The awg-routing.sh fallback fetched cascade/ru.zone from main, so a
copied script depended on the mutable main branch - a future restructure
could 404 it or silently change the list. Pin it to the vX.Y.Z release
tag for an immutable snapshot, and add CASCADE.md/.en.md to the
check-docs-consistency raw-URL check so the tag bumps every release.
* docs(cascade): bundle ru.zone snapshot as offline fallback
awg-routing.sh now tries ipdeny -> repo snapshot (cascade/ru.zone via
raw.githubusercontent) -> local last-good, so a fresh server where
ipdeny is blocked still brings the cascade up instead of hard-failing.
Add cascade/ru.zone (ipdeny ru-aggregated snapshot, 2026-07-06, 8626
networks) + cascade/README.md with attribution and refresh steps.
Also clean the temp list file via a trap on exit.
* Release v5.18.4: cascade offline fallback + onlink route retry
Bump version to 5.18.4 across the 6 scripts, refresh the 4 helper SHA
pins, bump the pinned install URLs and the version badge, and add the
changelog entry (RU + EN).
Cumulative since v5.18.3: bundled cascade/ru.zone snapshot as an offline
fallback for awg-routing.sh, onlink route retry for out-of-subnet-gateway
VPS (#158), DeepWiki wiki.json + badge (#161), CI setup-qemu 4.1 -> 4.2 (#157).
Steer DeepWiki generation toward the current 2026 feature set
(Debian/Ubuntu 25.10/26.04/ARM, cascade, MSS clamp, expiry, mobile
DPI) and the current default routing, so the auto-generated wiki and
the LLMs that cite it stop reflecting the stale January 2026 snapshot.
repo_notes only (no pages) to keep full automatic page coverage.
Add an "Ask DeepWiki" badge to both READMEs pointing at the canonical
bivlked wiki URL.
Fix awg-routing.sh failing with 'Nexthop has invalid gateway' on VPS whose default gateway is outside the server subnet (e.g. Hetzner /32). Retry the AWG1 host route with onlink; clarify the guide prose (public /32 + private gateway works via onlink vs genuine provider NAT). RU + EN. Reported in discussion #120.
Set DPkg::Lock::Timeout at the start of step 1 so every apt call waits for the first-boot dpkg lock (held by unattended-upgrades) instead of failing, plus a retry after dpkg --configure -a with an actionable error. Release v5.18.2: version bump across all scripts, recomputed SHA pins, CHANGELOG RU and EN, refreshed pinned doc tags.
* docs: troubleshooting for AmneziaWG handshake mismatch and cascade upload asymmetry
- ADVANCED.md/.en.md: new Troubleshooting block for when the AmneziaWG handshake never completes while plain WireGuard works on the same server (obfuscation/version mismatch; compare [Interface] params byte-for-byte + awg --version; cross-links to client compatibility and the S3/S4 FAQ)
- CASCADE.md/.en.md: diagnostics bullet for upload-slow/download-fine on a cascade (a healthy download localizes the choke to the AWG0->AWG1 leg, not MTU or CPU; directional iperf3 test)
* docs: say AmneziaWG 2.0 in the handshake troubleshooting body to separate it from the older protocol (summary kept as the bare search term for SEO)
Bug-fix release. Four fixes plus documentation.
- install --force --port=N now changes the server port (was silently ignored: the render re-read the old ListenPort).
- full-tunnel clients get 0.0.0.0/0, ::/0 so AmneziaVPN on iOS accepts the all-traffic mode; manage regen upgrades non-customized clients too.
- default client DNS is now the 1.1.1.1, 1.0.0.1 pair.
- --port accepts ports 1-65535 (was 1024-65535) so 443/80/53 work for DPI evasion on mobile carriers.
Docs: CHANGELOG, S3/S4 range fix, stale issue link cleanup, Ubuntu 26.04 in the subtitle, --force re-run FAQ, a mobile-port note.
Live-tested on Debian 13 (x86_64) and Ubuntu 26.04 (ARM64, native IPv6).
