Hello people! Correct me if I’m wrong, but the VPN fast mode doesn’t have cover traffic, right? Is there any way to mitigate this?
I thought about using the same entry node on many devices, hoping my ISP won’t be able to tell them apart, do you think that would work? Or is the traffic coming from different devices uniquely identifiable even if they go to the same entry node?
I kinda wish there was an option to add some noise or delays to fast mode (obviously off by default) like Mullvad and Windscribe have, that would be awesome!
Hi thanks for the questions! Fast mode doesn’t exactly use cover traffic from the mixnet mode. It uses a 2-hop tunnel-in-a-tunnel WireGuard design. Your traffic is doubly encrypted. NymVPN also uses AmneziaWG on the client, which adds decoy packets before the WireGuard handshake. This makes Fast mode much harder to detect or block via simple DPI rules, especially in censored networks.
Using the same entry node on multiple devices won’t really blur things together. If the devices are on different networks, your ISP will still see different source IPs. If they’re behind the same home NAT, the connections are still distinguishable via separate UDP source ports. No protocol trick can fully hide the fact that multiple connections exist.
As for traffic fingerprinting: in practice, ISPs reliably identifying what you’re doing inside an encrypted WireGuard tunnel via DPI is extremely hard and not known to be deployed at scale due to false positives.
That said, adding optional traffic shaping / padding to Fast mode / NOISE is something the team can (and likely will) explore in the future.
Thanks for the reply, very informative reading, and it’s good to know my ISP doesn’t necessarily know what I’m doing (a false sense of security is bad, but a false sense of insecurity also is).
Just to understand this better, does this mean that my ISP can also distinguish between different apps/types of traffic inside the WireGuard connection and detect separate UDP source ports? Or is this only the case for separate devices?
ISPs may be able to tell there are multiple VPN connections if there are multiple devices or multiple tunnels but can’t tell which apps are generating traffic inside the tunnel. All apps are made part of one encrypted UDP flow.
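To make the NAT and per-app points concrete, here is an added example (not NymVPN or WireGuard code; all IPs, ports and app names are constructed sample values) that models what an on-path observer such as an ISP records per UDP 5-tuple when two devices share one home NAT and a third device is on a different network. The observer can count tunnels, but the app labels never appear in anything it sees.

```python
"""Model of an on-path observer's view of several VPN tunnels to one entry node.
Added illustration; addresses use the RFC 5737 documentation ranges."""
from collections import defaultdict
from dataclasses import dataclass

ENTRY_NODE = ("198.51.100.10", 51820)  # constructed entry-node address and port
HEADER_OVERHEAD = 32                   # assumed fixed bytes added by encapsulation


@dataclass(frozen=True)
class OuterPacket:
    """What leaves the home router: only these fields are visible on the wire."""
    src_ip: str       # public IP after NAT (shared by every device behind it)
    src_port: int     # NAT-assigned UDP source port, distinct per tunnel
    dst: tuple        # entry node (ip, port)
    payload_len: int  # encrypted inner packet; contents are opaque


def tunnel(public_ip, nat_port, inner_packets):
    """Encapsulate a device's inner (app, size) packets into one outer UDP flow.
    The app name stays inside the ciphertext; only the size is observable."""
    return [OuterPacket(public_ip, nat_port, ENTRY_NODE, size + HEADER_OVERHEAD)
            for _app, size in inner_packets]


def observer_flows(packets):
    """Group packets by the UDP 5-tuple the ISP can see (protocol is always UDP)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src_ip, p.src_port, *p.dst)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p.payload_len
    return dict(flows)


def demo():
    # Laptop and phone share one home NAT (same public IP, different NAT ports);
    # the tablet is on mobile data and so has a different public IP.
    laptop = tunnel("203.0.113.7", 40001, [("browser", 1200), ("mail", 300), ("browser", 1200)])
    phone = tunnel("203.0.113.7", 40002, [("chat", 150)])
    tablet = tunnel("192.0.2.33", 12345, [("video", 1300)])
    return observer_flows(laptop + phone + tablet)


if __name__ == "__main__":
    for flow, stats in demo().items():
        print(flow, stats)
```

Three flows appear, one per tunnel, while the three apps on the laptop collapse into a single flow of three packets.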