A Docker container for running AmneziaWG, a modified version of WireGuard that provides enhanced obfuscation capabilities to bypass DPI (Deep Packet Inspection) and censorship.
This project provides a containerized solution for running AmneziaWG VPN server/client. It builds upon the latest AmneziaWG-go implementation and includes pre-compiled AmneziaWG tools for easy deployment.
- 🚀 Latest AmneziaWG-go implementation
- 🛠️ Pre-compiled AmneziaWG tools (v1.0.20250706)
- 🐳 Multi-stage Docker build for optimized image size
- 🔧 Easy configuration management
- 🔄 Graceful shutdown handling
- 📦 Docker Compose ready
- 🏥 Built-in health checks
- 🏗️ Multi-architecture support (amd64, arm64)
- Docker
- Docker Compose (optional)
- Recommended: AmneziaWG kernel module for optimal performance
💡 Performance Tip: For better performance and lower CPU usage, it's highly recommended to install the AmneziaWG kernel module on your host system. See the Kernel Module Installation section below.
The easiest way to get started is using the pre-built image from GitHub Packages:
# Pull and run the latest image
docker run -d \
--name amneziawg \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--device /dev/net/tun \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-v $(pwd)/awg0.conf:/etc/wireguard/awg0.conf \
ghcr.io/ayastrebov/docker-amneziawg:latest awg0- Clone this repository:
git clone https://github.com/AYastrebov/docker-amneziawg.git
cd docker-amneziawg- Create your AmneziaWG configuration file:
# Create your configuration file
cp awg0.conf.example awg0.conf
# Edit the configuration file with your settings
nano awg0.conf- Build and run the container:
docker-compose up -dNote: The docker-compose.yml currently references a locally built image. To use the pre-built GitHub Packages image, update the image field in docker-compose.yml to:
image: ghcr.io/ayastrebov/docker-amneziawg:latest- Use the pre-built image:
docker run -d \
--name amneziawg \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--device /dev/net/tun \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-v $(pwd)/awg0.conf:/etc/wireguard/awg0.conf \
ghcr.io/ayastrebov/docker-amneziawg:latest awg0Or build locally:
- Build the image:
docker build -t amneziawg-go .- Run the container:
docker run -d \
--name amneziawg \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--device /dev/net/tun \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-v $(pwd)/awg0.conf:/etc/wireguard/awg0.conf \
amneziawg-go awg0Create a configuration file named awg0.conf (or any name matching your interface) in the project directory. Here's an example:
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
# AmneziaWG specific parameters
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 86
S2 = 12
H1 = 1755269708
H2 = 2101520157
H3 = 1829552136
H4 = 2016351429
[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 10.0.0.2/32The container accepts the following parameter:
- Interface name: Pass as the first argument (default:
wg0)
Example:
docker run ... amneziawg-go awg0For optimal performance and lower CPU usage, it's highly recommended to install the AmneziaWG kernel module on your host system before running the container.
- Better Performance: Kernel-space implementation is more efficient than userspace
- Lower CPU Usage: Reduces overhead compared to the Go userspace implementation
- Native Integration: Works seamlessly with existing WireGuard tooling
Install the AmneziaWG kernel module from the official repository:
# Clone the kernel module repository
git clone https://github.com/amnezia-vpn/amneziawg-linux-kernel-module.git
cd amneziawg-linux-kernel-module
# Follow the installation instructions in the repository
# This typically involves:
# 1. Installing kernel headers for your distribution
# 2. Compiling and installing the module
# 3. Loading the module
# Example for Ubuntu/Debian:
sudo apt update
sudo apt install linux-headers-$(uname -r) build-essential
make
sudo make install
sudo modprobe amneziawgAfter installation, verify the module is loaded:
# Check if the module is loaded
lsmod | grep amneziawg
# The container will automatically use the kernel module if available
# You can verify this in the container logsNote: If the kernel module is not available, the container will fall back to the userspace Go implementation automatically.
