The duress login shouldn't reveal that anything is happening, so they have no reason to suspect you're using such a feature at all. Thus there would be no reason to ask you to log in again, and even if they do, you can simply use the duress credentials a second time.

If they can monitor network connections, they can see the duress connections, too.

You don't need to make it take any network actions, but even if you wanted to do that you could just use TLS. It would easily blend in with all the other services that use TLS as part of their normal operation.

Won't be possible with ESNI, and regardless you could just use an inconspicuous domain name, for example by piggybacking on a common cloud service.