Naive and AmneziaWG: alternative protocols
When VLESS/Reality start getting fingerprinted, it helps to have a channel of a different nature. Naive and AmneziaWG are both non-Xray, come up as a separate service, and are handed to the client with their own config. Keep them as an emergency fallback. Enter your own data in the builder above.
This material is about engineering your own infrastructure and is educational in nature. Complying with the laws of your own jurisdiction is your responsibility.
Why you need protocols of "a different nature"
The logic is simple and proven many times over: several protocols of different natures = survivability. Reality got cut — the client has Naive or AWG, built on a completely different stack, and they don't fall under the same wave of blocks. Both protocols below are not Xray, the panel doesn't serve them natively in a subscription, they come up as a separate service and are handed to the client with their own config or link. Keep them as a fallback or a premium channel for a last resort.
NaiveProxy — camouflage as ordinary Chrome
Naive uses the Chromium network stack, so its traffic is indistinguishable from ordinary Chrome browsing — the same TLS fingerprint, HTTP/2, the same reaction to active probing. Fingerprinting it is very expensive, hence the nickname "king of camouflage." The downside — a separate service on Caddy, not in the panel, and you need your own domain with a cert.
The server is Caddy built with the forwardproxy plugin (the naive fork; grab the ready-made naiveproxy/caddy binary):
cat >/etc/caddy/Caddyfile <<'EOF'
{
order forward_proxy before file_server
}
:443, your-domain.com
tls admin@your-domain.com
route {
forward_proxy {
basic_auth USER STRONG_PASSWORD
hide_ip
hide_via
probe_resistance
}
file_server { root /var/www/html }
}
EOF
systemctl reload caddy
ufw allow 443/tcpBreaking down the key parts:
probe_resistance— responds like an ordinary site to a "poke," an active probe doesn't see the proxy.file_server { root /var/www/html }— a decoy site for everyone except the client with the correct password. Keep a plausible site there, like in selfsteal.basic_auth— the client's login and password, the same ones go into the client link.
Client: the string naive+https://USER:STRONG_PASSWORD@your-domain.com — imported into NekoBox/NekoRay, v2rayN (with naive support), Hiddify (via sing-box). Hand it out as a separate link, not through the panel subscription.
When to reach for it: top-tier camouflage under hard DPI, when Reality has been "caught" by a targeted fingerprint. Requires your own domain and cert.
AmneziaWG — obfuscated WireGuard
Ordinary WireGuard in RU is often cut by handshake signature — it has a recognizable profile. AmneziaWG (AWG) adds "junk" bytes and changes header constants, so DPI doesn't see WireGuard. Fast (the WG kernel), good on mobile.
The obfuscation parameters must match on server and client: Jc (number of junk packets), Jmin/Jmax (junk size), S1/S2 (junk in init/response), H1–H4 (custom header constants). If they diverge, the connection won't come up.
The easiest ways to stand it up:
- Self-hosted Amnezia — the Amnezia VPN installer brings up an AmneziaWG server in Docker itself and hands out the config/QR. The fastest path.
- On top of Cloudflare WARP (free) — AmneziaWG config generators (the site
warp2.llimonix.pwor the bot@warp_generator_bot) hand out a ready.conf, which you import into the AmneziaWG / Amnezia VPN client. - A manual server — the
amneziawg-tools/awgpackage (a wireguard-tools fork): the config is like an ordinary WG one plus theJc/Jmin/Jmax/S1/S2/H1..H4lines.
Client: the AmneziaWG app (iOS/Android/desktop) or Amnezia VPN; Hiddify can do AWG too. The config is handed over as a separate file or QR.
When to reach for it: mobile networks where both WG and VLESS get cut; a fast fallback of "a different type."
How to fold it into the service
Both are separate entry points, not part of the panel subscription. Ways to fold them in:
- A separate link or QR in the bot for the premium tier.
- An "emergency channel" you hand to clients during mass blocks, when the primary protocols are down.
The idea is the same as everywhere in this business: several different protocols keep the service alive. Reality is the foundation, Naive and AWG are a fallback of a different nature. How to build primary circumvention on Xray protocols — in the VLESS/Reality articles; here are two strong spare channels for when the main one gets caught.
Next guide 3x-ui: VLESS + Reality step by step → ↗ Article unclear or something off? Message me and I will help or fix it. @notrealvpn →