The included docker-compose.yml provides the following configuration:
- Image: Uses locally built image by default (
amneziawg-go)- To use the pre-built GitHub Packages image, change to:
ghcr.io/ayastrebov/docker-amneziawg:latest
- To use the pre-built GitHub Packages image, change to:
- Capabilities:
NET_ADMINandSYS_MODULEfor network management - Sysctls: IP forwarding and routing configurations
- Devices: Access to
/dev/net/tunfor tunnel interface - Volumes: Mounts your configuration file
- Restart policy:
unless-stoppedfor automatic restart
To use the GitHub Packages image with Docker Compose, update your docker-compose.yml:
services:
amneziawg:
image: ghcr.io/ayastrebov/docker-amneziawg:latest
container_name: amneziawg
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv6.conf.all.disable_ipv6=0
devices:
- /dev/net/tun
volumes:
- ./awg0.conf:/etc/wireguard/awg0.conf
command: awg0.
├── .github/
│ ├── workflows/
│ │ └── docker-build.yml # CI/CD pipeline
│ ├── ISSUE_TEMPLATE/ # Issue templates
│ ├── pull_request_template.md # PR template
│ └── RELEASE_TEMPLATE.md # Release template
├── Dockerfile # Multi-stage build for AmneziaWG
├── docker-compose.yml # Docker Compose configuration
├── entrypoint.sh # Container entrypoint script
├── awg0.conf.example # Example configuration file
├── awg0.conf # Your AmneziaWG configuration (create this)
├── CHANGELOG.md # Version history
├── CONTRIBUTING.md # Contribution guidelines
├── LICENSE # MIT License
├── SECURITY.md # Security policy
└── README.md # This file
Note: Pre-built images are available on GitHub Packages. Building from source is only necessary if you need to customize the build or contribute to the project.
The project uses GitHub Actions to automatically build and publish Docker images to GitHub Packages. You can use the pre-built images with:
docker pull ghcr.io/ayastrebov/docker-amneziawg:latestThe Dockerfile uses a multi-stage build:
- Builder stage: Compiles AmneziaWG-go from source
- Runtime stage: Creates minimal Alpine-based image with pre-compiled tools
AWGTOOLS_RELEASE: Version of AmneziaWG tools to download (default: "1.0.20250706")
Example with custom tools version:
docker build --build-arg AWGTOOLS_RELEASE=1.0.20250706 -t amneziawg-go .For a server setup, your configuration might look like:
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# AmneziaWG obfuscation parameters
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 86
S2 = 12
H1 = 1755269708
H2 = 2101520157
H3 = 1829552136
H4 = 2016351429
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32For a client setup:
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
DNS = 8.8.8.8, 8.8.4.4
# AmneziaWG obfuscation parameters (must match server)
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 86
S2 = 12
H1 = 1755269708
H2 = 2101520157
H3 = 1829552136
H4 = 2016351429
[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25# Start the service
docker-compose up -d
# Stop the service
docker-compose down
# View logs
docker-compose logs -f
# Restart the service
docker-compose restartInside the container, you can use standard WireGuard commands with awg prefix:
# Check interface status
docker exec amneziawg awg show
# Show interface configuration
docker exec amneziawg awg show awg0
# Check container health status
docker ps # Look for "healthy" status
docker inspect amneziawg --format='{{.State.Health.Status}}'
# Manual interface management (if needed)
docker exec amneziawg awg-quick up /etc/wireguard/awg0.conf
docker exec amneziawg awg-quick down /etc/wireguard/awg0.conf- Permission denied errors: Ensure the container has the required capabilities and device access
- Configuration not found: Verify the configuration file is mounted correctly
- Network issues: Check that IP forwarding is enabled and firewall rules are correct
- Poor performance: Consider installing the AmneziaWG kernel module for better performance
Enable debug output:
# View container logs
docker-compose logs -f amneziawg
# Check interface status
docker exec amneziawg ip addr show
# Test connectivity
docker exec amneziawg ping <peer-ip>- Keep your private keys secure and never commit them to version control
- Use strong, randomly generated keys
- Regularly update the container image for security patches
- Consider using Docker secrets for sensitive configuration data
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
This project is licensed under the terms specified in the LICENSE file.
- AmneziaVPN for the AmneziaWG implementation
- WireGuard for the original protocol
- Alpine Linux for providing a minimal base image
- Project Repository
- Docker Images (GitHub Packages)
- AmneziaWG Kernel Module - Recommended for better performance
- AmneziaWG GitHub
- AmneziaWG Tools
- Official WireGuard Documentation