Wire all five CPS special-junk params I1-I5 from the server awg0.conf into client configs (.conf, QR, vpn://). Previously only I1 reached clients; I2-I5 were hard-coded empty and undeliverable. Scope = variant 1 of #71: the admin sets I2-I5 in awg0.conf and manage regen distributes them; no new CLI flags. RU/EN in lockstep, SHA pins recomputed, docs (ADVANCED/ROADMAP/CHANGELOG RU+EN), new bats coverage. Release v5.18.0.
A field report (#138) hit Error: Nexthop has invalid gateway on a VPS behind provider NAT (/32 address with a private on-link-less gateway). Add a prerequisite in What you need and a Troubleshooting entry with the quick check. RU + EN, docs-only.
Add an ADVANCED section on active probing (in-protocol CPS + whitelisted port, with an honest boundary on where a separate responding proxy goes further) and an IPv4-only IPv6 caveat. Docs-only, no behavior change.
Add an automatic TCPMSS --set-mss rule (mangle FORWARD, both directions, SYN only) to the server PostUp/PostDown, derived from AWG_MTU (1240 v4 / 1220 v6), fixing the PMTU blackhole on mobile/double-NAT/cascade paths. Ships v5.17.0 with tests, SHA pins, CHANGELOG and docs. Smoke-tested on x86_64 and ARM64 (IPv4 + IPv6).
wiresock/amneziawg-install grew into a wider stack (bash installer +
optional native web panel + optional Rust obfuscation proxy). Update the
similar-tools row and add an honest routing bullet: route active-probing
resistance to their proxy (server-side masking works with any standard
client, full bidirectional pairs with their commercial WireSock Secure
Connect), while keeping our angle - in-protocol I1-I5/CPS obfuscation
aimed at typical mobile DPI, no separate proxy daemon, no paid client.
RU and EN symmetric.
* docs(cascade): troubleshooting note on Google/YouTube geo-routing
Google and YouTube cache (GGC) and CDN nodes hosted on Russian IPs land
in the RU ipset, so the cascade routes them direct via the entry and
Google sees a Russian source IP: YouTube buffering, Google Play not
loading apps, Russian regional results despite a foreign exit. Add a
troubleshooting bullet (RU + EN) with the cause and the fix (route the
Google/YouTube prefixes out the foreign exit, marked before RETURN).
* docs(cascade): clarify Google fix - GGC caches live in ISP networks
AS15169 alone misses Google Global Cache nodes, which often sit in ISP
networks. Reword the fix so it points to the full set of Google/YouTube
networks, not just AS15169 (second-opinion review).
Add three evergreen themes to Recently shipped / Уже сделано (RU+EN):
security and reliability hardening, correct iOS behavior in the default
routing mode, and the companion guides (official-app comparison and the
two-server cascade). Keeps the page theme-based, not a dated changelog.
iOS: mode 2 (the default) built an AllowedIPs list starting with 0.0.0.0/5,
which covers the reserved 0.0.0.0/8. The iOS kernel chokes on that block and
never reaches the rest of the routes, so the tunnel comes up and then stalls
about 10 seconds later (easy to mistake for DPI). Split the first range into
1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6 (the same coverage without the zero block),
which keeps split tunnel intact. Reported and fixed by @LiaNdrY (#42). Adds a
structural bats guard against reverting to 0.0.0.0/5.
Also in this release:
- ci: drop the path filter on the ShellCheck required check so docs-only PRs
no longer block on a status that never runs
- docs: add an iOS FAQ entry (README and ADVANCED, RU + EN); correct the
cascade guide (default endpoint port 39743 instead of 51820, the
awg-routing.service unit instead of a nonexistent after-awg1.conf drop-in,
and a duplicated step 1 paragraph); fix audit nits (a duplicated pointer in
ADVANCED.en.md, README install-link anchor parity, INSTALL_VPS wording)
- list 30d in the --expires error message to match --help
- bump the version to 5.16.1 across all six scripts, refresh the four helper
SHA pins, and update both changelogs
Add a step-by-step bilingual guide for a two-server cascade: clients connect
to an entry server, Russian traffic exits directly, the rest goes through a
foreign exit server. Includes a verified idempotent routing script, a systemd
oneshot for boot persistence, verification steps and troubleshooting.
Cross-linked from README and ADVANCED. Scheme based on the show-and-tell by
@glfenix in discussion #120.
