https://docs.amnezia.org/documentation/amnezia-wg/
This is even better than regular Wireguard. I'm really looking forward to its support!
Well, it was added and then quickly removed from freebsd:
https://www.freshports.org/net/amneziawg-tools/
https://reviews.freebsd.org/D51265
Not a good start.
Well, they removed it just to rename the whole thing without "wg" in the name.
Port is available:
https://www.freshports.org/net/amnezia-tools/
https://www.freshports.org/net/amnezia-kmod/
Can it be supported in OPNsense?
What should be the scope of "supported in OPNsense"?
As soon as a port exists, you are free to pull the port (e.g. from github) and build the binary via "make build".
Do you mean like offering a prebuilt binary via the package manager? Or even a plugin?
The last two things need somebody who makes an effort.
What about: https://github.com/antspopov/opnsense_amnezia_plugin (I am not affiliated with this repo)? Does it look complete?
What's the benefit of such a WireGuard implementation? Wouldn't it be better to use something protocol-agnostic that can tunnel any protocol through a websocket, like:
https://github.com/erebe/wstunnel
https://github.com/erebe/wstunnel?tab=readme-ov-file#wireguard-and-wstunnel-
Did you manage to get the AmneziaWG plug-in installed and working? Curious to know if it is working well.
Quote from: haemm0r on October 29, 2025, 08:59:48 PM
What about: https://github.com/antspopov/opnsense_amnezia_plugin (I am not affiliated with this repo)? Does it look complete?
Let's hope they implement it.
Wstunnel is fine but no UI is made for it.
We need PRs for this we will not implement this ourselves.
This possibility is very exciting indeed. A WireGuard VPN protocol with features to protect it against DPI is something I can see myself having running around the clock on my Firewall.
And why don't you just use Wireguard, if you control the firewall?
As far as I understand AmneziaWG is intentionally circumventing/bypassing corporate firewall and compliance policies. As such I would strongly recommend against including it in OPNsense.
If you control OPNsense just run WG.
Quote from: Patrick M. Hausen on February 22, 2026, 10:35:20 PM
And why don't you just use Wireguard, if you control the firewall?
Because upstream firewalls?
Think: Empire v. Alliance. :)
https://mullvad.net/en/blog/introducing-quic-obfuscation-for-wireguard
(unless I completely misread the purpose of this tool...)
Side note: really unfortunate choice for a project logo, IMO.
What upstream firewalls? If they exist there is a reason. If you live in an authoritarian country you should probably use tor. Amnezia will probably allow you to connect but it's not making you anonymous.
I will never promote circumventing a company or school or uni ... firewall.
Quote from: Patrick M. Hausen on February 23, 2026, 12:08:53 AM
I will never promote circumventing a company or school or uni ... firewall.
I wasn't thinking along those lines. I think students trying to get to TikTok on school time is different than private citizens trying to access information on theirs, but unfortunately the means are the same.
I also don't see the point. If you need obfuscated internet access for legitimate reasons, you'd better use TOR.
Maybe I misinterpreted the link in the OP?
The things it discusses seem to have more to do with punching through for access purposes (avoiding VPN blocks) rather than anonymity. Tor is solving a different problem, no?
Yes, but in which scenario would you legitimately need to punch holes through a firewall that does not also call for anonymity?
Either when fear of repercussion is low (no real consequence of getting around a block) or in high numbers (a country in revolution/protest all accessing information together). In some cases I guess getting information can be more important than hiding the fact, especially if Tor can be blocked.
In typical situations, I think I agree with you. Most casual VPN users probably desire some level of anonymity or at least blocking data collection from a network operator (maybe some people are employed by their ISP, for example).
I'm reaching a bit here, but I'm trying :)
Quote from: OPNenthu on February 23, 2026, 12:16:05 PM
Most casual VPN users probably desire some level of anonymity or at least blocking data collection from a network operator
The funny thing is that at least in the EU your ISP is way more trustworthy than any so called "VPN provider". With a commercial "VPN" you hand all your communication metadata to a single entity, frequently a company located not in the EU. While your ISP is bound by GDPR and strong consumer protection laws and all hell will break loose should they ever get caught sniffing.
For me a VPN is something where I control both ends. Hence the quotes (") above.
