5

Let's say I have a PC and a smartphone, both connected to my home router.

Scenario #1. The PC and the smartphone each have a VPN client installed. Both devices connect to the same VPN server using the same VPN protocol. The router itself is not configured to use VPN.

Scenario #2. The PC and the smartphone don't have any VPN client installed. Rather, the home router is a VPN gateway, which tunnels all traffic through the VPN.

A local passive eavesdropper (e.g., ISP), seeing outgoing and incoming traffic, tries to tell how many devices (behind the router) are currently generating traffic. Is this possible in each of the scenarios?

isp nat
  • Welcome! I believe this question is perhaps better suited to Network Engineering Exchange. Whilst people here know networking, this is a place for security. And realistically this question is a networking question. –  Jun 06 '18 at 09:28
  • Isn't device fingerprinting and enumeration security-related? – forest Jun 07 '18 at 13:26

1 Answer

5

If both devices have their own connection to the VPN, this can probably be detected at the ISP level. While the details vary between VPN protocols, it should, for example, be possible to detect key exchanges with multiple inside devices in the case of IPsec or OpenVPN, and independent TCP connections with a TLS-based VPN. Even if a single device has no permanent connection to the VPN endpoint (as with a VPN-ish thing like SOCKS) and always creates a new TCP connection, it might be possible to detect different devices with some heuristics based on OS characteristics, TCP timestamps or similar.

If instead the starting point of the VPN is not each client system but only the shared router, then counting how many systems are behind the router is much harder. One might try to do a flow analysis of the VPN traffic, though, and deduce from the behavior (timing, packet direction, packet sizes, traffic bursts...) whether this looks like a single user surfing the web or more like multiple users in parallel. The more traffic is analyzed and the longer the time frame of the captured traffic, the more accurate this result will probably be.

Steffen Ullrich
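The TCP-timestamp heuristic mentioned in the answer, as an added example that is not part of the original answer: it groups outer TCP connections by the clock offset implied by their TSval option, and shows why per-connection randomised offsets defeat the count. The function name, the 1000 Hz tick rate, the tolerance and both sample captures are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed capture: (seconds since capture start, connection id, TSval).
# Assumed setup: two hosts behind NAT, each with one global timestamp clock.
SAMPLE = [
    (0.0, "c1", 500_000), (0.5, "c1", 500_500), (1.0, "c2", 501_000),
    (0.1, "c3", 9_200_100), (0.9, "c3", 9_200_900), (1.4, "c4", 9_201_400),
    (2.0, "c2", 502_000),
]

# Same two hosts, but every connection carries its own random offset
# (Linux behaviour with net.ipv4.tcp_timestamps=1). Constructed values.
RANDOMISED = [
    (0.0, "c1", 77_000_000), (0.5, "c1", 77_000_500),
    (1.0, "c2", 3_100_000), (2.0, "c2", 3_101_000),
    (0.1, "c3", 910_000_100), (0.9, "c3", 910_000_900),
    (1.4, "c4", 42_001_400),
]


def estimate_hosts(observations, hz=1000, tolerance_ticks=50):
    """Cluster connections whose TSval clocks imply the same start offset.

    For a host with one global clock ticking at `hz`, TSval - hz * t is
    constant across all of its connections (up to jitter).
    """
    per_conn = defaultdict(list)
    for t, conn, tsval in observations:
        per_conn[conn].append(tsval - hz * t)

    # One representative (median) offset per connection.
    offsets = {c: sorted(v)[len(v) // 2] for c, v in per_conn.items()}

    clusters = []  # each entry: [last offset seen, [connection ids]]
    for conn, off in sorted(offsets.items(), key=lambda kv: kv[1]):
        if clusters and abs(off - clusters[-1][0]) <= tolerance_ticks:
            clusters[-1][0] = off
            clusters[-1][1].append(conn)
        else:
            clusters.append([off, [conn]])
    return [sorted(conns) for _, conns in clusters]


if __name__ == "__main__":
    print("global clocks:     ", estimate_hosts(SAMPLE))
    print("randomised offsets:", estimate_hosts(RANDOMISED))
```

With randomised offsets the clusters correspond to connections rather than hosts, so this particular signal no longer separates devices; the flow-level signals the answer lists (timing, sizes, bursts) are unaffected by that setting.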