Link the GitHub Pages site from the badge row (language-matched: RU README to
the RU homepage, EN README to the EN homepage). The README had no link to the
site before.
Add a short cross-link to the standalone comparison page at the end of the
how-it-differs section in README (RU and EN). Also correct the ADVANCED FAQ
wording: the page is a structured comparison, not a walkthrough with examples.
Add a how-it-differs section to README (RU and EN), an ADVANCED FAQ entry,
and a short note in INSTALL_VPS. Covers the no-Docker kernel-module approach,
whole-server tuning and hardening, and obfuscation fine-tuning, and links to
the new comparison page on the project site.
The transparency block (added in #116) understated two things:
- Packages: it only mentioned snapd/modemmanager, but the cleanup also
purges unattended-upgrades, networkd-dispatcher, packagekit, udisks2
(and lxd-agent-loader on Ubuntu), plus cloud-init when it does not
manage the network. Name the high-impact ones (unattended-upgrades,
cloud-init) and link to ADVANCED for the full list, which already
enumerates every removed package.
- Rollback: it promised uninstall removes all firewall rules. In fact
the SSH rate-limit rule the installer adds is left in place when UFW
was already active before install (only the VPN-port and awg0 route
rules are deleted, and UFW is disabled only if the installer enabled
it). Spell this out in the README and in the ADVANCED UFW FAQ.
README and ADVANCED, RU and EN in sync.
* ci(docs-check): guard against installer wget snippets missing -O
Adds check #10 to check-docs-consistency.sh: any wget that downloads
install_amneziawg*.sh from a raw URL must pin the output name with -O
(or --output-document). Bare 'wget <url>' writes install_amneziawg.sh.1
on a re-run, so the follow-up chmod/bash runs the stale first copy; the
worst case is the update flow with --force. Detection is two-step (line
calls wget on the installer URL and lacks -O), so 'wget -q <url>' is
caught too, while 'wget -O- url | bash' and curl alternatives are not
flagged. Locks in the fix from #114.
* test: expect 11 docs-check checks after the wget -O guard
check-docs-consistency.sh now runs 11 checks (added #10, the installer
wget -O guard), so the two structural assertions on the summary line
move from '10 passed' to '11 passed'.
Bare 'wget <url>' writes install_amneziawg.sh.1 on a second run, so a
follow-up 'chmod +x install_amneziawg.sh && bash install_amneziawg.sh'
silently runs the stale first copy. Worst case is the Update flow in
INSTALL_VPS.md, where an older script is always present and the user
ends up reinstalling the old version with --force. Pin the output name
with -O in every install/update snippet (RU + EN), matching the wget -O
pattern already used in the FAQ recovery block.
- Add a one-line star call-to-action at the bottom of both READMEs.
- Add two GitHub discussion form templates (Q&A help, Show-and-tell
setup and field report) to structure community input.
- Cross-link the docs hub: ADVANCED now points to INSTALL_VPS, and the
INSTALL_VPS related-reading list points back to README, so README,
ADVANCED and INSTALL_VPS all reference each other.
A compact 4-row table right after Quick Start routes visitors by their
situation to the right path: nothing extra for a plain cheap VPS,
--preset=mobile at install time for mobile/DPI networks, automatic ARM
kernel modules for Raspberry Pi / Ampere, and manage add --expires for
time-limited guests. RU and EN symmetric.
Add wiresock to the similar-tools comparison with an honest differential
(a CLI installer with an optional native web panel), reframe the section
around buyer questions, and add a "when this is not your best fit" block.
Note that an always-on web panel is extra service, port and resource cost
that only pays off when you rotate clients often, not on a set-and-forget
box.
Switch the license badge from the dynamic shields github endpoint to a
static MIT badge; the dynamic one intermittently fails with shields token
pool exhaustion.
* docs(readme): bilingual SEO above-fold, Quick Start above nav, trim badges
- Add an English H1 with install intent to the RU-primary README and the EN mirror so the indexed landing page carries English search weight.
- Add bilingual taglines and a counter-USP line (in-kernel, no Docker or web panel, single-purpose server, set-and-forget, QR or vpn:// one-tap import).
- Move Quick Start above the navigation so the one-command install is visible before the table of contents; add what-it-does, add-client and scope notes.
