netbirdio · spikeyspik · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,8 +1,8 @@
-FROM golang:1.23-bullseye
+FROM golang:1.24-bullseye
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-4 \ 
+        gettext-base=0.21-4 \
         iptables=1.8.7-1 \
         libgl1-mesa-dev=20.3.5-1 \
         xorg-dev=1:7.7+22 \

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -7,7 +7,7 @@
 	"features": {
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
 		"ghcr.io/devcontainers/features/go:1": {
-			"version": "1.23"
+          "version": "1.24.4"
 		}
 	},
 	"workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
@@ -17,4 +17,4 @@
 		"SYS_RESOURCE"
 	],
 	"privileged": true
-}
+}
diff --git a/client/embed/embed.go b/client/embed/embed.go
@@ -11,8 +11,8 @@ import (
 	"os"
 	"sync"
 
+	wgnetstack "github.com/amnezia-vpn/amneziawg-go/tun/netstack"
 	"github.com/sirupsen/logrus"
-	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"

diff --git a/client/firewall/iface.go b/client/firewall/iface.go
@@ -1,7 +1,7 @@
 package firewall
 
 import (
-	wgdevice "golang.zx2c4.com/wireguard/device"
+	wgdevice "github.com/amnezia-vpn/amneziawg-go/device"
 
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"

diff --git a/client/firewall/uspfilter/common/iface.go b/client/firewall/uspfilter/common/iface.go
@@ -1,7 +1,7 @@
 package common
 
 import (
-	wgdevice "golang.zx2c4.com/wireguard/device"
+	wgdevice "github.com/amnezia-vpn/amneziawg-go/device"
 
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"

diff --git a/client/firewall/uspfilter/filter_filter_test.go b/client/firewall/uspfilter/filter_filter_test.go
@@ -5,11 +5,11 @@ import (
 	"net/netip"
 	"testing"
 
+	wgdevice "github.com/amnezia-vpn/amneziawg-go/device"
 	"github.com/golang/mock/gomock"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/require"
-	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/device"

diff --git a/client/firewall/uspfilter/filter_test.go b/client/firewall/uspfilter/filter_test.go
@@ -8,11 +8,11 @@ import (
 	"testing"
 	"time"
 
+	wgdevice "github.com/amnezia-vpn/amneziawg-go/device"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
-	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"

diff --git a/client/firewall/uspfilter/forwarder/endpoint.go b/client/firewall/uspfilter/forwarder/endpoint.go
@@ -3,7 +3,7 @@ package forwarder
 import (
 	"fmt"
 
-	wgdevice "golang.zx2c4.com/wireguard/device"
+	wgdevice "github.com/amnezia-vpn/amneziawg-go/device"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"

diff --git a/client/iface/bind/control.go b/client/iface/bind/control.go
@@ -1,7 +1,7 @@
 package bind
 
 import (
-	wireguard "golang.zx2c4.com/wireguard/conn"
+	wireguard "github.com/amnezia-vpn/amneziawg-go/conn"
 
 	nbnet "github.com/netbirdio/netbird/client/net"
 )

diff --git a/client/iface/bind/endpoint.go b/client/iface/bind/endpoint.go
@@ -3,7 +3,7 @@ package bind
 import (
 	"net"
 
-	wgConn "golang.zx2c4.com/wireguard/conn"
+	wgConn "github.com/amnezia-vpn/amneziawg-go/conn"
 )
 
 type Endpoint = wgConn.StdNetEndpoint

diff --git a/client/iface/bind/ice_bind.go b/client/iface/bind/ice_bind.go
@@ -11,12 +11,12 @@ import (
 	"runtime"
 	"sync"
 
+	wgConn "github.com/amnezia-vpn/amneziawg-go/conn"
 	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
-	wgConn "golang.zx2c4.com/wireguard/conn"
 
