netbirdio
diff --git a/‎client/iface/configurer/amnezia_config.go‎
Lines changed: 21 additions & 0 deletions b/‎client/iface/configurer/amnezia_config.go‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎client/iface/configurer/usp.go‎
Lines changed: 58 additions & 20 deletions b/‎client/iface/configurer/usp.go‎
Lines changed: 58 additions & 20 deletions
diff --git a/‎client/iface/device/device_android.go‎
Lines changed: 2 additions & 1 deletion b/‎client/iface/device/device_android.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎client/iface/device/device_darwin.go‎
Lines changed: 10 additions & 8 deletions b/‎client/iface/device/device_darwin.go‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎client/iface/device/device_ios.go‎
Lines changed: 11 additions & 9 deletions b/‎client/iface/device/device_ios.go‎
Lines changed: 11 additions & 9 deletions
diff --git a/‎client/iface/device/device_netstack.go‎
Lines changed: 4 additions & 2 deletions b/‎client/iface/device/device_netstack.go‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎client/iface/device/device_netstack_test.go‎
Lines changed: 2 additions & 1 deletion b/‎client/iface/device/device_netstack_test.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎client/iface/device/device_usp_unix.go‎
Lines changed: 10 additions & 8 deletions b/‎client/iface/device/device_usp_unix.go‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎client/iface/device/device_windows.go‎
Lines changed: 10 additions & 8 deletions b/‎client/iface/device/device_windows.go‎
Lines changed: 10 additions & 8 deletions
@@ -0,0 +1,21 @@
+package configurer
+
+// AmneziaConfig describes AmneziaWG obfuscation parameters.
+// If nil or all fields are zero, it behaves as standard WireGuard.
+type AmneziaConfig interface {
+	IsEmpty() bool
+	GetJc() int32
+	GetJmin() int32
+	GetJmax() int32
+	GetS1() int32
+	GetS2() int32
+	GetH1() uint32
+	GetH2() uint32
+	GetH3() uint32
+	GetH4() uint32
+	GetI1() string
+	GetI2() string
+	GetI3() string
+	GetI4() string
+	GetI5() string
+}
@@ -41,15 +41,17 @@ type WGUSPConfigurer struct {
 	device           *device.Device
 	deviceName       string
 	activityRecorder *bind.ActivityRecorder
+	amneziaConfig    AmneziaConfig
 
 	uapiListener net.Listener
 }
 
-func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
+func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder, amneziaConfig AmneziaConfig) *WGUSPConfigurer {
 	wgCfg := &WGUSPConfigurer{
 		device:           device,
 		deviceName:       deviceName,
 		activityRecorder: activityRecorder,
+		amneziaConfig:    amneziaConfig,
 	}
 	wgCfg.startUAPI()
 	return wgCfg
@@ -69,7 +71,7 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 		ListenPort:   &port,
 	}
 
-	return c.device.IpcSet(toWgUserspaceString(config))
+	return c.device.IpcSet(c.toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
@@ -91,7 +93,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
+	if ipcErr := c.device.IpcSet(c.toWgUserspaceString(config)); ipcErr != nil {
 		return ipcErr
 	}
 
@@ -145,7 +147,7 @@ func (c *WGUSPConfigurer) RemoveEndpointAddress(peerKey string) error {
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
+	if ipcErr := c.device.IpcSet(c.toWgUserspaceString(config)); ipcErr != nil {
 		return fmt.Errorf("failed to remove peer: %s", ipcErr)
 	}
 
@@ -160,7 +162,7 @@ func (c *WGUSPConfigurer) RemoveEndpointAddress(peerKey string) error {
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	if err := c.device.IpcSet(toWgUserspaceString(config)); err != nil {
+	if err := c.device.IpcSet(c.toWgUserspaceString(config)); err != nil {
 		return fmt.Errorf("remove endpoint address: %w", err)
 	}
 
