Tools

Tools: Latest: Self-Hosted DPI-Bypass VPN on Oracle Cloud Always Free ARM

2026-04-16 0 views admin
Tools: Latest: Self-Hosted DPI-Bypass VPN on Oracle Cloud Always Free ARM

Prerequisites

Create the Ampere A1 instance

Open UDP/51820

SSH in and run the installer

Generate a client config

What if the default still gets blocked

Gotchas

Cost check If you're reading this from a place where stock WireGuard stopped working mid-2025, you already know the problem: ISPs fingerprint the WireGuard handshake and kill the tunnel in minutes. Iran, Russia, Turkmenistan, and a handful of other countries now DPI-filter WireGuard at carrier level. AmneziaWG is a fork that randomizes the parts of the protocol DPI uses to identify it — junk packets, randomized header hashes, CPS packets that mimic QUIC or DNS. Same crypto as WireGuard underneath, roughly 5-10% CPU overhead from the obfuscation work. I wrote amneziawg-installer to handle the server side in one bash command. v5.9.0 added prebuilt ARM kernel modules, so it now runs cleanly on Oracle Cloud's Ampere A1 — which Oracle gives away on the Always Free tier (up to 4 OCPU / 24 GB RAM at no cost). The combo is the cheapest self-hosted DPI-bypass VPN you can stand up: $0/month, about 10 minutes of work. Here's the setup, end to end. In the OCI console, go to Compute → Instances → Create instance. Click Create. The instance comes up in about a minute. Copy the public IP from the instance details page — that's your VPN endpoint. OCI's default security list blocks everything inbound except TCP/22. You need to let AmneziaWG traffic in. Go to Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List → Add Ingress Rule: Save. If you want a different VPN port, pass --port=<N> to the installer and match it here. That's the only network change you need. Total time: ~5-10 minutes on a 2-OCPU Ampere instance. At the end you get a summary with the endpoint, port, and the path to the first client config. This produces three things: Scan the QR with the AmneziaWG app on your phone and connect. curl ifconfig.me from the phone should return your Oracle IP. On a few mobile carriers — Yota, Tele2, Megafon in Moscow, and a handful of regional ISPs — the default Jc (junk packet count) is too aggressive and the handshake fails. The fix is to edit /etc/amnezia/amneziawg/awg0.conf on the server, drop Jc to 3 or 2, restart the service, and regenerate the client: Push the new config to the phone. Operator-by-operator tuning notes (which values worked where) are in ADVANCED.en.md. Total: $0. The only path to a paid setup is exceeding 10 TB egress per month, which is hard to do as a personal VPN. If you hit a carrier-specific issue, open an issue on the installer repo with the carrier name and region — those reports are how we got the mobile fixes in the 5.8.x branch. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ ssh ubuntu@<your-public-ip> -weight: 600;">sudo -i -weight: 500;">wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.9.0/install_amneziawg_en.sh chmod +x install_amneziawg_en.sh ./install_amneziawg_en.sh --yes ssh ubuntu@<your-public-ip> -weight: 600;">sudo -i -weight: 500;">wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.9.0/install_amneziawg_en.sh chmod +x install_amneziawg_en.sh ./install_amneziawg_en.sh --yes ssh ubuntu@<your-public-ip> -weight: 600;">sudo -i -weight: 500;">wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/v5.9.0/install_amneziawg_en.sh chmod +x install_amneziawg_en.sh ./install_amneziawg_en.sh --yes /root/awg/manage_amneziawg.sh add phone /root/awg/manage_amneziawg.sh add phone /root/awg/manage_amneziawg.sh add phone -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart awg-quick@awg0 /root/awg/manage_amneziawg.sh regen phone -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart awg-quick@awg0 /root/awg/manage_amneziawg.sh regen phone -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart awg-quick@awg0 /root/awg/manage_amneziawg.sh regen phone - Oracle Cloud account