Title: AmneziaWG obfuscation not working under aggressive DPI (ISP blocks handshake)

[azaglubockii-alt]

Is this urgent?

None

Host OS

Linux (Ubuntu/Debian)

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

docker-compose

What is the version of Gluetun

latest

What's the problem 🤔

Description:
Hi! I'm trying to use Gluetun with a custom AmneziaWG configuration to bypass strict DPI filtering in my region (the ISP blocks standard WireGuard and RuTracker).

The Issue:
Even with AMNEZIA_J1/J2 and AMNEZIA_H1/H4 parameters set, the connection cannot be established. The logs show a constant loop of i/o timeout during healthchecks.

Technical Details:

ISP Behavior: The ISP uses DPI to drop WireGuard handshakes. The official AmneziaWG desktop app works fine with these settings, but Gluetun fails.

Logs: WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout

Current Config snippet:

YAML
- WIREGUARD_IMPLEMENTATION=userspace
- AMNEZIA_J1=1612502235
- AMNEZIA_J2=1045234255
- AMNEZIA_H1=1
- AMNEZIA_H2=2
- AMNEZIA_H3=3
- AMNEZIA_H4=4
- WIREGUARD_MTU=1280
Question:
Is the current userspace implementation in Gluetun fully supporting the AmneziaWG "Junk" and "Magic" headers for obfuscation? It seems the packets are still being identified and dropped by the ISP's DPI. Are there any specific environment variables I might be missing to make the obfuscation effective?

Share your logs (at least 10 lines)

2026-03-01T06:37:58Z INFO [vpn] starting
2026-03-01T06:37:58Z INFO [firewall] allowing VPN connection...
2026-03-01T06:37:58Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:37:58Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:04Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:04Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:04Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:04Z INFO [vpn] stopping
2026-03-01T06:38:04Z INFO [vpn] starting
2026-03-01T06:38:04Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:04Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:04Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:11Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:11Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:11Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:11Z INFO [vpn] stopping
2026-03-01T06:38:11Z INFO [vpn] starting
2026-03-01T06:38:11Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:11Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:11Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:17Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:17Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:17Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:17Z INFO [vpn] stopping
2026-03-01T06:38:17Z INFO [vpn] starting
2026-03-01T06:38:17Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:17Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:17Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:23Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout
2026-03-01T06:38:23Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:23Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:23Z INFO [vpn] stopping
2026-03-01T06:38:23Z INFO [vpn] starting
2026-03-01T06:38:23Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:23Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:23Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:29Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout
2026-03-01T06:38:29Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:29Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:29Z INFO [vpn] stopping
2026-03-01T06:38:29Z INFO [vpn] starting
2026-03-01T06:38:29Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:29Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:29Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:35Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:35Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:35Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:35Z INFO [vpn] stopping
2026-03-01T06:38:35Z INFO [vpn] starting
2026-03-01T06:38:35Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:35Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:35Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:41Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:41Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:41Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:41Z INFO [vpn] stopping
2026-03-01T06:38:41Z INFO [vpn] starting
2026-03-01T06:38:41Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:41Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:41Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:47Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:47Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:47Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:47Z INFO [vpn] stopping
2026-03-01T06:38:47Z INFO [vpn] starting
2026-03-01T06:38:47Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:47Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:47Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:38:53Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:38:53Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:38:53Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:38:53Z INFO [vpn] stopping
2026-03-01T06:38:53Z INFO [vpn] starting
2026-03-01T06:38:53Z INFO [firewall] allowing VPN connection...
2026-03-01T06:38:53Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:38:53Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:39:00Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout
2026-03-01T06:39:00Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:39:00Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:39:00Z INFO [vpn] stopping
2026-03-01T06:39:00Z INFO [vpn] starting
2026-03-01T06:39:00Z INFO [firewall] allowing VPN connection...
2026-03-01T06:39:00Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:39:00Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:39:06Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2026-03-01T06:39:06Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:39:06Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:39:06Z INFO [vpn] stopping
2026-03-01T06:39:06Z INFO [vpn] starting
2026-03-01T06:39:06Z INFO [firewall] allowing VPN connection...
2026-03-01T06:39:06Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:39:06Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-03-01T06:39:12Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: startup check: all check tries failed: parallel attempt 1/2 failed: dialing: dial tcp4: lookup cloudflare.com: i/o timeout, parallel attempt 2/2 failed: dialing: dial tcp4: lookup github.com: i/o timeout
2026-03-01T06:39:12Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2026-03-01T06:39:12Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2026-03-01T06:39:12Z INFO [vpn] stopping
2026-03-01T06:39:12Z INFO [vpn] starting
2026-03-01T06:39:12Z INFO [firewall] allowing VPN connection...
2026-03-01T06:39:12Z INFO [wireguard] Connecting to 185.204.1.206:51820
2026-03-01T06:39:12Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.

Share your configuration

services:
  gluetun-final:
    image: qmcgaw/gluetun:latest
    container_name: gluetun-final
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - WIREGUARD_ENDPOINT_IP=185.204.1.206
      - WIREGUARD_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=REDACTED
      - WIREGUARD_PRIVATE_KEY=REDACTED
      - WIREGUARD_PRESHARED_KEY=REDACTED
      - WIREGUARD_ADDRESSES=10.0.0.2/32
      - WIREGUARD_IMPLEMENTATION=userspace
      - AMNEZIA_J1=1612502235
      - AMNEZIA_J2=1045234255
      - AMNEZIA_H1=1
      - AMNEZIA_H2=2
      - AMNEZIA_H3=3
      - AMNEZIA_H4=4
      - WIREGUARD_MTU=1280
      - DOT=off
      - DNS_ADDRESS=1.1.1.1
    restart: always

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[qdm12]

Not at this time, but you're in luck because #3150 is work in progress. I think you can already try it (see the PR for build instructions)

[qdm12]

Please subscribe to #2365 which this issue duplicates

[github-actions]

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.