WireGuard is blocked by DPI in 10+ countries now. AmneziaWG 2.0 is a fork that makes the traffic look like random noise - DPI can’t tell it apart from normal UDP. Same crypto under the hood, negligible speed overhead.
I wrote an installer that handles the whole setup in one command on a clean Ubuntu/Debian VPS - kernel module, firewall, hardening, client configs with QR codes. Pure bash, no dependencies, runs on any $3/month box. MIT license.
Been running it from Russia where stock WireGuard stopped working mid-2025.
Referenced your comment in my top-level reply - you got the mechanism right. One thing worth adding on the statistical angle: building a baseline requires known AWG traffic to train on first. CPS (I1-I5) randomizes packet timing and cadence on top of headers, which makes even gathering that training data harder. Per-target surveillance is real but it’s a different threat model from what the tool addresses.