
Releases: seb0ch/vpn

v0.2.2 — AmneziaWG kernel module rebuild helper

06 May 06:20


What's new

A new top-level script, rebuild-amneziawg.sh, rebuilds and reloads the AmneziaWG kernel module after a host kernel upgrade, i.e. when the previously-built .ko no longer matches the running kernel.

Workflow

docker compose stop amneziawg
sudo ./rebuild-amneziawg.sh
docker compose start amneziawg

The script builds the module in a one-shot Ubuntu container matching uname -r, validates the resulting .ko (modinfo), atomically replaces the installed module, and auto-rolls-back from a backup if modprobe fails.

Highlights

  • Atomic install — extracts to ${MODULE_PATH}.new, validates with [[ -s ]] and modinfo, then mv -f. A SIGINT mid-stream cannot leave a corrupt .ko in place.
  • Backups outside /lib/modules — stored in /var/backups/amneziawg-kmod/<kver>/ so depmod never has to consider them. Atomic write via .partial + mv. Rotation keeps the 3 most recent.
  • Vermagic-checked rollback — on modprobe failure, the script restores the most recent backup only after verifying its vermagic matches the running kernel. A backup built for a different kernel is refused, not silently restored.
  • Pre-flight checks — refuses to run while the amneziawg container is up; refuses if the module cannot be unloaded (with actionable hints); validates root, Docker, Ubuntu host, and VERSION_CODENAME.
  • Configurable APT mirrors — APT_MIRROR and APT_SECURITY_MIRROR env vars override the defaults inside the builder container.
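The install, backup and rollback sequence described above, as an added example that is not the project's rebuild-amneziawg.sh. It reproduces the same pattern on plain files in a scratch directory: the built module goes to <module>.new, is validated, and is renamed over the installed one; a backup is written outside the module tree via .partial + rename and rotated to the newest three; on a failed load the backup is restored only if its vermagic matches the running kernel. The constructed .ko files carry their vermagic string as the first line, read_vermagic stands in for modinfo -F vermagic, the load_module callable stands in for modprobe, and the backup file naming (0000.ko, 0001.ko, ...) is an assumption.

```python
import os
import shutil
import tempfile
from pathlib import Path

KEEP_BACKUPS = 3  # rotation depth named in the release notes


def read_vermagic(path):
    """Stand-in for `modinfo -F vermagic`: first line of our constructed .ko files."""
    with open(path) as f:
        return f.readline().strip()


def validate_module(path, kver):
    """[[ -s ]] plus modinfo: non-empty, and the vermagic starts with the running release."""
    p = Path(path)
    return p.is_file() and p.stat().st_size > 0 and read_vermagic(p).split()[:1] == [kver]


def backup_module(module_path, backup_root, kver):
    """Copy the installed .ko to <backup_root>/<kver>/ via .partial + rename; keep newest 3."""
    d = Path(backup_root) / kver
    d.mkdir(parents=True, exist_ok=True)
    existing = sorted(d.glob("*.ko"))
    seq = int(existing[-1].stem) + 1 if existing else 0   # assumed naming: 0000.ko, 0001.ko, ...
    final, partial = d / f"{seq:04d}.ko", d / f"{seq:04d}.ko.partial"
    shutil.copy2(module_path, partial)
    os.replace(partial, final)          # a backup is either complete or absent
    for old in sorted(d.glob("*.ko"))[:-KEEP_BACKUPS]:
        old.unlink()                    # rotation
    return final


def install_module(built_ko, module_path, backup_root, kver, load_module):
    """Atomic install with vermagic-checked rollback.

    `load_module(path) -> bool` stands in for `modprobe`. Returns the outcome as text.
    """
    module_path = Path(module_path)
    new_path = module_path.with_name(module_path.name + ".new")
    shutil.copy2(built_ko, new_path)                  # extract to ${MODULE_PATH}.new
    if not validate_module(new_path, kver):
        new_path.unlink()
        raise RuntimeError("built module failed validation; installed module untouched")
    backup = backup_module(module_path, backup_root, kver) if module_path.exists() else None
    os.replace(new_path, module_path)                 # mv -f: old or new .ko, never a torn one
    if load_module(module_path):
        return "installed"
    if backup is None:
        return "load failed, no backup to restore"
    if read_vermagic(backup).split()[:1] != [kver]:
        return "load failed, backup refused (vermagic mismatch)"
    shutil.copy2(backup, new_path)                    # restore through the same atomic path
    os.replace(new_path, module_path)
    return "rolled back"


def run_scenarios():
    """Three constructed runs in a scratch tree: refused rollback, success, rollback."""
    kver = "6.11.0-generic"
    outcomes = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ko = root / "lib/modules" / kver / "amneziawg.ko"
        ko.parent.mkdir(parents=True)
        ko.write_text("6.8.0-generic SMP mod_unload\nbuild A\n")   # left over from the old kernel
        backups = root / "var/backups/amneziawg-kmod"
        for label, loader in (("B", lambda p: False), ("C", lambda p: True), ("D", lambda p: False)):
            built = root / "build" / f"amneziawg-{label}.ko"
            built.parent.mkdir(exist_ok=True)
            built.write_text(f"{kver} SMP mod_unload\nbuild {label}\n")   # fresh build
            result = install_module(built, ko, backups, kver, loader)
            outcomes.append((result, ko.read_text().splitlines()[1]))
        outcomes.append(("backups kept", len(list((backups / kver).glob("*.ko")))))
    return outcomes


if __name__ == "__main__":
    for line in run_scenarios():
        print(line)
```

run_scenarios() walks the three outcomes in order: the module left over from the previous kernel is backed up but refused as a rollback target because its vermagic does not match, a good build installs cleanly, and a later build that fails to load is rolled back to the previous good one. The rollback reuses the .new + rename path, so an interrupted restore also cannot leave a partial .ko in place.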

Other changes

  • lib/common.sh gains log_warn.
  • README.md and README.ru.md document the kernel-upgrade workflow under Troubleshooting.

Full Changelog: v0.2.1...v0.2.2

v0.2.1 — Per-user Xray upstream chaining

06 May 05:47


What's new

Two new scripts under xray/ enable forwarding a specific user's traffic to another Xray server (proxy chaining), while other users continue to exit locally. AmneziaWG is unaffected.

                          ┌─▶ Internet  (other users exit here)
this server ─VLESS/REALITY┤
                          └─▶ upstream Xray ─▶ Internet  (chained user exits here)

New scripts

  • xray/add-upstream.sh <tag> <vless_url> — registers an upstream Xray server (parsed from the VLESS-REALITY link produced by the upstream's add-client.sh) as a vless+reality outbound. Maintains the freedom-first / blackhole-last invariant via stable sort. Rejects reserved tags direct and blocked.
  • xray/set-route.sh <user> <tag|direct> — adds or replaces a routing rule for the named client. direct removes the rule so the user falls through to the local freedom outbound.

Implementation details

  • Atomic config writes (tempfile + fsync + os.replace) preserving the existing file mode — a SIGINT or disk-full mid-write cannot leave a truncated config.json.
  • flock held across both the JSON write and the docker compose restart, so concurrent invocations (and concurrent add-client.sh runs) serialize cleanly.
  • Multi-inbound client lookup; group user: [...] rules are split correctly when one member is re-routed.
  • Identifiers validated via the existing validate_client_name helper.
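The add-upstream and set-route behaviour listed above, as an added Python example that is not the project's xray/add-upstream.sh or xray/set-route.sh. On a constructed config.json it registers an upstream parsed from a VLESS-REALITY link as a vless+reality outbound while keeping the freedom outbound first and blackhole last (stable sort), adds or replaces a per-user rule (splitting a group user: [...] rule), treats direct as removing the rule, and writes the file with tempfile + fsync + os.replace under flock while preserving its mode. The VLESS link shape, the outbound JSON layout (Xray's vless/reality outbound format), the NAME_RE pattern standing in for validate_client_name, and the restart callable standing in for docker compose restart are all assumptions.

```python
import fcntl, json, os, re, tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

RESERVED_TAGS = {"direct", "blocked"}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed shape of validate_client_name

def validate_client_name(name):
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")

def parse_vless_url(url):
    """vless://<uuid>@<host>:<port>?security=reality&sni=..&pbk=..&sid=..&fp=..#<name>"""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme != "vless" or q.get("security") != "reality":
        raise ValueError("not a VLESS-REALITY link")
    return {"id": u.username, "address": u.hostname, "port": u.port, "sni": q["sni"],
            "pbk": q["pbk"], "sid": q.get("sid", ""), "fp": q.get("fp", "chrome")}

def add_upstream(cfg, tag, vless_url):
    """Append a vless+reality outbound, keeping freedom first and blackhole last."""
    validate_client_name(tag)
    if tag in RESERVED_TAGS or any(o["tag"] == tag for o in cfg["outbounds"]):
        raise ValueError(f"tag {tag!r} is reserved or already registered")
    p = parse_vless_url(vless_url)
    cfg["outbounds"].append({
        "tag": tag, "protocol": "vless",
        "settings": {"vnext": [{"address": p["address"], "port": p["port"],
                                "users": [{"id": p["id"], "encryption": "none"}]}]},
        "streamSettings": {"network": "tcp", "security": "reality", "realitySettings": {
            "serverName": p["sni"], "publicKey": p["pbk"], "shortId": p["sid"],
            "fingerprint": p["fp"]}}})
    # stable sort: upstreams keep their registration order between freedom and blackhole
    cfg["outbounds"].sort(key=lambda o: {"freedom": 0, "blackhole": 2}.get(o["protocol"], 1))
    return cfg

def set_route(cfg, user, tag):
    """Add or replace the user's rule; `direct` drops it so the user falls through to freedom."""
    validate_client_name(user)
    # multi-inbound lookup: the client may sit in any inbound's clients list
    if not any(c.get("email") == user for ib in cfg["inbounds"]
               for c in ib.get("settings", {}).get("clients", [])):
        raise ValueError(f"unknown client {user!r}")
    if tag != "direct" and not any(o["tag"] == tag for o in cfg["outbounds"]):
        raise ValueError(f"unknown outbound tag {tag!r}")
    kept = []
    for r in cfg.get("routing", {}).get("rules", []):
        if r.get("user") and user in r["user"]:
            rest = [u for u in r["user"] if u != user]  # split a group rule
            if not rest:
                continue                                # sole member: drop the rule entirely
            r = {**r, "user": rest}
        kept.append(r)
    if tag != "direct":
        kept.append({"type": "field", "user": [user], "outboundTag": tag})
    cfg.setdefault("routing", {})["rules"] = kept
    return cfg

def write_config_atomic(path, cfg):
    """Tempfile in the same directory + fsync + os.replace, preserving the file mode."""
    path = Path(path)
    mode = path.stat().st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config.json.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(cfg, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # readers see the old or the new file, never a truncated one
    except BaseException:
        os.path.exists(tmp) and os.unlink(tmp)
        raise

def apply_route(path, user, tag, restart=lambda: None):
    """Hold flock across the JSON write and the (stand-in) compose restart."""
    with open(f"{path}.lock", "w") as lk:
        fcntl.flock(lk, fcntl.LOCK_EX)
        try:
            cfg = json.loads(Path(path).read_text())
            write_config_atomic(path, set_route(cfg, user, tag))
            restart()
        finally:
            fcntl.flock(lk, fcntl.LOCK_UN)

def demo():
    """Constructed config: two inbounds, one upstream, one pre-existing group rule."""
    cfg = {"inbounds": [{"settings": {"clients": [{"id": "u1", "email": "alice"}]}},
                        {"settings": {"clients": [{"id": "u2", "email": "bob"}]}}],
           "outbounds": [{"tag": "direct", "protocol": "freedom"},
                         {"tag": "eu1", "protocol": "vless"},
                         {"tag": "blocked", "protocol": "blackhole"}],
           "routing": {"rules": [{"type": "field", "user": ["alice", "bob"], "outboundTag": "eu1"}]}}
    add_upstream(cfg, "eu2", "vless://11111111-2222@203.0.113.10:443"
                 "?security=reality&sni=cloudflare.com&pbk=PUBKEY&sid=ab12&fp=chrome#eu2")
    restarts = []
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "config.json"
        path.write_text(json.dumps(cfg))
        path.chmod(0o640)
        apply_route(path, "alice", "eu2", restart=lambda: restarts.append(1))
        apply_route(path, "bob", "direct", restart=lambda: restarts.append(1))
        final = json.loads(path.read_text())
        mode = path.stat().st_mode & 0o777
    return {"tags": [o["tag"] for o in cfg["outbounds"]],
            "rules": [(r["user"], r["outboundTag"]) for r in final["routing"]["rules"]],
            "mode": mode, "restarts": len(restarts)}
```

Calling demo() shows the two invariants at work: the outbound list ends up as direct, eu1, eu2, blocked, and re-routing alice out of the shared alice+bob rule leaves bob with his own rule to eu1 until his later set-route to direct drops it. The config keeps its 0640 mode across the rewrite because the mode is copied onto the temp file before the rename, which is the detail that mkstemp's default 0600 would otherwise silently change.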

Documentation

README.md and README.ru.md document the new chaining workflow.

Full Changelog: v0.2.0...v0.2.1

0.2.0

06 Mar 00:57
6d8f694


Switch AmneziaWG from userspace to kernel module

AmneziaWG now runs as a kernel module (amneziawg.ko) instead of the Go-based userspace implementation (amneziawg-go), delivering better throughput and lower CPU overhead by handling encryption and tunneling entirely in kernel space.

What's new

  • Kernel module build via Docker - The module is compiled inside a disposable container matching the host's Ubuntu version and kernel headers. No build tools (gcc, make, headers) are installed on the host.

Breaking changes

  • Full re-deployment required. Running deploy.sh regenerates AmneziaWG and Xray configs and keys. All existing client configurations will be invalidated - clients must be re-added after upgrade.
  • Docker Compose template now requires /lib/modules:/lib/modules:ro volume mount and SYS_MODULE capability. The /dev/net/tun device is no longer needed.

0.1.0

06 Mar 00:57


Self-hosted privacy VPN stack — AmneziaWG + Xray REALITY + dnscrypt-proxy

Highlights

  • AmneziaWG — obfuscated WireGuard with random DPI-resistant parameters per deployment
  • Xray REALITY — VLESS proxy on port 443, disguised as HTTPS to cloudflare.com
  • dnscrypt-proxy — encrypted DNS (DNSCrypt/DoH) to Cloudflare & Google with DNSSEC
  • Zero pre-built binaries — everything compiled from source in multi-stage Docker builds

What's included

  • docker-install.sh — idempotent Docker + Compose installer (Ubuntu 24.04+)
  • deploy.sh — one-command server bootstrap (build, keygen, start)
  • add-client.sh / remove-client.sh — manage clients for both protocols at once
  • cleanup.sh — full teardown (containers, images, keys, configs)
  • Comprehensive README in English and Russian

Quick start

sudo ./docker-install.sh   # install Docker (skip if already installed)
sudo ./deploy.sh           # build & deploy the VPN stack
./add-client.sh myphone    # generate configs + QR codes