DPI systems can be active. They could intercept first (assuming handshake) packets and repeat them again sooner. Without the correct PRP-authentication, server won’t answer them, but repeated ones are still valid. In that case DPI will get the answer from the server, probably without noise padding and understand that it is GoVPN server’s handshake packet.
Time synchronization requirement could be used for preventing this. Client and server clocks must be synced together more or less. You enable it by specifying -timesync option with allowable time accuracy (time window width) in seconds.
Each handshake’s packet PRP authentication just XORed with current timestamp rounded to timesync number of seconds. Timesync option is higher: less clock synchronization accuracy required, but bigger time window of possible packet repeating.