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"

diff --git a/client/iface/bind/relay_bind.go b/client/iface/bind/relay_bind.go
@@ -6,8 +6,8 @@ import (
 	"net/netip"
 	"sync"
 
+	"github.com/amnezia-vpn/amneziawg-go/conn"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
 
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 )

diff --git a/client/iface/configurer/amnezia_config.go b/client/iface/configurer/amnezia_config.go
@@ -0,0 +1,21 @@
+package configurer
+
+// AmneziaConfig describes AmneziaWG obfuscation parameters.
+// If nil or all fields are zero, it behaves as standard WireGuard.
+type AmneziaConfig interface {
+	IsEmpty() bool
+	GetJc() int32
+	GetJmin() int32
+	GetJmax() int32
+	GetS1() int32
+	GetS2() int32
+	GetH1() uint32
+	GetH2() uint32
+	GetH3() uint32
+	GetH4() uint32
+	GetI1() string
+	GetI2() string
+	GetI3() string
+	GetI4() string
+	GetI5() string
+}
diff --git a/client/iface/configurer/uapi.go b/client/iface/configurer/uapi.go
@@ -5,8 +5,8 @@ package configurer
 import (
 	"net"
 
+	"github.com/amnezia-vpn/amneziawg-go/ipc"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/ipc"
 )
 
 func openUAPI(deviceName string) (net.Listener, error) {

diff --git a/client/iface/configurer/uapi_windows.go b/client/iface/configurer/uapi_windows.go
@@ -3,7 +3,7 @@ package configurer
 import (
 	"net"
 
-	"golang.zx2c4.com/wireguard/ipc"
+	"github.com/amnezia-vpn/amneziawg-go/ipc"
 )
 
 func openUAPI(deviceName string) (net.Listener, error) {

diff --git a/client/iface/configurer/usp.go b/client/iface/configurer/usp.go
@@ -12,8 +12,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/amnezia-vpn/amneziawg-go/device"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -41,15 +41,17 @@ type WGUSPConfigurer struct {
 	device           *device.Device
 	deviceName       string
 	activityRecorder *bind.ActivityRecorder
+	amneziaConfig    AmneziaConfig
 
 	uapiListener net.Listener
 }
 
-func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
+func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder, amneziaConfig AmneziaConfig) *WGUSPConfigurer {
 	wgCfg := &WGUSPConfigurer{
 		device:           device,
 		deviceName:       deviceName,
 		activityRecorder: activityRecorder,
+		amneziaConfig:    amneziaConfig,
 	}
 	wgCfg.startUAPI()
 	return wgCfg
@@ -69,7 +71,7 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 		ListenPort:   &port,
 	}
 
-	return c.device.IpcSet(toWgUserspaceString(config))
+	return c.device.IpcSet(c.toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
@@ -91,7 +93,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
+	if ipcErr := c.device.IpcSet(c.toWgUserspaceString(config)); ipcErr != nil {
 		return ipcErr
 	}
 
@@ -145,7 +147,7 @@ func (c *WGUSPConfigurer) RemoveEndpointAddress(peerKey string) error {
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
+	if ipcErr := c.device.IpcSet(c.toWgUserspaceString(config)); ipcErr != nil {
 		return fmt.Errorf("failed to remove peer: %s", ipcErr)
 	}
 
@@ -160,7 +162,7 @@ func (c *WGUSPConfigurer) RemoveEndpointAddress(peerKey string) error {
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	if err := c.device.IpcSet(toWgUserspaceString(config)); err != nil {
+	if err := c.device.IpcSet(c.toWgUserspaceString(config)); err != nil {
 		return fmt.Errorf("remove endpoint address: %w", err)
 	}
 
