bivlked's comments

One thing that bit me with LXC: anything that needs its own kernel module won't work. Jails have the same limitation — shared host kernel. Ran into this trying to run a VPN server (needs DKMS for a custom wireguard fork) in an LXC container — module can't load, period. Ended up on a full KVM VM.


I live in a country where ISPs actively block WireGuard through DPI. Regular WireGuard gets fingerprinted and blocked within minutes. AmneziaWG (https://github.com/amnezia-vpn/amneziawg-go) is a WireGuard fork that adds protocol-level obfuscation — randomized packet headers, junk data, QUIC mimicry - making it harder for DPI to detect.

Setting up AmneziaWG manually on a server is painful: build the kernel module via DKMS, generate obfuscation parameters, write configs, set up firewall rules... I kept doing this on fresh VPS installs and finally wrote a script to automate it.

The script does the full server setup - kernel module, obfuscation params, firewall, the works. It runs as a state machine so it survives the two reboots you need for DKMS. After that you manage clients with a separate script that spits out .conf files, QR codes, and vpn:// URIs for the Amnezia app.

Pure Bash, runs on Ubuntu 24.04/25.10 and Debian 12/13. MIT licensed.

This HN thread about Russia blocking WireGuard (https://news.ycombinator.com/item?id=39067213) was one of the things that motivated me.


Taking into account the DKMS + reboot + config setup, automation like this saves time and headaches. How stable has the obfuscation been over time — do ISPs eventually catch up?


Been running 2.0 on Russian DPI for a few months - works fine. The old version (1.x) randomized packet headers, but ISPs figured out that random bytes are themselves a fingerprint and started throttling (~3 Mbit on some mobile ISPs here). 2.0 is smarter - packets mimic actual QUIC or DNS traffic instead of looking random. ISPs can't easily filter that without breaking real QUIC, which is half the internet at this point.


My first thought would be that randomized traffic would be the solution, but it makes sense that it stands out more than traffic that blends in by mimicking real stuff. Fingers crossed they won't figure it out quickly. I'll ask my friends if they are up to trying it; for now they are just using different VPNs.


The commitment to not requiring Google Play services is what makes this different from most privacy ROMs. The real question is whether the app ecosystem holds - banking apps and 2FA are always the pain point that pushes people back to stock Android.


I've been tempted by NixOS for servers but keep going back to Debian. The reproducibility is amazing in theory, but when you need to debug a DKMS kernel module build at 2am on a VPS, having "just apt install" is worth a lot. Maybe NixOS for dev workstations, Debian for production VPS is the right split.


The reproducibility is amazing in reality: you either just run the misbehaving server's config in a VM (one command) or spin up a throwaway VPS and apply the config to that (one command and about 60s). One of the major benefits of reproducibility is not having to poke at production machines because that's the one place you can manifest the issue; now you can reproduce the in-production issues in a safe environment and fix them there.


I think the most interesting use case I have seen so far was for computers that control industrial equipment where you want identical installs on potentially dozens of machines.


One thing I wish more CLI tools did: non-interactive mode. I build bash tools that have interactive prompts for first-time users, but everything the prompt asks also has a CLI flag. It makes scripting and CI/CD so much simpler - you can test the exact same code path without mocking stdin.


Ran into this with UFW + Cloudflare on a VPS. I had a rule in UFW that should have been denying a range, but Cloudflare was proxying the request so UFW saw Cloudflare's IP instead of the client's. It took me way too long to figure out.

the "first match wins" vs "most specific wins" difference between systems is brutal when you're debugging at 2am.


I self-host wireguard on a VPS for this exact reason. $5/mo and I know exactly what's running. The setup takes some effort but after that it's basically zero maintenance.

The bigger issue with browser VPNs for me is that they don't help against DPI at all. I'm in a country where the ISP fingerprints wireguard traffic and drops it - a browser VPN connecting to a known mullvad endpoint gets blocked just as fast. You need protocol-level obfuscation for that, which is a completely different problem.

