AmneziaWG 2.0 HTTP API server for managing VPN clients. Kernel module + awg CLI, DPI obfuscation via CPS, Bearer token auth, JSON persistence. Single static binary. And ready to work with AI agents.


StealthSurf-VPN/awg-server


awg-server

HTTP API server for managing AmneziaWG 2.0 VPN clients. Uses the AmneziaWG kernel module on the host with the awg CLI tool — kernel-level performance with DPI obfuscation via CPS (Custom Protocol Signature).

Quick Install (Linux)

The following script installs AmneziaWG, downloads the latest awg-server binary, and gets you ready to run:

# 1. Install AmneziaWG kernel module (DKMS)
apt update && apt install -y software-properties-common linux-headers-$(uname -r)
add-apt-repository -y ppa:amnezia/ppa
apt update && apt install -y amneziawg

# 2. Install AmneziaWG tools (awg CLI)
apt install -y build-essential git
git clone https://github.com/amnezia-vpn/amneziawg-tools.git /tmp/amneziawg-tools
make -C /tmp/amneziawg-tools/src && make -C /tmp/amneziawg-tools/src install
rm -rf /tmp/amneziawg-tools

# 3. Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

# 4. Download latest awg-server
curl -fsSL https://github.com/stealthsurf-vpn/awg-server/releases/latest/download/awg-server-linux-$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') -o /usr/local/bin/awg-server
chmod +x /usr/local/bin/awg-server

# 5. Create data directory
mkdir -p /data

# 6. Create systemd service
cat > /etc/systemd/system/awg-server.service <<EOF
[Unit]
Description=AmneziaWG Server
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/awg-server
Restart=always
RestartSec=5

Environment=AWG_API_TOKEN=your-secret-token
Environment=AWG_ADDRESS=10.0.0.1/24
Environment=AWG_ENDPOINT=your.server.ip
Environment=AWG_JC=5
Environment=AWG_JMIN=50
Environment=AWG_JMAX=1000
Environment=AWG_S1=15
Environment=AWG_S2=15
Environment=AWG_H1=12345
Environment=AWG_H2=23456
Environment=AWG_H3=34567
Environment=AWG_H4=45678

[Install]
WantedBy=multi-user.target
EOF

# 7. Start and enable on boot
systemctl daemon-reload
systemctl enable --now awg-server

Check status:

systemctl status awg-server
journalctl -u awg-server -f

Prerequisites

Build

# Build for current platform
make build

# Build for all platforms (linux, darwin, windows × amd64, arm64)
make build-all

# Static analysis
make vet

# Clean build artifacts
make clean

Requires Go 1.24+. Binaries are output to dist/.

Deploy

Copy the awg-server binary to the VPN server and run:

AWG_API_TOKEN=your-secret-token \
AWG_ADDRESS=10.0.0.1/24 \
AWG_ENDPOINT=your.server.ip \
AWG_JC=5 AWG_JMIN=50 AWG_JMAX=1000 \
AWG_S1=15 AWG_S2=15 \
AWG_H1=12345 AWG_H2=23456 AWG_H3=34567 AWG_H4=45678 \
./awg-server

API

All endpoints require Authorization: Bearer <AWG_API_TOKEN>.

# List clients
curl http://localhost:7777/api/clients -H "Authorization: Bearer $TOKEN"

# Create client
curl -X POST http://localhost:7777/api/clients \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"my-client-uuid"}'

# Get client config (.conf)
curl http://localhost:7777/api/clients/my-client-uuid/configuration \
  -H "Authorization: Bearer $TOKEN"

# Delete client
curl -X DELETE http://localhost:7777/api/clients/my-client-uuid \
  -H "Authorization: Bearer $TOKEN"

Configuration

Environment variables:

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| AWG_API_TOKEN | yes | - | Bearer token for API auth |
| AWG_ADDRESS | yes | - | Server VPN address (CIDR), e.g. 10.0.0.1/24 |
| AWG_ENDPOINT | yes | - | Public IP/hostname for client configs |
| AWG_LISTEN_PORT | no | 51820 | WireGuard UDP port |
| AWG_HTTP_PORT | no | 7777 | HTTP API port |
| AWG_MTU | no | 1420 | MTU value |
| AWG_DNS | no | 1.1.1.1 | DNS for client configs |
| AWG_DATA_DIR | no | /data | Persistence directory |

AmneziaWG Obfuscation

| Variable | Description |
| --- | --- |
| AWG_JC | Junk packet count |
| AWG_JMIN / AWG_JMAX | Junk packet size range |
| AWG_S1 - AWG_S4 | Packet padding (init, response, underload, transport) |
| AWG_H1 - AWG_H4 | Packet headers (init, response, underload, transport) |
| AWG_I1 - AWG_I5 | CPS signature packets (AmneziaWG 2.0), e.g. <b 0xc000000001><r 1200> |

Architecture

main.go → config → awg (device, keygen) → clients (manager, storage) → api (server, handlers)
  • Kernel module: amneziawg-linux-kernel-module on host, awg CLI for management
  • Static binary: CGO_ENABLED=0, no external Go dependencies beyond golang.org/x/crypto
  • Persistence: via JSON file with atomic writes
  • IP allocation: sequential from .2, freed IPs reusable
  • Auth: Bearer token on all endpoints
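
The persistence and IP allocation bullets, sketched as an added example (not awg-server's own code; allocate, saveAtomic and the IP-to-name map layout are hypothetical). It assumes allocation starts at the address after the server's own and skips the last address in the subnet.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"os"
	"path/filepath"
)

// allocate returns the lowest free host address after the server's own
// (.2 for 10.0.0.1/24), so freed addresses are reused before the pool grows.
func allocate(serverCIDR string, used map[string]string) (string, error) {
	p, err := netip.ParsePrefix(serverCIDR)
	if err != nil {
		return "", err
	}
	for ip := p.Addr().Next(); p.Contains(ip); ip = ip.Next() {
		// The second condition skips the last address (IPv4 broadcast).
		if _, taken := used[ip.String()]; !taken && p.Contains(ip.Next()) {
			return ip.String(), nil
		}
	}
	return "", fmt.Errorf("no free address in %s", serverCIDR)
}

// saveAtomic writes JSON to a synced temp file, then renames it over path.
func saveAtomic(path string, v any) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".clients-*.tmp") // mode 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename succeeded
	if err = json.NewEncoder(tmp).Encode(v); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	used := map[string]string{"10.0.0.3": "bob"} // constructed state: .2 was freed
	ip, err := allocate("10.0.0.1/24", used)
	fmt.Println(ip, err, saveAtomic(filepath.Join(os.TempDir(), "clients.json"), used))
}
```

Because the temp file lives in the same directory as the target, the rename stays on one filesystem, and a crash mid-write leaves the previous clients file intact.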