- Trim badges from 14 to 9 (drop Status and three redundant CI badges; keep compatibility, license, version, tests, stars and last-commit).
- Enrich the intro with the single-purpose tuning and set-and-forget value points.
* docs(readme): convert legacy em-dashes to hyphen-minus (style only)
Mechanical character replacement of em-dash and en-dash with hyphen-minus across both README files. No content changes. Aligns the flagship pages with the project punctuation rule.
* docs(readme): accuracy and usability polish
- Soften the absolute DPI claim to an accurate framing (hard to distinguish; works where plain WireGuard is detected and blocked).
- Add honest caveats: speed overhead in typical tests, carrier list as user reports not a guarantee, hosting price may change.
- Align server RAM to 1 GB across the comparison and requirements (drop the inconsistent 512 MB figure).
- Note the manage script next to 'no GUI' so the CLI does not read as unmanaged.
- Add a neutral 'what to look for in a VPS' checklist before the hosting recommendation.
- Split the management command table into everyday and maintenance/recovery; add a short FAQ orientation line.
* docs: reconcile RAM spec, fix dead link, align DPI wording
- Reconcile server RAM to '512 MB minimum, 1 GB recommended' across README (comparison table, requirements, FAQ) and INSTALL_VPS TL;DR.
- Fix a dead Related-reading link in INSTALL_VPS (Hetzner tutorial returned 404; point to the live tutorial that references this installer).
- Align the DPI wording in the comparison table with the softened intro (hard to fingerprint, not absolute 'undetectable').
A hardening and quality release that finalizes two accumulated workstreams.
Code-audit hardening (manage/awg_common/install):
- modify validates DNS as real IPv4/IPv6; octet-range check on the detected public IP
- --expires validated before client creation; --psk fails closed
- atomic .vpnuri and QR writes via the shared safe-temp helper; one shared client-artifact cleanup
- content-aware expiry cron; restore guards for an empty server/clients backup
- INT/TERM abort the script with exit 130/143 instead of falling through
Machine-readable status (additive, backward-compatible):
- list --json and stats --json also emit a stable status_code enum
(active | recent | inactive | no_handshake | key_error | no_data);
the localized status field is kept
Docs and process:
- accurate CLI help (--endpoint FQDN/IPv4/[IPv6], --no-tweaks note), README diagnose/repair-module rows
- ARM coverage for Ubuntu 26.04 (DKMS); docs-check enforces the OS x arch x prebuilt-target matrix
- CI badges, signing-doc cleanup, clearer issue/PR templates
Release mechanics: version and date bumped to 5.15.6 across the six scripts,
helper SHA pins recomputed, CHANGELOG (RU + EN) updated, pinned raw-URL tags and
README badges bumped. Default install behavior and the support matrix are unchanged.
Bump version to 5.15.5 across the 4 versioned scripts and 6 headers,
recompute the 4 helper SHA pins, add CHANGELOG entries (RU + EN) and
the comparator links, bump the version badge and the pinned raw-URL
tags in README/ADVANCED/INSTALL_VPS.
The fail2ban fix itself landed in 8eb24d1 (PR #106).
Minimal Ubuntu 24.04 images ship without rsyslog, so /var/log/auth.log does not exist and the sshd jail with backend=auto fails to start ("Have not found any log file for sshd jail"). Use backend=systemd on Ubuntu as well - Debian has been on it since the Discussion #39 fix.
Also check the real service state with `systemctl is-active` after restart: `systemctl restart fail2ban` returns 0 even when fail2ban-server dies right after start, so the installer used to report success on a crashed service.
Tested by the author on a clean Ubuntu 24.04.4 VPS. RU and EN installers updated in sync.
Docs + housekeeping release. Adds an ADVANCED section on host blocking by autonomous system (AS) and the I1/CPS QUIC-mimicry workaround. Converts two bats test names to ASCII so the full 790-check suite runs on Windows. Version bump, SHA pins and CHANGELOG (RU+EN). No install behavior changes.
