https://docs.amnezia.org/documentation/amnezia-wg/
This is even better than regular WireGuard. I'm really looking forward to its support!
Well, it was added and then quickly removed from FreeBSD:
https://www.freshports.org/net/amneziawg-tools/
https://reviews.freebsd.org/D51265
Not a good start.
Well, they removed it just to rename the whole thing without "wg" in the name.
Port is available:
https://www.freshports.org/net/amnezia-tools/
https://www.freshports.org/net/amnezia-kmod/
Can it be supported in OPNsense?
What should be the scope of "supported in OPNsense"?
As soon as a port exists, you are free to pull the port (e.g. from GitHub) and build the binary via "make build".
Do you mean like offering a prebuilt binary via the package manager? Or even a plugin?
The last two things need somebody who makes an effort.
What about: https://github.com/antspopov/opnsense_amnezia_plugin (I am not affiliated with this repo)? Does it look complete?
What's the benefit of such a WireGuard implementation? Wouldn't it be better to use something protocol-agnostic that can tunnel any protocol through a websocket, like:
https://github.com/erebe/wstunnel
https://github.com/erebe/wstunnel?tab=readme-ov-file#wireguard-and-wstunnel-
Did you manage to get the AmneziaWG plug-in installed and working? Curious to know if it is working well.
Quote from: haemm0r on October 29, 2025, 08:59:48 PM What about: https://github.com/antspopov/opnsense_amnezia_plugin (I am not affiliated with this repo)? Does it look complete?
Let's hope they implement it.
Wstunnel is fine but no UI is made for it.
We need PRs for this; we will not implement this ourselves.
This possibility is very exciting indeed. A WireGuard VPN protocol with features to protect it against DPI is something I can see myself having running around the clock on my Firewall.
And why don't you just use WireGuard, if you control the firewall?
As far as I understand AmneziaWG is intentionally circumventing/bypassing corporate firewall and compliance policies. As such I would strongly recommend against including it in OPNsense.
If you control OPNsense just run WG.
Quote from: Patrick M. Hausen on February 22, 2026, 10:35:20 PM And why don't you just use WireGuard, if you control the firewall?
Because upstream firewalls?
Think: Empire v. Alliance. :)
https://mullvad.net/en/blog/introducing-quic-obfuscation-for-wireguard
(unless I completely misread the purpose of this tool...)
Side note: really unfortunate choice for a project logo, IMO.
What upstream firewalls? If they exist there is a reason. If you live in an authoritarian country you should probably use Tor. Amnezia will probably allow you to connect but it's not making you anonymous.
I will never promote circumventing a company or school or uni ... firewall.
Quote from: Patrick M. Hausen on February 23, 2026, 12:08:53 AM I will never promote circumventing a company or school or uni ... firewall.
I wasn't thinking along those lines. I think students trying to get to TikTok on school time is different than private citizens trying to access information on theirs, but unfortunately the means are the same.
I also don't see the point. If you need obfuscated internet access for legitimate reasons, you'd better use TOR.
Maybe I misinterpreted the link in the OP?
The things it discusses seem to have more to do with punching through for access purposes (avoiding VPN blocks) rather than anonymity. Tor is solving a different problem, no?
Yes, but in which scenario would you legitimately need to punch holes through a firewall that does not also ask for anonymity?
Either when fear of repercussion is low (no real consequence of getting around a block) or in high numbers (a country in revolution/protest all accessing information together). In some cases I guess getting information can be more important than hiding the fact, especially if Tor can be blocked.
In typical situations, I think I agree with you. Most casual VPN users probably desire some level of anonymity or at least blocking data collection from a network operator (maybe some people are employed by their ISP, for example).
I'm reaching a bit here, but I'm trying :)
Quote from: OPNenthu on February 23, 2026, 12:16:05 PM Most casual VPN users probably desire some level of anonymity or at least blocking data collection from a network operator
The funny thing is that at least in the EU your ISP is way more trustworthy than any so-called "VPN provider". With a commercial "VPN" you hand all your communication metadata to a single entity, frequently a company located not in the EU. While your ISP is bound by GDPR and strong consumer protection laws and all hell will break loose should they ever get caught sniffing.
For me a VPN is something where I control both ends. Hence the quotes (") above.
Quote from: Patrick M. Hausen on February 23, 2026, 12:46:15 PM The funny thing is that at least in the EU your ISP is way more trustworthy than any so-called "VPN provider". With a commercial "VPN" you hand all your communication metadata to a single entity, frequently a company located not in the EU. While your ISP is bound by GDPR and strong consumer protection laws and all hell will break loose should they ever get caught sniffing.
Actually there is no right choice there:
- VPN Company = Often someone you don't really know...
Even though I know that at least two of them are "serious bastards" when it comes to their demands when they rent their servers from a hosting company: Private Internet Access and Mullvad.
- You can't trust your ISP either because (at least in The Netherlands) they are forced to allow the Police/Government to sniff/monitor their network whenever they want...
So the only option left is maybe some server or VPS hosted in a country your own country has no connections to and host your own VPN there... hopefully...
The whole Tor VPN thing is also one big unknown for most people so even there the question is if you can trust it...
#WeAreAllSooScrewed!!! ^_^