When VPNs first came on the scene, it used to be that OpenVPN TCP using port 443 was the best choice for hiding VPN use from your ISP, because, at least on the surface, your connection looked like a regular encrypted https connection that would blend in with all the other https connections at a public Wi-Fi and would just look like a regular https connection coming from your house. Only if the ISP did deep packet inspection could they tell that you are using a VPN. So 2 questions:
Is this still true?
In present day (Dec 2025), will using WireGuard (the protocol on Nym and soon to be the only protocol on Mullvad) make it more likely that my ISP will know I’m using a VPN than if I’m using OpenVPN TCP through port 443? Or have ISPs advanced to the point that it’s impossible to hide VPN use from them?
Many ISPs seem to be using DPI that can fingerprint both OpenVPN and WireGuard. WireGuard by itself is somewhat more distinguishable than OpenVPN, from what I see online, but NymVPN gets around this with extra transport layers. For example, Nym offers both Anonymous Mode and QUIC Transport Mode. QUIC wraps WireGuard in additional layers that make the traffic much harder to classify. QUIC in particular helps your connection blend in with normal HTTP/3-style flows. Nym’s WireGuard implementation is also configured as WireGuard with a 2-hop tunnel-in-a-tunnel setup:
2-hop: Your traffic is routed through two separate WireGuard nodes. The first node may see your IP address but has no visibility into your online activities, as all traffic is fully encrypted. The second node can see your online activity but cannot identify who you are.
Tunnel-in-a-tunnel: Traffic from your device is doubly encrypted using an “onion” encryption model. The first node decrypts only the outer layer, and the second node decrypts the final layer before sending the traffic to its destination. Traditional 2-hop WireGuard setups don’t provide this added layer of privacy, potentially revealing more information to the first node.
AmneziaWG: NymVPN incorporates AmneziaWG (client-side), adding an extra layer of protection against censorship. By introducing decoy packets before the handshake initiation message, AmneziaWG disrupts simple rules often used to detect WireGuard traffic, making it harder for censorship mechanisms to identify and block connections. This ensures not only enhanced privacy but also greater reliability in restrictive environments.
You can read more about NymVPN’s implementation of WireGuard in this blog post.
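As an added illustration (not code from the post, from Nym, or from AmneziaWG) of the "simple rules" the AmneziaWG paragraph refers to: a toy DPI signature for the WireGuard handshake initiation message (type 1, three reserved zero bytes, fixed 148-byte length, as laid out in the WireGuard protocol description), showing that a rule which only inspects the first datagram of a UDP flow misses a handshake preceded by decoy packets, while a per-datagram rule still catches it. Packet bodies are constructed placeholders, not real handshakes.

```python
# Toy DPI rule for the WireGuard handshake initiation message, and a
# comparison of "first packet only" vs "any packet" flow classification.
# All packet contents below are constructed locally; nothing is sent.
import random
import struct

# Handshake initiation layout (WireGuard protocol description):
# 1 byte type (0x01), 3 reserved zero bytes, then fixed fields = 148 bytes total.
WG_HANDSHAKE_INIT_TYPE = 1
WG_HANDSHAKE_INIT_LEN = 148

# Seeded so that the constructed sample flows are reproducible.
_rng = random.Random(7)


def looks_like_wg_handshake_init(payload: bytes) -> bool:
    """Signature: exact length, type byte 1, reserved bytes all zero."""
    if len(payload) != WG_HANDSHAKE_INIT_LEN:
        return False
    msg_type, r1, r2, r3 = struct.unpack("<BBBB", payload[:4])
    return msg_type == WG_HANDSHAKE_INIT_TYPE and (r1, r2, r3) == (0, 0, 0)


def classify_first_packet(flow: list) -> bool:
    """Naive rule: decide from the first UDP datagram of the flow only."""
    return bool(flow) and looks_like_wg_handshake_init(flow[0])


def classify_any_packet(flow: list) -> bool:
    """Sturdier rule: flag the flow if any datagram matches the signature."""
    return any(looks_like_wg_handshake_init(p) for p in flow)


def make_handshake_init() -> bytes:
    """Constructed stand-in: correct header, random body (not a real handshake)."""
    return bytes([WG_HANDSHAKE_INIT_TYPE, 0, 0, 0]) + _rng.randbytes(WG_HANDSHAKE_INIT_LEN - 4)


def make_decoy() -> bytes:
    """Constructed decoy: random bytes of random length (kept below 148 here)."""
    return _rng.randbytes(_rng.randint(40, 140))


# Constructed sample flows: a plain WireGuard flow and one with decoys first.
PLAIN_FLOW = [make_handshake_init(), _rng.randbytes(96)]
DECOY_FLOW = [make_decoy(), make_decoy(), make_handshake_init(), _rng.randbytes(96)]

if __name__ == "__main__":
    for name, flow in (("plain", PLAIN_FLOW), ("decoy-prefixed", DECOY_FLOW)):
        print(f"{name}: first-packet rule={classify_first_packet(flow)}, "
              f"any-packet rule={classify_any_packet(flow)}")
```

Real DPI engines are more elaborate than this, which is why the post describes QUIC wrapping and the 2-hop design as additional layers rather than relying on decoys alone.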
A few years ago, before I had fibre, I was forced to get my Internet over the mobile LTE network using a roof antenna. Long story short, the ISP had a real downer on OpenVPN over UDP and throttled me mercilessly. I switched to OpenVPN over TCP and that improved things a bit but, compared to non-encrypted traffic, it was 1/6 of what it could be. Finally, I tried OpenVPN + TCP + Tunnelblick’s XOR. It was still OpenVPN over TCP but the XOR obfuscation meant that they no longer realised what it was, so I think they then placed my traffic into a “no idea what this is” category. I got around 1/3 of the full speed, which was probably the best I ever saw with encrypted traffic. I understood their POV, because wireless bandwidth is limited, but it was a bit of a cat and mouse game to see what I could achieve. I’m now on fibre and things are much more relaxed but I still use XOR obfuscation. QUIC, on the other hand, is not obfuscation, but is a cunning disguise, so has great potential, IMO.