xabadak

No worries, and thanks for providing a response nonetheless. I'll look into your suggestion when I have the time. The official Wireguard website also had some guide on network namespaces here but afaik it didn't explain how to set it up persistently

Yeah TOR is an example of a mixnet. WHat I was talking about was a combination of your Scenario A and Scenario B, where you have a mixnet where everybody's traffic goes through multiple proxies, and many people are using each proxy, and you have padding and timing added to make sure traffic flows are consistent. As far as trusting nodes, you have to do that regardless of your set up. If you don't use any VPN, you have to trust your ISP. If you use a VPN like Mullvad, you have to trust Mullvad. If you use a mixnet, you have to trust that all your chosen proxies aren't colluding. So like you said, it's up to your own judgement and threat model.

Hypothetically, what if everybody in the world were using mixnets to obfuscate destination/origin, and then mullvad's DAITA to obfuscate traffic timing and size. Would netflow analysis be able to defeat that?

It all depends on how much you trust the devices on your LAN. So your ISP can't do anything unless they own and control your router, since that is on your LAN. So one concern might be if you connect your PC to coffee shop wifi, since all other devices in the shop are on the same LAN, not to mention the coffee shop owns the wifi router and can also perform the attack. Another concern might be if a family member in your house has a device that got hacked, then all devices in your house are vulnerable.

I think you both are talking past each other. You said "But if nobody else is using those same endpoints." but @[email protected] said "There’s plenty of people who are going to be renting VPSes and will have their traffic originate from the same IP range as mine". Reading this thread, it seems like you both have different network setups in mind.

Do you know how to make it so all the host's traffic is sent through the VPN namespace? I couldn't figure out how to do this so I ended up just writing my own firewall. Network namespaces seems like a better solution.

I saw that but unfortunately it doesn't detail how to set it up persistently on every boot. And I also haven't seen anybody using this method, probably because of the lack of tooling around it. For example afaik the official Mullvad client on linux just uses a firewall.