AmneziaWG 2.0 (UDP/443) + VLESS·REALITY (TCP/443) from a single command — using protocol‑masking designed to resemble ordinary QUIC/TLS traffic on port 443.
> [!IMPORTANT]
> Straight talk: root.vpn is engineered to resemble normal QUIC/TLS traffic, and it's been end‑to‑end tested on a real server (see below). It has not been tested against live censorship systems — the masking is a design property, not a field‑proven result. See the Russia / TSPU edition and Honest limits. No snake oil here.
```bash
curl -fsSL https://raw.githubusercontent.com/antidetect/root.vpn/main/install.sh | sudo bash
```

That one line downloads root.vpn (via curl+tar, no git), stands up a hardened road‑warrior server on port 443, and prints a QR you scan to connect. No flags, no web panel, no dashboards to leak. On a fresh image the underlying installer reboots once or twice to load a new kernel — just re‑run the same command after each reboot; it resumes safely.
By default you get two ways in on :443: fast AmneziaWG/UDP and a VLESS·REALITY/TCP fallback for networks that block UDP (TCP_ENABLED=1 is the default; set 0 for AWG‑only).
> [!WARNING]
> AmneziaWG is UDP‑only. Where a network blocks all UDP, clients use their second profile (VLESS + REALITY on TCP/443) to get through. Two doors, one command.
- 🥷 Built to blend in, not just encrypt. Plain WireGuard/OpenVPN are easy to fingerprint and are blocked on many restrictive networks. root.vpn disguises the opening packet as a real QUIC client Initial to a legitimate website, and its TCP leg uses REALITY, which relays a real third‑party site's TLS handshake — so an active prober that pokes your server just gets that real site back.
- 🎲 No two installs look alike. Junk packets, per‑message padding, ranged headers and the QUIC‑mimicry opener are randomized per deployment (connection IDs, TLS random, key share, GREASE, extension order all vary). That removes a shared static byte‑signature across servers — it does not claim to defeat ML/connection‑pattern classifiers.
- 🚪 UDP and TCP on :443. Co‑located, no conflict — verified both listening on a live box.
- ⚡ One command, the server does the rest. Installs the kernel module, generates keys, builds configs, opens the firewall, sets up NAT, creates your first client and prints the QR. (Needs root + outbound HTTPS; may reboot/resume on a fresh kernel.)
- 🔒 Hardened by default. Full‑tunnel routing (no leaks in our controlled test), UFW + fail2ban (upstream), and — on the TCP leg — a systemd‑sandboxed Xray with `0600` secrets owned by its service user and access logging off.
- 🧾 Yours, MIT, auditable. A thin, readable overlay on `bivlked/amneziawg-installer` + Xray‑core.
Not just `bash -n`. Every path was run on a fresh Ubuntu 24.04 VPS (Debian 12 is supported by the installer path but wasn't part of this shakedown):

| Test | Result |
|---|---|
| AmneziaWG 2.0 (UDP/443): real client handshake + traffic through the tunnel | egress IP = server ✓ |
| VLESS + REALITY + Vision (TCP/443): real client via SOCKS (with a REALITY‑friendly decoy) | egress IP = server ✓ |
| IPv4 / IPv6 / DNS leak checks — in a single‑host network‑namespace E2E (lab), not on real client networks | no leaks ✓ |
| Firewall: UFW deny routed, FORWARD DROP + awg0 ACCEPT, NAT MASQUERADE | ✓ |
| fail2ban (SSH brute‑force) | active, banning ✓ |
| Client lifecycle: add / remove / list / rotate-reality; curl install path | ✓ |
| Idempotent re‑run across the installer's reboots | ✓ |
The shakedown surfaced and fixed ~10 real deployment bugs (multi‑reboot handling, a missing dependency, REALITY decoy selection, service‑user file ownership, and more) that only a live run can find.
Your client's opening packet is a decoy: a genuine, per‑deploy‑unique QUIC v1 Initial carrying a TLS ClientHello with your SNI (built offline to RFC 9000/9001; its Initial keys match the RFC 9001 Appendix A.1 test vectors, and during development the packet was parsed — and the SNI recovered — by the independent aioquic stack). To the censor the session starts like an ordinary HTTP/3 client on 443; the real AmneziaWG handshake follows and the server ignores the decoy. Caveat: only the first packet mimics QUIC — a stateful classifier that tracks the whole flow can still tell it isn't a full HTTP/3 session. The TCP leg uses REALITY, where probing returns a real third‑party site.
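The RFC 9001 Appendix A.1 derivation the paragraph refers to, as an added example that is not the project's QUIC‑Initial generator: it derives the client and server Initial secrets, AEAD key, IV and header‑protection key from a Destination Connection ID using only the standard library, and reproduces the RFC's test vectors. It also makes the threat‑model point concrete: the Initial keys depend on nothing but the public DCID, so any on‑path observer can decrypt the opener, which is why the decoy is camouflage, not confidentiality.

```python
"""QUIC v1 Initial key derivation per RFC 9001 §5.2 / Appendix A.1 (added example, stdlib only)."""
import hashlib
import hmac

INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")  # RFC 9001 §5.2


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 §7.1): the label is prefixed with "tls13 "."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        length.to_bytes(2, "big")
        + len(full_label).to_bytes(1, "big") + full_label
        + len(context).to_bytes(1, "big") + context
    )
    out, prev, counter = b"", b"", 1
    while len(out) < length:  # generic HKDF-Expand loop; one block suffices for <= 32 bytes
        prev = hmac.new(secret, prev + hkdf_label + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def initial_keys(dcid: bytes, side: str = "client") -> dict:
    """Derive one side's Initial packet-protection material from the Destination CID.

    Only the DCID (sent in the clear) feeds the derivation, so anyone who sees the
    packet can decrypt the Initial: the mimicry opener can hide *what* protocol
    follows, but cannot hide the ClientHello/SNI inside the decoy itself.
    """
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    side_secret = hkdf_expand_label(initial_secret, f"{side} in", b"", 32)
    return {
        "initial_secret": initial_secret.hex(),
        "secret": side_secret.hex(),
        "key": hkdf_expand_label(side_secret, "quic key", b"", 16).hex(),
        "iv": hkdf_expand_label(side_secret, "quic iv", b"", 12).hex(),
        "hp": hkdf_expand_label(side_secret, "quic hp", b"", 16).hex(),
    }


if __name__ == "__main__":
    # DCID from RFC 9001 Appendix A.1 (constructed test input, not a live capture)
    for side in ("client", "server"):
        print(side, initial_keys(bytes.fromhex("8394c8f03e515708"), side))
```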
```mermaid
flowchart LR
    C["📱 Your device"] -->|"opener resembles QUIC / TLS to a real site on :443"| DPI["🛂 DPI · TSPU · GFW"]
    DPI -->|"intended to pass as normal web traffic"| S["🖥️ root.vpn server"]
    C -. "real AmneziaWG 2.0 / VLESS·REALITY tunnel" .-> S
    S --> NET["🌍 open internet"]
```
Compares built‑in design features, not field results. Live‑censor evasion is not independently verified for any option here.
| Feature | Plain WireGuard | OpenVPN (TLS/443) | Stock AmneziaWG | root.vpn |
|---|---|---|---|---|
| Protocol mimicry / obfuscation | ❌ | ✅ | ✅ | ✅ QUIC‑mimicry opener (UDP) + REALITY (TCP) |
| Active‑probe‑resistant TLS leg | ❌ | ❌ | ❌ | ✅ REALITY (TCP leg) |
| UDP and TCP on :443 | ❌ | TCP only | UDP only | ✅ both |
| Per‑deploy randomized signature | ❌ | ❌ | ✅ | ✅ |
| One command + clients + QR | ✅ | | | ✅ |
| Full‑tunnel, leak‑checked (lab E2E) | — | — | — | ✅ |
You need: a fresh Ubuntu 24.04 (or Debian 12) VPS — 1 GB RAM ideal, the script adds swap if low — on a clean‑reputation IP (avoid burned VPS subnets), and root.
Fastest (no git):

```bash
# optionally pass config as env vars (a low-profile REALITY decoy + a QUIC SNI):
curl -fsSL https://raw.githubusercontent.com/antidetect/root.vpn/main/install.sh \
  | sudo REALITY_DEST=dl.google.com AWG_SNI=www.cloudflare.com bash
```

Or download + edit, then run (also no git):

```bash
curl -fsSL https://github.com/antidetect/root.vpn/archive/refs/heads/main.tar.gz | tar -xz
cd root.vpn-main
nano defaults.conf   # set REALITY_DEST / AWG_SNI, etc.
sudo ./awg2
```

Or with git:

```bash
git clone https://github.com/antidetect/root.vpn && cd root.vpn && sudo ./awg2
```

When it finishes you'll see all checks passed, your first client's QR codes, and a vless:// link. Full per‑device walkthrough: docs/USAGE.md (RU).
```bash
sudo awg2 add laptop                      # new client on both legs → QR(s) + vless:// link
sudo awg2 add guest --expires=7d          # self-expiring client
sudo awg2 remove laptop                   # revoke everywhere
sudo awg2 list                            # all clients, both legs
sudo awg2 status                          # interfaces, ports, obfuscation summary
sudo awg2 rotate-sni <domain>             # fresh QUIC SNI + regen clients
sudo awg2 rotate-reality                  # fresh REALITY keypair + re-export links
sudo awg2 rotate-reality-target <host>    # change the REALITY decoy site
sudo awg2 uninstall
```

Each client gets an AmneziaWG profile and (when the TCP leg is on) a VLESS·REALITY profile — try AmneziaWG first; use VLESS when UDP is blocked.
| Platform | AmneziaWG (UDP) | VLESS·REALITY (TCP) |
|---|---|---|
| Windows | AmneziaVPN | v2rayN / Hiddify |
| macOS | AmneziaVPN | Hiddify / v2rayN |
| Android | AmneziaWG / AmneziaVPN | Hiddify / v2rayNG |
| iOS | AmneziaVPN | Streisand (free) / Shadowrocket (paid) / Hiddify |
| Linux | awg-quick / AmneziaVPN | Hiddify / mihomo / xray |

👉 Step‑by‑step import + troubleshooting + leak‑check: docs/USAGE.md · in Russian
| Option | How | Status |
|---|---|---|
| Default | AWG/UDP + VLESS‑REALITY‑Vision TCP/443 | ✅ tested baseline |
| RU‑hardened | TCP leg over XHTTP (`TCP_TRANSPORT="xhttp"`) | mitigation for reported TSPU Vision‑on‑443 blocking; not verified vs live TSPU |
| CDN front / post‑quantum | CDN‑fronted XHTTP+TLS · VLESS encryption (ML‑KEM) | experimental / manual, off by default, not in the tested baseline |
Engineering rationale + threat mapping: docs/DESIGN‑v2‑tcp‑masking.md.
> [!IMPORTANT]
> A configuration profile for TSPU conditions, assembled from 2026 community field reports (net4people/bbs, Habr) — not verified by this project against live TSPU. Everything below raises cost / changes traffic patterns; none of it is a proven bypass. The decisive factor is usually your exit IP/ASN, which no knob here can change.
If a route gets blocked, work down this list — each is one var in `defaults.conf` (or an env var), then re‑run `sudo awg2`:

- Drop Vision → XHTTP. The reported Nov‑2025 TSPU freeze hits the single `xtls-rprx-vision` flow on :443 (server→client stalls after ~16 KB). `TCP_TRANSPORT="xhttp"` → re‑run. (In‑repo substitute for mux, which root.vpn doesn't ship.)
- Move off :443. The freeze is reported port‑443‑specific; high ports fared better. `TCP_PORT="8443"` (the firewall follows). Trade‑off: loses the "looks‑like‑HTTPS" cover and is worse on whitelist‑mode carriers.
- Fresh, good REALITY decoy + rotate. TSPU counts handshakes per‑SNI, so a shared SNI burns faster. `awg2 rotate-reality-target <clean TLS1.3+h2 host>` then `awg2 rotate-reality`.
- Cellular → mobile preset (UDP leg). `AWG_PRESET="mobile"` (fixes Jc=3, narrows Jmax); keep `AWG_MIMICRY="quic"` + a low‑profile `AWG_SNI`; `awg2 rotate-sni <domain>` when an ISP adapts.
- Firefox uTLS fingerprint. Field reports tolerate Firefox/Edge over Chrome: `XRAY_FP="firefox"`. (Does not fix the volume freeze.)
- Clean the ASN — the part no knob fixes (see below). The only in‑repo launder is CDN‑fronting (`CDN_DOMAIN` + your own domain/cert; experimental/manual).
- Keep Xray current on both ends (pinned `XRAY_VERSION` is fine; keep clients matched).
| Symptom | Action |
|---|---|
| UDP / QUIC throttled | keep AWG with a low‑profile SNI; if UDP is unusable, use the TCP leg; drop AWG_PORT to a low UDP port only if high‑UDP is blocked but :443 isn't |
| Vision frozen on :443 (~16 KB, recovers ~60s) | TCP_TRANSPORT="xhttp" and TCP_PORT="8443"; changing XRAY_FP alone won't help |
| Handshake OK, then dies | ASN/IP cut — rotate-reality-target / rotate-reality; if it persists the exit is burned → cleaner box or CDN_DOMAIN |
| Mobile carrier quirks / allowlist mode | AWG_PRESET="mobile", rotate SNI; on allowlist carriers no protocol choice helps — only a whitelisted in‑RU chain or CDN edge, and off‑443 will hurt |
Not turnkey (manual / roadmap): per‑connection mux/XMUX (no knob — XHTTP is the substitute); XHTTP_MODE=packet-up (hand‑edit /etc/rootvpn/xray/params); Shadowsocks‑2022 / AnyTLS (not in repo); a domestic chain (client → whitelisted in‑RU VPS → foreign exit — the strongest RU survivor, but out of scope: run a second instance and chain manually); per‑carrier AWG I1 tweaks (manual awg0.conf edit).
IP / ASN reality (the part no config fixes): TSPU filters by destination CIDR/ASN — a flawless REALITY config on a burned subnet (Hetzner AS24940, OVH, DO) still dies after the handshake. Rough survivability, best→worst: residential / mobile (4G/LTE) > whitelisted in‑country ranges (via a chain) > big hyperscalers (AWS/Azure/GCP) > budget DC (expect handshake‑then‑stall). Pick the exit IP accordingly and treat it as a moving target.
Full‑tunnel routing · UFW (deny routed) + fail2ban (upstream) · net.ipv6.disable_ipv6=1 (no v6 leak) · NAT MASQUERADE + FORWARD DROP. On the TCP/Xray leg: REALITY private key + Xray config at 0600 chowned to the service user · Xray access log off (no client IP/SNI in its logs) · systemd sandbox (NoNewPrivileges, ProtectSystem=strict, only CAP_NET_BIND_SERVICE). Upstreams are version‑pinned (optional UPSTREAM_SHA256 for hash‑pinning, off by default). Obfuscation params are randomized per deploy.
- Not tested against live censors. Evasion of RU TSPU / China GFW / Iran DPI is not verified — anti‑DPI here is design intent + lab/functional validation, not a field result.
- Leak checks were lab‑only. They passed in a single‑host network‑namespace E2E, not across real client devices and access networks. Verify on your device (see USAGE).
- Only the first packet mimics QUIC. A stateful classifier that follows the whole flow can still distinguish it; REALITY's TLS‑in‑TLS is raised in cost, not made invisible.
- IP/ASN reputation beats any protocol. On burned VPS ranges the handshake completes then data dies — use a clean / residential‑reputation exit.
- REALITY decoy choice matters. Use a clean TLS1.3+HTTP/2 site (`dl.google.com`, `www.lovelive-anime.jp`); avoid huge‑cert sites (`microsoft.com`, `amazon.com`) — they break the REALITY handshake (proven in testing). root.vpn validates and warns, but test your decoy before sharing clients.
- No throughput benchmarks are published yet. Debian 12 and the advanced (XHTTP/CDN/PQ) options are not part of the proven Ubuntu 24.04 baseline.
- Client lock‑in & trust. AWG 2.0 needs the Amnezia app; the TCP leg needs an Xray‑family app. It runs pinned upstream code as root — read it; pin `UPSTREAM_SHA256` if you want.
- 📖 Client usage guide (RU) — connect any device
- 🏗️ v2 design — architecture, threat mapping, options
Built on bivlked/amneziawg-installer and amnezia‑vpn (AmneziaWG 2.0) + XTLS/Xray‑core (VLESS·REALITY). The offline QUIC‑Initial generator follows RFC 9000/9001 and is original work. See NOTICE.
MIT © 2026 — see LICENSE. For legitimate privacy & censorship‑circumvention use; you are responsible for the laws that apply to you.