@@ -181,7 +183,7 @@ func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	ipcErr := c.device.IpcSet(toWgUserspaceString(config))
+	ipcErr := c.device.IpcSet(c.toWgUserspaceString(config))
 
 	c.activityRecorder.Remove(peerKey)
 	return ipcErr
@@ -208,7 +210,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	return c.device.IpcSet(toWgUserspaceString(config))
+	return c.device.IpcSet(c.toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
@@ -273,7 +275,7 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	return c.device.IpcSet(toWgUserspaceString(config))
+	return c.device.IpcSet(c.toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
@@ -399,11 +401,17 @@ func parseTransfers(ipc string) (map[string]WGStats, error) {
 	return stats, nil
 }
 
-func toWgUserspaceString(wgCfg wgtypes.Config) string {
+func (c *WGUSPConfigurer) toWgUserspaceString(wgCfg wgtypes.Config) string {
 	var sb strings.Builder
 	if wgCfg.PrivateKey != nil {
 		hexKey := hex.EncodeToString(wgCfg.PrivateKey[:])
 		sb.WriteString(fmt.Sprintf("private_key=%s\n", hexKey))
+
+		// Write AmneziaWG settings only if config is not empty
+		// If nil or empty, acts as standard WireGuard
+		if !c.amneziaConfig.IsEmpty() {
+			writeAmneziaWgSettings(sb, c.amneziaConfig)
+		}
 	}
 
 	if wgCfg.ListenPort != nil {
@@ -450,6 +458,53 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 	return sb.String()
 }
 
+func writeAmneziaWgSettings(sb strings.Builder, conf AmneziaConfig) {
+
+	if val := conf.GetJc(); val > 0 {
+		sb.WriteString(fmt.Sprintf("jc=%d\n", val))
+	}
+	if val := conf.GetJmin(); val > 0 {
+		sb.WriteString(fmt.Sprintf("jmin=%d\n", val))
+	}
+	if val := conf.GetJmax(); val > 0 {
+		sb.WriteString(fmt.Sprintf("jmax=%d\n", val))
+	}
+	if val := conf.GetS1(); val > 0 {
+		sb.WriteString(fmt.Sprintf("s1=%d\n", val))
+	}
+	if val := conf.GetS2(); val > 0 {
+		sb.WriteString(fmt.Sprintf("s2=%d\n", val))
+	}
+	if val := conf.GetH1(); val > 0 {
+		sb.WriteString(fmt.Sprintf("h1=%d\n", val))
+	}
+	if val := conf.GetH2(); val > 0 {
+		sb.WriteString(fmt.Sprintf("h2=%d\n", val))
+	}
+	if val := conf.GetH3(); val > 0 {
+		sb.WriteString(fmt.Sprintf("h3=%d\n", val))
+	}
+	if val := conf.GetH4(); val > 0 {
+		sb.WriteString(fmt.Sprintf("h4=%d\n", val))
+	}
+	if val := conf.GetI1(); val != "" {
+		sb.WriteString(fmt.Sprintf("i1=%s\n", val))
+	}
+	if val := conf.GetI2(); val != "" {
+		sb.WriteString(fmt.Sprintf("i2=%s\n", val))
+	}
+	if val := conf.GetI3(); val != "" {
+		sb.WriteString(fmt.Sprintf("i3=%s\n", val))
+	}
+	if val := conf.GetI4(); val != "" {
+		sb.WriteString(fmt.Sprintf("i4=%s\n", val))
+	}
+	if val := conf.GetI5(); val != "" {
+		sb.WriteString(fmt.Sprintf("i5=%s\n", val))
+	}
+
+}
+
 func toLastHandshake(stringVar string) (time.Time, error) {
 	sec, err := strconv.ParseInt(stringVar, 10, 64)
 	if err != nil {

diff --git a/client/iface/device.go b/client/iface/device.go
@@ -3,9 +3,9 @@
 package iface
 
 import (
-	"golang.zx2c4.com/wireguard/tun/netstack"
+	"github.com/amnezia-vpn/amneziawg-go/tun/netstack"
 
-	wgdevice "golang.zx2c4.com/wireguard/device"
+	wgdevice "github.com/amnezia-vpn/amneziawg-go/device"
 
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/udpmux"