@trashpanda @ahf

Robust is a loaded word for WF defenses and attacks of any kind (heavily debated).

I like to think of it as Tor offering better protection than, say, plain WireGuard. It's easy for people to see attacks like website fingerprinting discussed on Tor and then be discouraged, when the alternatives are often much, much worse. If Tor/Nym/DAITA works for your circumstances, go for it!

As @ahf wrote in parallel, the Tor+VPN mixes are also controversial and complicated. It depends on so many factors, and you can come up with use cases for every combination that makes sense.

With Tor inside a VPN, say WireGuard, it's likely pretty well detected by anyone looking for it. First, you trivially detect WireGuard (packet headers), then you count the frequency of packets and observe that the distribution of packet sizes skews towards having a relationship to Tor's cell size (it'll be more choppy, over time, a pretty clear signal ... no AI needed).

If you want to hide your use of Tor (VPN or not), use anti-censorship tools (potentially within the VPN).

FWIW, I don't turn off my VPN when using Tor, but I'm also lucky enough not to have to worry about my ISP knowing when I use Tor or not as part of my threat model.

@trashpanda @ahf Hi, thanks for the ping and interest!

It isn't very easy to answer since things are a bit mixed up here and on the TorPlusVPN page.

Maybenot is a *framework* for traffic analysis defenses, meaning that what Maybenot can and cannot help with depends on what kind of defenses are running in the framework. As @ahf mentioned, what Arti can offer here is tbd as Arti relay hacking progresses further.

There is one significant deployment of Maybenot now with DAITA and Mullvad VPN, https://mullvad.net/en/vpn/daita . In DAITA, we aim to make Website Fingerprinting attacks harder, create fake activity when the VPN is not used (fake background traffic), and do some more general tweaks to WireGuard (constant-sized packets and mess with NetFlow, based on Tor's connection-level padding). Please note that DAITA is for VPN traffic, so the connections are long-lived and typically carry all traffic from a system. DAITA is also very much a work in progress, but we're shipping and iterating. To get an idea of where we're heading, stay tuned for the PDF of "Ephemeral Network-Layer Fingerprinting Defenses" at https://petsymposium.org/2026/paperlist.php soonish and see fun machine generation tooling at https://github.com/maybenot-io/maybenot (use https://github.com/maybenot-io/maybenot/tree/main/crates/maybenot-cli).

If you compare Tor and WireGuard/OpenVPN/SSH, Tor already does connection-level padding (mess with NetFlow as mentioned), chops traffic into fixed-sized cells, and creates many isolated short-lived circuits through the large and distributed Tor network. This should not be underestimated in terms of how it messes with *reliable* traffic analysis for network adversaries who want to figure out what you're doing in Tor. It's a significant bar.

Now to get closer to answering the question: would/could Maybneot + VPN/SSH make VPN/SSH fingerprinting harder? Short answer is yes, if you create machines for this purpose. I don't think Website Fingerprinting, as in the TorPlusVPN wiki is the most relevant threat here. WF is messy and rich in false positives. If the goal of the adversary here is to detect that you're using Tor within a VPN/SSH tunnel, this is more in line with all the cool work on anti-censorship, where Tor traffic is tunneled to hide the fact that Tor is used. The relevant fingerprinting attacks become, e.g., https://www.ndss-symposium.org/wp-content/uploads/2025-966-paper.pdf .

So the TL;DR: Hide using Tor? Use the cool anti-censorship tools! They are designed to make detecting Tor use difficult. Protect against someone fingerprinting what is done over Tor? Maybenot can help here in Arti in the future (DAITA helps today), but remember that Tor helps today as-is compared to regular VPN/SSH tunnels.