Hardening release after four rounds of external code and documentation audits: installer input validators brought to canonical parity, manage restore/modify correctness fixes, atomic file operations, reproducible ARM builds with a pinned module ref and build manifest, bilingual release notes built by release.yml, an 8x faster Unicode-aware docs consistency check, and documentation accuracy fixes across README, INSTALL_VPS, ADVANCED, RELEASE_PROCESS and the Code of Conduct. Test suite grows to 788 checks; live-tested on clean Ubuntu 24.04 x86_64, Ubuntu 26.04 ARM64 and Debian 13 VPSes including real cross-continent AWG 2.0 handshakes.
The pinned raw.githubusercontent.com install and update commands in README,
README.en, ADVANCED, ADVANCED.en and INSTALL_VPS were left on the previous
tag (v5.15.0), so copying a command from the docs downloaded the previous
release instead of the current one. Bump all 31 user-facing pinned URLs to
the release tag. Feature-introduction markers like "(v5.15.0+)" are left
unchanged, and historical CHANGELOG links are not touched.
Version lockstep to 5.15.2: SCRIPT_VERSION in the four install/manage
scripts, the version header in all six scripts, the README version badges,
and the four helper-script SHA256 pins (the header bump changes the helper
bytes, so the pins are recomputed).
Add a regression check to scripts/check-docs-consistency.sh: every pinned
raw-URL tag in README/ADVANCED/INSTALL_VPS must match SCRIPT_VERSION
(CHANGELOG excluded, its tags are historical). This is what would have caught
the stale URLs, and the release preflight gate already runs this check.
CHANGELOG entries added to both languages.
Co-authored-by: Ivan Bondarev <ndt.ltd.pvl@gmail.com>
Maintenance release after external code and documentation audits. No new
features; hardens the v5.15.0 dual-stack IPv6 work, tightens several manage
commands, fixes correctness and robustness issues, and adds a release
preflight gate plus a docs-consistency check.
Behavior change: split tunnel + IPv6 mirrors the IPv4 intent - a custom
ALLOWED_IPS keeps that IPv4 split and adds only the tunnel ULA for IPv6
instead of forcing a full ::/0 route. A full tunnel still gets ::/0 (native
IPv6) or the ULA.
Fixed: vpn:// URI carries the server's real MTU/keepalive/DNS; stricter
native-IPv6 detection (global non-ULA address and default route) with the
host IPv6 stack re-enabled before detection; install fails fast on apt update
errors; manage modify validates Endpoint/AllowedIPs; manage add is safe
against name reuse and cleans partial artifacts; manage restore prunes stale
clients/keys and recreates the expiry dir; manage help exit codes; manage
--json keeps stdout pure JSON; log messages stop doubling percent signs.
Docs/process: subnet and OS help accuracy, list --json documented, changelog
compare-links and anchors restored, SECURITY/CONTRIBUTING refreshed, public
RELEASE_PROCESS.md, release publish gated behind a full preflight job, new
docs-consistency workflow, signing design aligned with the asset draft.
Version bumped to 5.15.1 across all six scripts; SHA pins recomputed.
Optional dual-stack IPv6 inside the AmneziaWG tunnel via --allow-ipv6-tunnel
(request #24). Off by default; without the flag behavior is identical to v5.14.x.
- server dual-stack [Interface] + ip6tables MASQUERADE
- IPv6 client allocation, dual-stack client config + vpn:// URI
- manage list/regen dual-stack aware
- native-IPv6 detection: full ::/0 route with native IPv6, tunnel-subnet-only
without it (no black hole)
- release tooling: scripts/update-sha-pins.sh, scripts/preflight-check.sh,
SHA-lockstep test
- bilingual docs (CHANGELOG, ADVANCED, README, INSTALL_VPS)
Tested: full bats suite plus live VPS on ARM64 / Ubuntu 26.04 (native IPv6)
and x86_64 / Debian 13 (no native IPv6); cross-host IPv4 and IPv6 confirmed
through the tunnel.
New RU+EN entry in the detailed troubleshooting section: the handshake
completes once, then the established flow is cut by in-path DPI (TSPU in
Russia) that filters by host IP/AS. Documents the awg show asymmetry
signature (tens of KiB sent, a couple of KiB received, latest handshake
never refreshes) and how to tell it apart from a server config issue.
Hetzner (AS24940) is consistently affected from my measurements; OVH, AWS,
Azure are a risk zone. Remedies: test from another network, move to a host
with clean IPs (links to the Hosting recommendation), or front with a relay.
