Describe the bug
After installing an AmneziaWG (v2) server, the connection never completes the handshake. The client's AmneziaWG settings have the I1 ("Special junk 1") field populated with a value, but the server's generated config (/opt/amnezia/awg/awg0.conf) has the same I1 value commented out. Since the client sends packets using I1 obfuscation but the server doesn't expect/apply it, packets are silently dropped and the handshake never completes — no error is shown, the app just stays stuck on "Connecting...".
To Reproduce
- Add a new server in AmneziaVPN client (Windows) via SSH, using a fresh Ubuntu 22.04 VPS.
- Let the client install AmneziaWG (v2) automatically.
- Try to connect — the app stays on "Connecting..." indefinitely.
- On the server, run
docker exec -it amnezia-awg2 wg show — no "latest handshake" ever appears for the peer.
- On the server, run
docker exec -it amnezia-awg2 cat /opt/amnezia/awg/awg0.conf and compare the I1 line against the client's AmneziaWG settings screen (Settings → AmneziaWG → I1 – Special junk 1). The values match, but on the server it's commented out (# I1 = ...) while the client actively sends it.
- This was reproduced on 5 separate clean installs in a row (server rebuilt from scratch each time).
Expected behavior
The I1–I5 junk packet settings generated for the client should match what's actually enabled in the server's config. Either both should have I1 enabled, or the installer shouldn't disable it server-side after generating it client-side. The connection should establish a handshake successfully on first install without manual config editing.
Log files
tcpdump -ni any udp port <port> on the server during a connection attempt shows client packets arriving every ~5 seconds (WireGuard retry behavior) and being forwarded into the container's awg0/veth interfaces, but no reply packets are ever sent back.
Server config (awg0.conf), relevant lines (keys redacted):
PrivateKey = <REDACTED>
Address = 10.8.1.0/24
ListenPort = <SERVER_PORT>
Jc = 4
Jmin = 10
Jmax = 50
S1 = 98
S2 = 52
S3 = 33
S4 = 15
H1 = 664080018-1212358601
H2 = 1757041261-1858300431
H3 = 2044350858-2117832879
H4 = 2129609579-2138086604
# I1 = <r 2><b 0x858000010001000000000669636c6f756403636f6d0000010001c00c000100010000105a00044d583737>
# I2 =
# I3 =
# I4 =
# I5 =
[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 10.8.1.1/32
Client's I1 field (Settings → AmneziaWG) has the same value active (not commented), while I2–I5 are empty on both sides.
Screenshots
(attached separately — client's AmneziaWG settings page showing I1 populated)
Desktop (please complete the following information):
- OS: Windows
- Version: 4.8.19.0 (Jun 15 2026, 129ae44)
Server (please complete the following information):
- OS: Ubuntu 22.04.5 LTS
- Deployment: Docker-based install via AmneziaVPN client,
amnezia-awg2 container, AmneziaWG v2 protocol
Additional context
Manually clearing the I1 field in the client's AmneziaWG settings (so both client and server have I1 disabled) immediately fixed the connection — the handshake completed right after and wg show showed a valid "latest handshake". This looks like a reproducible bug in how the installer generates/syncs the I1–I5 obfuscation parameters between the client and server configs, not a one-off network issue — happened consistently across 5 clean reinstalls with different fresh VPS instances.
Describe the bug
After installing an AmneziaWG (v2) server, the connection never completes the handshake. The client's AmneziaWG settings have the I1 ("Special junk 1") field populated with a value, but the server's generated config (
/opt/amnezia/awg/awg0.conf) has the same I1 value commented out. Since the client sends packets using I1 obfuscation but the server doesn't expect/apply it, packets are silently dropped and the handshake never completes — no error is shown, the app just stays stuck on "Connecting...".To Reproduce
docker exec -it amnezia-awg2 wg show— no "latest handshake" ever appears for the peer.docker exec -it amnezia-awg2 cat /opt/amnezia/awg/awg0.confand compare theI1line against the client's AmneziaWG settings screen (Settings → AmneziaWG → I1 – Special junk 1). The values match, but on the server it's commented out (# I1 = ...) while the client actively sends it.Expected behavior
The I1–I5 junk packet settings generated for the client should match what's actually enabled in the server's config. Either both should have I1 enabled, or the installer shouldn't disable it server-side after generating it client-side. The connection should establish a handshake successfully on first install without manual config editing.
Log files
tcpdump -ni any udp port <port>on the server during a connection attempt shows client packets arriving every ~5 seconds (WireGuard retry behavior) and being forwarded into the container'sawg0/veth interfaces, but no reply packets are ever sent back.Server config (
awg0.conf), relevant lines (keys redacted):Client's I1 field (Settings → AmneziaWG) has the same value active (not commented), while I2–I5 are empty on both sides.
Screenshots
(attached separately — client's AmneziaWG settings page showing I1 populated)
Desktop (please complete the following information):
Server (please complete the following information):
amnezia-awg2container, AmneziaWG v2 protocolAdditional context
Manually clearing the I1 field in the client's AmneziaWG settings (so both client and server have I1 disabled) immediately fixed the connection — the handshake completed right after and
wg showshowed a valid "latest handshake". This looks like a reproducible bug in how the installer generates/syncs the I1–I5 obfuscation parameters between the client and server configs, not a one-off network issue — happened consistently across 5 clean reinstalls with different fresh VPS instances.