Quote from: Patrick M. Hausen on February 23, 2026, 12:46:15 PM
The funny thing is that at least in the EU your ISP is way more trustworthy than any so called "VPN provider". With a commercial "VPN" you hand all your communication metadata to a single entity, frequently a company located not in the EU. While your ISP is bound by GDPR and strong consumer protection laws and all hell will break loose should they ever get caught sniffing.
Actually there is no right choice there:
- VPN Company = Often someone you don't really know...
Even though I know that at least two of them are "serious bastards" when it comes to their demands when they rent their servers from a hosting company: Private Internet Access and Mullvad.
- You can't trust your ISP either because (at least in The Netherlands) they are forced to allow the Police/Government to sniff/monitor their network whenever they want...
So the only option left is maybe some Server or VPS hosted in a country your own country has no connections to and host your own VPN there... hopefully...
The whole Tor VPN thing is also one big unknown for most people so even there the question is if you can trust it...
#WeAreAllSooScrewed!!! ^_^
I would very much like to see AmneziaWG included in OPNsense. It seems like an ideal alternative to the openvpn XOR patch which is no longer supported.
Personally I need VPN obfuscation to avoid aggressive throttling when connecting to my home network from outside.
I made some comments from a project perspective here: https://github.com/opnsense/tools/pull/504
I'm not opposed, but I'm missing a commitment that this is "the next best thing" since wireguard brought upon us the kernel module madness (if anyone remembers why hiring the wrong guy is not a good idea) and the fact that someone will have to write and review a plugin too. That's a big commitment/promise IMO and I think a bit late to the party...
Cheers,
Franco
Take the UAE as an example. VPN is allowed IF you use it for legitimate reasons.
The problem is that most hotels and mobile providers block VPNs.
I would see this as a fallback if standard WG isn't working.
Admins and developers who don't prioritize privacy or censorship resistance may not find this significant.
However, government and ISP censorship is intensifying not only in Russia and the EU but across many other nations as well.
I earnestly hope that os-amneziawg will be developed and implemented as an official OPNsense plugin, just like os-wireguard.
It would be better to wrap WireGuard inside something that is independent from it, like wstunnel.
https://github.com/erebe/wstunnel
Everything that alters and ships WireGuard directly is very inflexible and becomes technical debt once DPIs get the hang of it too.
The more widespread and mainstream such an obfuscation technique becomes, the more likely it will be blocked as well in time.
Better to be able to change the technique independently from the tunneling protocol in the long run.
Also, wstunnel seems sponsored by an NL company.
Quote from: Lucid1010 on April 12, 2026, 06:21:10 PM
Admins and developers who don't prioritize privacy or censorship resistance may not find this significant.
Tools have a place and it's good to have options (whether in OPNsense or not), but we should be clear that resistance is a political process. Just evading blocks isn't going to effect meaningful change.
This isn't about tools or politics.
When the OpenVPN XOR patch was needed 10 years ago, OpenVPN upstream declined to use the extension. The FreeBSD ports maintainer reluctantly added it and tried to kill it every chance he got, too. The patch was rather small and controllable and completely optional. You could use it from the advanced parameters found in the OpenVPN legacy GUI. We gladly kept it in OPNsense and defended it in FreeBSD ports as long as we could.
Fast forward 10 years and now we're asking:
A kernel module that can potentially crash the whole system or take it over. A toolkit to configure it. A user-space alternative that WireGuard itself abandoned years ago. And there is no plugin that has been written yet... looking at the evolution of the WireGuard plugin, that is a lot of work to be done by someone, too. Then somebody will drop an AI-generated plugin, as is becoming customary nowadays. Is that really the way to go?
So I'm asking for a commitment here, because it's asking a lot of the project. WireGuard was rough (with the community plugin being the first few years), NetBird and Tailscale do work but I don't particularly enjoy the complexity and the plugins IMO need a lot more work (including documentation). I just don't see that happening here, and adding another hoping this one will do it will not help either.
Again, nothing against it, but it needs a commitment from someone, and then they are asking for a commitment on review and keeping it afloat when bugs arise from the community and us.
Cheers,
Franco
Understood and thanks, though my last post wasn't arguing for inclusion. The arguments against are convincing enough :)
https://reviews.freebsd.org/D51265 and https://en.wikipedia.org/wiki/Talk:Amnezia_VPN are fascinating reads.
Cheers,
Franco
Indeed, thanks for those links.