Co-authored-by: Ivan Bondarev <ndt.ltd.pvl@gmail.com>
Adds detect_ssh_ports() resolving the real SSH port from --ssh-port, sshd -T (Port + ListenAddress), ss sockets, sshd_config, then 22. Both UFW branches open every detected port; new --ssh-port flag; v5.14.5 bump + SHA256 pins + bilingual changelog. Live-tested on Ubuntu 24.04 (x86_64) and Ubuntu 26.04 (ARM64): no lockout.
setup_improved_firewall returned 1 when the user answered N to the
"Enable UFW?" prompt, and the caller treats a non-zero return as fatal,
so a valid "no firewall" choice (the prompt defaults to N) stopped the
whole install. Return 0 on decline instead: the UFW rules stay staged,
the firewall is left inactive, the install proceeds, and the log shows
how to enable it later (sudo ufw enable). The --yes path is unchanged.
- install_amneziawg.sh / _en.sh: decline branch returns 0 + two warn lines
- version bump 5.14.3 -> 5.14.4 across the four versioned scripts + awg_common
- refreshed COMMON/MANAGE SHA256 pins (RU + EN)
- tests/test_v5144_ufw_optional.bats: 6 tests covering decline/accept/--yes, RU+EN
@jay0x reported on a clean Ubuntu 26.04 server installed from the
subiquity ISO inside VirtualBox: after running the installer the box
lost its IP address after reboot. Root cause: cleanup_system() called
`apt-get autoremove` after `apt-get purge cloud-init`, and on subiquity
installs there are no cloud-init markers in /etc/netplan, so the
purge path activates. The autoremove then cascaded into removing
netplan-generator as a transitive cloud-init dependency, leaving the
subiquity-written 00-installer-config.yaml without anything to render
it into /run/systemd/network, so systemd-networkd booted with empty
config and DHCP did nothing.
cleanup_system() changes:
- Drop the apt-get autoremove call entirely. Orphan packages take
~50-200 MB; that is acceptable in exchange for not breaking the net
stack. Users can run `apt-get autoremove --no-install-recommends`
manually if they care.
- Snapshot the user's existing apt-mark holds via `apt-mark showhold`
before adding our own holds, and only release the holds we placed.
This avoids stripping a user-managed hold on something like
linux-image-*.
- apt-mark hold netplan.io / netplan-generator / systemd-resolved /
netcfg / ifupdown for the duration of the purge run, so transitive
removal cannot touch them. systemd-networkd is not a standalone
package on Ubuntu 24+ (the binary lives inside systemd), so it is
intentionally NOT in the hold list.
- Snapshot the default route before cleanup. If after cleanup the
route is empty but the snapshot wasn't, attempt recovery: reinstall
netplan.io unconditionally, gate netplan-generator behind
`apt-cache show netplan-generator` (Debian 12 does not ship that
package and `apt install` would abort the transaction), restart
systemd-networkd, run netplan apply, then poll the route every 1-5
seconds for up to ~26 seconds (fixed sleeps are unreliable on slow
VMs). On failure, last-ditch: parse the iface from the snapshot,
bring it up with `ip link set <iface> up`, try `networkctl renew`
with a route re-check, then `dhclient -4` if the route is still
missing. Only after all of that fails does the installer die with
a hint to restore the network from the console and retry with
--no-tweaks.
check_os_version() now whitelists Ubuntu 26.04 alongside 24.04 and
25.10. Previously 26.04 fell into the warning branch with an interactive
prompt and only passed automatically when --yes was set. The release
is tested on 26.04 server in VirtualBox after this fix.
+14 bats tests in test_v5143_cleanup_no_autoremove.bats covering the
no-autoremove guarantee, hold list (without systemd-networkd), pre-
existing hold preservation, default-route recovery with apt-cache
gate, last-ditch networkctl + dhclient sequential fallback, die path
on total failure, cloud-init guard regression, and RU/EN structural
parity.
SCRIPT_VERSION and header dates bumped 5.14.2 to 5.14.3 across the
four versioned scripts. SHA256 pins for awg_common.sh and
manage_amneziawg.sh refreshed in both install scripts.
Thanks to @jay0x for the detailed repro with dpkg, journalctl, and
ls /etc/netplan/ output.