WireGuard is blocked by DPI in 10+ countries now. AmneziaWG 2.0 is a fork that makes the traffic look like random noise - DPI can’t tell it apart from normal UDP. Same crypto under the hood, negligible speed overhead.
I wrote an installer that handles the whole setup in one command on a clean Ubuntu/Debian VPS - kernel module, firewall, hardening, client configs with QR codes. Pure bash, no dependencies, runs on any $3/month box. MIT license.
Been running it from Russia where stock WireGuard stopped working mid-2025.
Keep in mind that the rule of law is questionable in many of these countries. While it may bypass blocking it might not bypass detection.
if they can detect it, why couldn’t they block it?
Blocking has to happen real-time on every packet — a DPI box needs a fixed pattern to match. AWG shifts its headers per install, so there’s no stable rule to write. Statistical detection (what litchralee described above) is possible but too slow and expensive to run inline at ISP scale - you’d need to collect and analyze flow data over hours before making a call. By then the connection is long gone.
Detection can happen at a later date