feat(awg2): add server obfuscation downgrade script for older router clients

Some router AmneziaWG implementations only support "classic" AmneziaWG 1.0
obfuscation and reject AWG 2.0 configs (range H1-H4, S3/S4, I1-I5 magic
packets) that the Amnezia app and newer servers use — the config imports/
handshakes fine on phones but fails on the router.

scripts/awg_downgrade_obfuscation.sh converts a server's wg0/awg0.conf to a
router-compatible classic set: keeps Jc/Jmin/Jmax/S1/S2, collapses H1-H4
ranges to single values, drops S3/S4 and I1-I5, then reloads the interface
(auto-detecting awg/wg). After running it, regenerate client configs in the
panel (which mirrors the server's params) and re-import on all devices.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
infosave
2026-05-29 22:17:47 +03:00
parent 24a6cb276f
commit baa3ef5f76
+59
@@ -0,0 +1,59 @@
#!/bin/sh
# =====================================================================
# Downgrade an AmneziaWG server's obfuscation to a "classic" (AmneziaWG 1.0)
# set that older router AmneziaWG implementations accept.
#
# Keeps : Jc, Jmin, Jmax, S1, S2 (widely supported AWG 1.0 junk params)
# Converts: H1-H4 from "a-b" ranges -> single value "a"
# Drops : S3, S4 and I1-I5 (AWG 1.5/2.0-only padding & magic packets)
#
# After running this you MUST regenerate every client config in the panel
# (create new clients / re-export) and re-import them on phones too — the old
# AWG 2.0 client configs no longer match the server and will stop connecting.
#
# Usage (on the VPS host that runs the container):
# sh awg_downgrade_obfuscation.sh [container_name]
# Defaults to container "amnezia-awg2".
# =====================================================================
set -e
CONTAINER="${1:-amnezia-awg2}"
if ! docker inspect "$CONTAINER" >/dev/null 2>&1; then
echo "Container '$CONTAINER' not found. Pass the correct name as the 1st arg." >&2
exit 1
fi
# Locate the config inside the container (awg0.conf for AWG2, wg0.conf legacy).
CONF=""
for f in /opt/amnezia/awg/awg0.conf /opt/amnezia/awg/wg0.conf /etc/wireguard/wg0.conf; do
if docker exec "$CONTAINER" test -f "$f" 2>/dev/null; then CONF="$f"; break; fi
done
[ -n "$CONF" ] || { echo "WireGuard config not found inside $CONTAINER" >&2; exit 1; }
echo "Container : $CONTAINER"
echo "Config : $CONF"
echo "Before:"
docker exec "$CONTAINER" sh -c "grep -E '^(Jc|Jmin|Jmax|S[0-9]|H[0-9]|I[0-9])[[:space:]]*=' '$CONF' || true"
# Rewrite the [Interface] obfuscation params, then reload the interface using
# whichever tool the image provides (awg on amneziawg-go, wg on the Amnezia image).
docker exec "$CONTAINER" sh -c '
set -e
CONF="'"$CONF"'"
IFACE="$(basename "$CONF" .conf)"
cp "$CONF" "${CONF}.bak" 2>/dev/null || true
# H1-H4: "a-b" -> "a"
sed -i -E "s/^([[:space:]]*H[1-4][[:space:]]*=[[:space:]]*[0-9]+)-[0-9]+/\1/" "$CONF"
# Drop S3, S4 and I1-I5 lines entirely
sed -i -E "/^[[:space:]]*(S3|S4|I[1-5])[[:space:]]*=/d" "$CONF"
QUICK="$(command -v awg-quick || command -v wg-quick)"
"$QUICK" down "$CONF" 2>/dev/null || "$QUICK" down "$IFACE" 2>/dev/null || true
"$QUICK" up "$CONF"
'
echo "After:"
docker exec "$CONTAINER" sh -c "grep -E '^(Jc|Jmin|Jmax|S[0-9]|H[0-9]|I[0-9])[[:space:]]*=' '$CONF' || true"
echo "Done. Now regenerate all client configs in the panel and re-import them."
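Review bot: The backup step in the inner script, `cp "$CONF" "${CONF}.bak" 2>/dev/null || true`, ignores a failed copy and overwrites any earlier `.bak`, so a second run replaces the original AWG 2.0 config with the already-downgraded one and leaves nothing to roll back to. Let the `cp` fail under `set -e`, and skip it when `${CONF}.bak` already exists (or use a timestamped name). Related: resolve `QUICK` before the two `sed -i` edits. If neither `awg-quick` nor `wg-quick` is present, the assignment aborts the script after the file has been rewritten, with no reload and no message, and if `"$QUICK" up "$CONF"` fails the interface stays down with nothing restoring the backup. A short failure path that copies `${CONF}.bak` back and brings the interface up again would cover both cases.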