From baa3ef5f76b29800faef0dfb61a92d9c492c7d0d Mon Sep 17 00:00:00 2001
From: infosave
Date: Fri, 29 May 2026 22:17:47 +0300
Subject: [PATCH] feat(awg2): add server obfuscation downgrade script for older router clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some router AmneziaWG implementations only support "classic" AmneziaWG 1.0 obfuscation and reject AWG 2.0 configs (range H1-H4, S3/S4, I1-I5 magic packets) that the Amnezia app and newer servers use — the config imports/ handshakes fine on phones but fails on the router. scripts/awg_downgrade_obfuscation.sh converts a server's wg0/awg0.conf to a router-compatible classic set: keeps Jc/Jmin/Jmax/S1/S2, collapses H1-H4 ranges to single values, drops S3/S4 and I1-I5, then reloads the interface (auto-detecting awg/wg). After running it, regenerate client configs in the panel (which mirrors the server's params) and re-import on all devices.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
scripts/awg_downgrade_obfuscation.sh | 59 ++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 scripts/awg_downgrade_obfuscation.sh
diff --git a/scripts/awg_downgrade_obfuscation.sh b/scripts/awg_downgrade_obfuscation.sh
new file mode 100644
index 0000000..983cda7
--- /dev/null
+++ b/scripts/awg_downgrade_obfuscation.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+# =====================================================================
+# Downgrade an AmneziaWG server's obfuscation to a "classic" (AmneziaWG 1.0)
+# set that older router AmneziaWG implementations accept.
+#
+# Keeps : Jc, Jmin, Jmax, S1, S2 (widely supported AWG 1.0 junk params)
+# Converts: H1-H4 from "a-b" ranges -> single value "a"
+# Drops : S3, S4 and I1-I5 (AWG 1.5/2.0-only padding & magic packets)
+#
+# After running this you MUST regenerate every client config in the panel
+# (create new clients / re-export) and re-import them on phones too — the old
+# AWG 2.0 client configs no longer match the server and will stop connecting.
+#
+# Usage (on the VPS host that runs the container):
+# sh awg_downgrade_obfuscation.sh [container_name]
+# Defaults to container "amnezia-awg2".
+# =====================================================================
+set -e
+
+CONTAINER="${1:-amnezia-awg2}"
+
+if ! docker inspect "$CONTAINER" >/dev/null 2>&1; then
+ echo "Container '$CONTAINER' not found. Pass the correct name as the 1st arg." >&2
+ exit 1
+fi
+
+# Locate the config inside the container (awg0.conf for AWG2, wg0.conf legacy).
+CONF=""
+for f in /opt/amnezia/awg/awg0.conf /opt/amnezia/awg/wg0.conf /etc/wireguard/wg0.conf; do
+ if docker exec "$CONTAINER" test -f "$f" 2>/dev/null; then CONF="$f"; break; fi
+done
+[ -n "$CONF" ] || { echo "WireGuard config not found inside $CONTAINER" >&2; exit 1; }
+
+echo "Container : $CONTAINER"
+echo "Config : $CONF"
+echo "Before:"
+docker exec "$CONTAINER" sh -c "grep -E '^(Jc|Jmin|Jmax|S[0-9]|H[0-9]|I[0-9])[[:space:]]*=' '$CONF' || true"
+
+# Rewrite the [Interface] obfuscation params, then reload the interface using
+# whichever tool the image provides (awg on amneziawg-go, wg on the Amnezia image).
+docker exec "$CONTAINER" sh -c '
+ set -e
+ CONF="'"$CONF"'"
+ IFACE="$(basename "$CONF" .conf)"
+ cp "$CONF" "${CONF}.bak" 2>/dev/null || true
+
+ # H1-H4: "a-b" -> "a"
+ sed -i -E "s/^([[:space:]]*H[1-4][[:space:]]*=[[:space:]]*[0-9]+)-[0-9]+/\1/" "$CONF"
+ # Drop S3, S4 and I1-I5 lines entirely
+ sed -i -E "/^[[:space:]]*(S3|S4|I[1-5])[[:space:]]*=/d" "$CONF"
+
+ QUICK="$(command -v awg-quick || command -v wg-quick)"
+ "$QUICK" down "$CONF" 2>/dev/null || "$QUICK" down "$IFACE" 2>/dev/null || true
+ "$QUICK" up "$CONF"
+'
+
+echo "After:"
+docker exec "$CONTAINER" sh -c "grep -E '^(Jc|Jmin|Jmax|S[0-9]|H[0-9]|I[0-9])[[:space:]]*=' '$CONF' || true"
+echo "Done. Now regenerate all client configs in the panel and re-import them."
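Review bot: The inner `sh -c` script rewrites the server config in place before it knows it can reload it. The backup is best-effort (`cp ... 2>/dev/null || true`), `QUICK=` is resolved only after both `sed -i` calls, so under `set -e` a missing awg-quick/wg-quick aborts without a message and with the file already changed, and a failing `"$QUICK" up "$CONF"` leaves the interface down with nothing restored. If the host is administered through this tunnel, that can lock the operator out, so I would resolve the tool and take a mandatory backup first, then restore `${CONF}.bak` when `up` fails. A second run also overwrites the backup with the already-downgraded file, so the fence keeps the first copy and uses `cp -p` so the backup, which presumably holds the server private key, keeps the original file mode. The script header could also state that dropping S3/S4/I1-I5 and collapsing the H1-H4 ranges reduces obfuscation for every peer on the server, not only the router.

```sh
  # Resolve the reload tool and take the backup before touching the config.
  QUICK="$(command -v awg-quick || command -v wg-quick)" || {
    echo "awg-quick/wg-quick not found in container" >&2
    exit 1
  }
  # Keep the first (pre-downgrade) backup; -p preserves the original file mode.
  [ -e "${CONF}.bak" ] || cp -p "$CONF" "${CONF}.bak"

  # … unchanged: the two sed -i rewrites (H1-H4 collapse, S3/S4/I1-I5 removal) …

  "$QUICK" down "$CONF" 2>/dev/null || "$QUICK" down "$IFACE" 2>/dev/null || true
  if ! "$QUICK" up "$CONF"; then
    echo "Reload failed; restoring ${CONF}.bak" >&2
    cp -p "${CONF}.bak" "$CONF"
    "$QUICK" up "$CONF"
    exit 1
  fi
```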