[eurasiantiger]

If they can monitor network connections, they can see the duress connections, too.

[shawnz]

You don't need to make it take any network actions, but even if you wanted to do that you could just use TLS. It would easily blend in with all the other services that use TLS as part of their normal operation.

[o-__-o]

https://serverfault.com/questions/574405/tcpdump-server-hell...

[shawnz]

Won't be possible with ESNI, and regardless you could just use an inconspicuous domain name, for example by piggybacking on a common cloud service.