@@ -181,7 +183,7 @@ func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	ipcErr := c.device.IpcSet(toWgUserspaceString(config))
+	ipcErr := c.device.IpcSet(c.toWgUserspaceString(config))
 
 	c.activityRecorder.Remove(peerKey)
 	return ipcErr
@@ -208,7 +210,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	return c.device.IpcSet(toWgUserspaceString(config))
+	return c.device.IpcSet(c.toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
@@ -273,7 +275,7 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	return c.device.IpcSet(toWgUserspaceString(config))
+	return c.device.IpcSet(c.toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
@@ -399,23 +401,59 @@ func parseTransfers(ipc string) (map[string]WGStats, error) {
 	return stats, nil
 }
 
-func toWgUserspaceString(wgCfg wgtypes.Config) string {
+func (c *WGUSPConfigurer) toWgUserspaceString(wgCfg wgtypes.Config) string {
 	var sb strings.Builder
 	if wgCfg.PrivateKey != nil {
 		hexKey := hex.EncodeToString(wgCfg.PrivateKey[:])
 		sb.WriteString(fmt.Sprintf("private_key=%s\n", hexKey))
 
-		// write amneziawg settings here
-		// sorry for hardcode
-		sb.WriteString("jc=8\n")
-		sb.WriteString("jmin=50\n")
-		sb.WriteString("jmax=1000\n")
-		sb.WriteString("s1=30\n")
-		sb.WriteString("s2=32\n")
-		sb.WriteString("h1=567134433\n")
-		sb.WriteString("h2=1497534042\n")
-		sb.WriteString("h3=862417541\n")
-		sb.WriteString("h4=1695024432\n")
+		// Write AmneziaWG settings only if config is not empty
+		// If nil or empty, acts as standard WireGuard
+		if !c.amneziaConfig.IsEmpty() {
+
+			if val := c.amneziaConfig.GetJc(); val > 0 {
+				sb.WriteString(fmt.Sprintf("jc=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetJmin(); val > 0 {
+				sb.WriteString(fmt.Sprintf("jmin=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetJmax(); val > 0 {
+				sb.WriteString(fmt.Sprintf("jmax=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetS1(); val > 0 {
+				sb.WriteString(fmt.Sprintf("s1=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetS2(); val > 0 {
+				sb.WriteString(fmt.Sprintf("s2=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetH1(); val > 0 {
+				sb.WriteString(fmt.Sprintf("h1=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetH2(); val > 0 {
+				sb.WriteString(fmt.Sprintf("h2=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetH3(); val > 0 {
+				sb.WriteString(fmt.Sprintf("h3=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetH4(); val > 0 {
+				sb.WriteString(fmt.Sprintf("h4=%d\n", val))
+			}
+			if val := c.amneziaConfig.GetI1(); val != "" {
+				sb.WriteString(fmt.Sprintf("i1=%s\n", val))
+			}
+			if val := c.amneziaConfig.GetI2(); val != "" {
+				sb.WriteString(fmt.Sprintf("i2=%s\n", val))
+			}
+			if val := c.amneziaConfig.GetI3(); val != "" {
+				sb.WriteString(fmt.Sprintf("i3=%s\n", val))
+			}
+			if val := c.amneziaConfig.GetI4(); val != "" {
+				sb.WriteString(fmt.Sprintf("i4=%s\n", val))
+			}
+			if val := c.amneziaConfig.GetI5(); val != "" {
+				sb.WriteString(fmt.Sprintf("i5=%s\n", val))
+			}
+		}
 	}
 
 	if wgCfg.ListenPort != nil {
 
@@ -32,6 +32,7 @@ type WGTunDevice struct {
 	filteredDevice *FilteredDevice
 	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
+	amneziaConfig  configurer.AmneziaConfig
 }
 
 func NewTunDevice(address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
@@ -80,7 +81,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
 	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder(), t.amneziaConfig)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()
 
