is identified within the first packets of the session and the UDP traffic is either dropped or rate‑limited until the connection collapses. The cryptography is intact; it is the metadata that gives the tunnel away.

Amnezia addresses that single problem — it rewrites the network‑visible side so the signature disappears. The cryptographic core stays untouched.

How Amnezia masks the traffic

Amnezia changes three things about how WireGuard looks "from the outside". WireGuard itself is not touched inside — the same keys, the same cryptography, the same handshake. Only what a network observer sees is different.

First — before the real connection begins, AmneziaWG sends a handful of "junk" UDP packets with random sizes and contents. They do not look like any known VPN protocol, and DPI is waiting for "the first packet with the WireGuard signature" — which never arrives.

Then — before the real handshake, a random chunk of data is added in front of the packet. The packet size no longer matches the standard 148 bytes of WireGuard, which is precisely what DPI normally uses to recognise it.

Finally — one service byte in every packet (the one DPI normally uses to tell WireGuard packet types apart) is replaced with a random value. The universal rule "look for this byte at this offset" no longer fires.

All of these parameters are picked by the panel for you on install — there is nothing to configure by hand.

What Amnezia cannot do

It is worth naming what Amnezia does not promise — confusion here is common.

• It does not add extra encryption. WireGuard traffic is already encrypted with modern algorithms. Amnezia does not put a second layer on top — it only changes the unencrypted metadata that DPI inspects.
• It is not Tor or anonymity routing. A tunnel to your own server hides traffic from the local network and the ISP, but the destination server still sees the client's IP. Amnezia does not introduce extra hops or onion routing.
• It is not invisible to a determined adversary. A passive DPI rule looking for "the known WireGuard signature" is defeated. A statistical analyser that profiles UDP flow timing and volume over hours can still flag the traffic as suspicious.
• It is not a guarantee against blocking. If an operator simply blocks the server's IP or the whole UDP port, no amount of masking helps. Amnezia protects specifically against signature‑based DPI.
• It is not a way around the law. If VPN usage is restricted or prohibited in your jurisdiction, bypassing DPI does not change that. Amnezia is a technical answer to a technical obstacle, not a legal one.

Amnezia in BeAdmin

The Amnezia module in BeAdmin installs in one click. The panel picks all the masking parameters for you and generates random values that are unique to your server — there is no need to edit configuration files or work in the command line.

Once installed, the module is ready to go: you have a working VPN immediately, you can add users and issue connections to them. For each user the panel generates a ready configuration file and a QR code — the client scans the QR straight from the official Amnezia app or imports the file, no parameters need to be moved manually from the server to the device.

What the server needs: a regular VPS or a physical machine. On container‑based servers (LXC, OpenVZ without full virtualisation) the module will not start — full access to the network stack is required. Modern Ubuntu and Debian are supported.

When to choose Amnezia

Choose Amnezia when:

• Your users connect from networks with aggressive DPI where plain WireGuard is throttled, dropped, or never finishes the handshake.
• You want a single universal VPN module for both quiet networks and hostile ones. Amnezia does not cost noticeably more in either case.
• Your users can install the official Amnezia app or another client that supports AmneziaWG.

Amnezia is not a good fit when:

• Your users connect with native clients like wg-quick or iOS/Android WireGuard that have no AmneziaWG support.
• You need to interoperate with existing WireGuard peers that you do not control. Amnezia on the wire only talks to Amnezia.

If in doubt — install Amnezia in BeAdmin and try it for free.

If you don't have a server yet, you can get one from our partners — they offer virtual and dedicated servers with the BeAdmin panel pre‑installed.

Proven over 15 years in hosting. Your VPS with BeAdmin is ready to go out of the box.

• Germany
• Netherlands
• Sweden
• Switzerland
• Spain
• USA

Select server

European reliability made simple. Launch BeAdmin with your VPS in just one click.

• Germany
• Netherlands
• Sweden
• Estonia
• Romania
• Switzerland
• Spain
• United Kingdom
• USA

Sign up

What's next

• Amnezia. Quick start — installing the module and the first connection.
• Amnezia. Managing the module — managing the service, port change, and updates.
• Amnezia. Managing users — issuing and revoking connections, temporarily disabling a user without re‑importing.