with Always Free tier enabled. Card is required for ID verification; you're not charged as long as you stay within free limits. - An SSH key pair. ssh-keygen -t ed25519 on your laptop if you don't have one. - The AmneziaWG client on your phone or desktop: iOS, Android, or the full Amnezia VPN client with vpn:// URI import on Windows/macOS/Linux. - Name: awg-vpn (or whatever you want). - Image: Canonical Ubuntu 24.04. The installer also supports 25.10, Debian 12 and 13, but 24.04 LTS is the least surprising. - Shape: VM.Standard.A1.Flex (Ampere ARM). Start with 2 OCPUs and 12 GB RAM. The free limit is 4/24, but Oracle has been aggressively reclaiming oversized idle instances since 2024. A 2/12 box has been stable for me for months. - Networking: create a new VCN if you don't have one, and assign a public IPv4. - SSH keys: paste the content of your ~/.ssh/id_ed25519.pub. - Source CIDR: 0.0.0.0/0 - IP Protocol: UDP - Destination Port Range: 51820 - OS check, base packages, kernel sysctl tweaks. The box reboots. - SSH back in and re-run the same script. On ARM it downloads a prebuilt .deb of the kernel module matching your running kernel. If your kernel is newer than the latest prebuilt, it falls back to DKMS automatically (slower, still works). - Second reboot. SSH back. One more re-run. Done. - /root/awg/clients/phone/phone.conf — the plain .conf file - A QR code printed to the terminal for scanning with the AmneziaWG mobile app - /root/awg/phone.vpnuri — a vpn:// URI for one-click import into the desktop Amnezia VPN client - Oracle reclaim policy. If your Ampere instance idles near 0% CPU for long stretches, OCI may flag it as unused and reclaim it. Running an active VPN is usually enough activity. If you're not using it much, a cron job like stress-ng --cpu 1 --timeout 60 a couple of times a week keeps the instance visible. - Kernel updates. When Ubuntu ships a new kernel, the AmneziaWG module rebuilds via DKMS on the next reboot — no manual steps, but if you had a prebuilt .deb match before, you may fall back to DKMS until the installer ships a newer matching module. - Don't use the stock WireGuard client. It silently ignores Jc, S1-S4, H1-H4, and I1-I5 — you'll connect, but in plain-WG mode, which is the thing DPI blocks. - IPv6. The installer disables host IPv6 by default on a VPN box. Pass --allow-ipv6 to keep it on. - Detection vs. blocking. AmneziaWG defeats rule-based DPI in real time. Sustained statistical analysis can probably still fingerprint obfuscated traffic given enough samples — that's a per-target surveillance cost model, not an ISP-level blocking model. For getting around the ISP blocking that's actually happening in Russia and Iran right now, per--weight: 500;">install randomization is what matters. - Oracle Always Free ARM: $0 for up to 4 OCPU / 24 GB RAM (or 2/12 as I recommend above) - AmneziaWG server: MIT, FOSS - amneziawg-installer: MIT, FOSS - Egress: 10 TB/month free on OCI - Installer: github.com/bivlked/amneziawg-installer (v5.9.0 is the ARM-support release) - AmneziaWG protocol: docs.amnezia.org/documentation/amnezia-wg - Upstream reference implementation: github.com/amnezia-vpn/amneziawg-go

🏷️ Tags

toolsutilitiessecurity toolslatesthostedbypassoraclecloudalways

More from Tools

Tools: Code Review Tools in 2025: What is Actually Useful vs What is Hype AI

Tools: Code Review Tools in 2025: What is Actually Useful vs What is Hype AI

2026-04-16 0
Tools: Essential Guide: Master Ansible Automation: Hands-on Labs for Shell, Script, and Apt Modules

Tools: Essential Guide: Master Ansible Automation: Hands-on Labs for Shell, Script, and Apt Modules

2026-04-16 0
Tools: Deploying to k8s with Terraform using GH Actions (2026)

Tools: Deploying to k8s with Terraform using GH Actions (2026)

2026-04-16 0
Tools: Update: Stop Using .env Files for Docker Secrets — Try This Instead

Tools: Update: Stop Using .env Files for Docker Secrets — Try This Instead

2026-04-16 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views