@@ -29,16 +29,18 @@ type TunDevice struct {
 	filteredDevice *FilteredDevice
 	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
+	amneziaConfig  AmneziaConfig
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, amneziaConfig AmneziaConfig) *TunDevice {
 	return &TunDevice{
-		name:    name,
-		address: address,
-		port:    port,
-		key:     key,
-		mtu:     mtu,
-		iceBind: iceBind,
+		name:          name,
+		address:       address,
+		port:          port,
+		key:           key,
+		mtu:           mtu,
+		iceBind:       iceBind,
+		amneziaConfig: amneziaConfig,
 	}
 }
 
@@ -62,7 +64,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder(), t.amneziaConfig)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()
 
@@ -31,17 +31,19 @@ type TunDevice struct {
 	filteredDevice *FilteredDevice
 	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
+	amneziaConfig  AmneziaConfig
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunFd int) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunFd int, amneziaConfig AmneziaConfig) *TunDevice {
 	return &TunDevice{
-		name:    name,
-		address: address,
-		port:    port,
-		key:     key,
-		mtu:     mtu,
-		iceBind: iceBind,
-		tunFd:   tunFd,
+		name:          name,
+		address:       address,
+		port:          port,
+		key:           key,
+		mtu:           mtu,
+		iceBind:       iceBind,
+		tunFd:         tunFd,
+		amneziaConfig: amneziaConfig,
 	}
 }
 
@@ -74,7 +76,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
 	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder(), t.amneziaConfig)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()
 
@@ -37,11 +37,12 @@ type TunNetstackDevice struct {
 	nsTun          *nbnetstack.NetStackTun
 	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
+	amneziaConfig  configurer.AmneziaConfig
 
 	net *netstack.Net
 }
 
-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string, amneziaConfig configurer.AmneziaConfig) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -50,6 +51,7 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 		mtu:           mtu,
 		listenAddress: listenAddress,
 		bind:          bind,
+		amneziaConfig: amneziaConfig,
 	}
 }
 
@@ -78,7 +80,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder(), t.amneziaConfig)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()
 
@@ -3,6 +3,7 @@ package device
 import (
 	"testing"
 
+	"github.com/netbirdio/netbird/client/internal/amneziawg"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -15,7 +16,7 @@ func TestNewNetstackDevice(t *testing.T) {
 	wgAddress, _ := wgaddr.ParseWGAddress("1.2.3.4/24")
 
 	relayBind := bind.NewRelayBindJS()
-	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr())
+	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr(), amneziawg.AmneziaConfig{})
 
 	cfgr, err := nsTun.Create()
 	if err != nil {
 
@@ -28,18 +28,20 @@ type USPDevice struct {
 	filteredDevice *FilteredDevice
 	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
+	amneziaConfig  configurer.AmneziaConfig
 }
 
-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
+func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, amneziaConfig configurer.AmneziaConfig) *USPDevice {
 	log.Infof("using userspace bind mode")
 
 	return &USPDevice{
-		name:    name,
-		address: address,
-		port:    port,
-		key:     key,
-		mtu:     mtu,
-		iceBind: iceBind,
+		name:          name,
+		address:       address,
+		port:          port,
+		key:           key,
+		mtu:           mtu,
+		iceBind:       iceBind,
+		amneziaConfig: amneziaConfig,
 	}
 }
 
@@ -65,7 +67,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder(), t.amneziaConfig)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()
 
@@ -33,16 +33,18 @@ type TunDevice struct {
 	filteredDevice  *FilteredDevice
 	udpMux          *udpmux.UniversalUDPMuxDefault
 	configurer      WGConfigurer
+	amneziaConfig   configurer.AmneziaConfig
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, amneziaConfig configurer.AmneziaConfig) *TunDevice {
 	return &TunDevice{
-		name:    name,
-		address: address,
-		port:    port,
-		key:     key,
-		mtu:     mtu,
-		iceBind: iceBind,
+		name:          name,
+		address:       address,
+		port:          port,
+		key:           key,
+		mtu:           mtu,
+		iceBind:       iceBind,
+		amneziaConfig: amneziaConfig,
 	}
 }
 
@@ -96,7 +98,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder(), t.amneziaConfig)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()