Basically yes, but "J" parameters are determining junk packets and can be different between peers.
Well I suppose one would need to know what those parameters actually mean or do, so that one could select valid parameters.............
Have you determined that ALL of them need to be changed from default, or just some combination of them or maybe just one??
Here is a good explanation of how those parameters work.
Also, not so long ago the devs updated the protocol to v1.5, allowing it to imitate other protocols, for example QUIC.
How are they doing with inclusion in the Linux kernel?
Okay so Amnezia does two things:
a. introduces 5 new parameters Jc through S2; and
b. modifies the usage of parameters H1 through H4
If S1 and S2 are required and contain junk data before the actual wireguard data, in both handshake and response respectively, why the need for J parameters at all??
Okay I see the difference, the J parameters are junk before the handshake and thus already disguising or interrupting DPI attempts. The internal part of the handshake & response junk packets (S1,S2) and the type messages H1-H4, replacing 1-4 are deactivated when connecting to a plain vanilla Wireguard at the other end.
In Amnezia, the DPI has issues due to the junk at the front end of the traffic, and then the handshake includes more prejunk and non-standard message types replace the expected WireGuard message types.
Sounds very difficult to do, injecting what is basically a different format. I suppose the functionality internally remains the same. Doesn't touch anything after the handshake so that's good.
Okay now there is an actual iOS client even. MT should get going on this. I really like the random keep-alive, thinking of everything.
I don't really understand CPS, seems like it's more communications or messages even before their J junk messages even before the handshake.
Please implement this Mikrotik!!
I can't understand why you haven't already. I was travelling recently and my roadwarrior setup was totally useless because it could not get through firewall/DPI.
This should really be implemented as soon as is possible!
The fact that the authors have ensured that the latest rendition of Amnezia, call it Ver2, is backwards compatible with Ver1 and is backward compatible with standard WireGuard, means that it's well designed and flexible. Can be set up and serve a variety of users at the same time.
Dear Mikrotik team,
In modern dark times, AmneziaWG is a strongly needed tool. I'd be happy if you could implement support for this protocol.
Hi guys! Can anybody help me? I stumbled over this:
/container/add remote-image=wiktorbgu/amneziawg-mikrotik interface=AMNEZIAWG root-dir=/usb1/docker/amneziawg start-on-boot=yes logging=yes mounts=amnezia_wg_conf dns=1.1.1.1,8.8.8.8,9.9.9.9
After it I get an error that says “amneziawg-mikrotik: import error: fetch config failed: get config (https://registry.hub.docker.com/v2/wiktorbgu/amneziawg-mikrotik/blobs/sha256:e4ec8126ab71f94c9011b8f7495e0f52020c2b5621ea0741b99e535e71a71c17) failed: SSL: ssl: no trusted CA certificate found (6)”
I’ve installed the Amazon’s CA’s but nothing changed. Any ideas what to do?
With recent versions of RouterOS you can enable:
/certificate settings set builtin-trust-anchors=trusted
and you won't need to manually install the CA certificate anymore.
That’s not all. The container has installed successfully, and started with a command:
/container shell [find interface=AMNEZIAWG status=running]
But the next command:
/container shell [find interface=AMNEZIAWG status=running]
says: no such item. Any ideas?
Thanks, you've made my day. I had totally broken my mind trying it.
That is not container start command. Post typo?
Error message indicates find did not return any result for filters in arguments and shell command doesn't have argument item from return of find command.
Also there was a change in 7.20 ROS version, there is no longer status property for containers, now there are boolean properties as flags which indicates container status: stopped, stopping, starting and running (only one can be true), so proper command for ROS 7.20+ will be in this case /container shell [find interface=AMNEZIAWG running]. Btw, filtering by running status is not necessary, shell command will fail in case when container is not running, error message will be more descriptive in such case (container not running VS no such item).
Oh, goodness me!!! NO a thousand times NO!!! Mikrotik, hold the line on this juvenile request.
The reason is that this is AFAICS a proprietary thing and if this is accepted then we end up with dozens of proprietary protocols and I really do not want the bloat on my Mikrotik router. If anyone wants this, they should put it on a machine in their network and leave the rest of us out of this.
Definitely not proprietary, open source project ( Amnezia VPN · GitHub ), its modified source is forked from Wireguard. While maintainers are offering cloud hosted solution for some fee, its usage is not restricted when self hosted.
Similar thing is already provided by ROS with separate package - ZeroTier. Nobody is complaining for bloat regarding it, one can choose if will install package or not.
We meet again, and being consistent, I cannot agree with much that you type when it comes to opinions......... not only is it open project but the latest variant V2, can be installed and can work with clients using version2, and will work with clients on the same interface using V1 and will work with clients on the same interface using Standard Wireguard. No bloat, just efficient processing and interoperability and providing many folks the ability to conduct vpn processing, in countries suppressing their freedoms.
So put it on the ultimate client machine. If the protocol can go through all of the internet, it can go through the user’s router. I am not agin the protocol, and the benefits of VPN, but I think that we are better off having Mikrotik do routers.
Like this one: https://mikrotik.com/product/rds2216?
Wondering which OS is running on it…
Hey Optio, can I use that as a home NAS, to share photos/videos with family around the globe?
Not sure when my ISP will have a 100Gig internet though LOL
Just ask ISP to provide you ultimate internet connection.