As the threat of advanced tracking and state-sponsored surveillance continues to grow, some privacy enthusiasts are looking for more protection in the form of multi-hop VPNs. If you consider the resources that surveillance agencies spend on de-anonymizing users, choosing a VPN service that provides a higher level of anonymity is a worthwhile consideration.
Multi-hop VPNs encrypt your connection across two or more servers (hops) before it exits to the regular Internet. Routing your traffic through two or more servers in different jurisdictions provides a higher level of privacy and security, even if one server is compromised.
In this guide, we explain why people use multi-hop VPNs and how they can help you achieve the highest levels of privacy and security. We will look at two different types of multi-hop VPN configuration:
- A single VPN service with a multi-hop configuration of two or more of its own VPN servers (commonly referred to as “cascading”).
- A multi-hop configuration (sometimes called a “nested chain”) involving two or more different VPN services in different locations.
Your threat model is the key factor when deciding whether you need a multi-hop VPN: how much privacy do you need in your particular situation?
Disclaimer: For most users, a multi-hop VPN is neither necessary nor worth the performance trade-off (higher latency and lower speed). A standard (single-hop) VPN setup with strong OpenVPN encryption, no leaks, and other privacy tools (secure browsers, ad blockers, etc.) should provide sufficient privacy and security.
However, for the truly paranoid, and for those seeking the highest level of online anonymity, there is the multi-hop VPN…
Monitoring and advanced online anonymity
A multi-hop VPN is a useful privacy tool against targeted surveillance and the other theoretical attack vectors discussed below. It may also be valuable for people at risk, such as journalists or dissidents living under an oppressive regime.
A key question is whether you can trust the data center where the VPN server is located.
VPN services rent or lease servers from data centers around the world to build their networks. These servers are fully encrypted, secured and controlled by the VPN provider, which prevents third parties from accessing sensitive user data and traffic.
What can the data center see of an encrypted VPN server?
Even if the VPN server is strongly encrypted, the data center (the hosting provider), or possibly an external state surveillance agency, may be able to monitor the incoming and outgoing traffic of the server.
While this may sound worrying, it is still very difficult for the data center (or a third party) to collect useful information, because:
- Traffic stays encrypted inside the VPN tunnel, and that encryption (256-bit OpenVPN) is currently considered unbreakable.
- It is very difficult to correlate outgoing traffic with incoming traffic. (In theory, the traffic of some users could be correlated through advanced statistical analysis of traffic patterns, but this remains very difficult.)
- Most VPNs use shared IP addresses: many users share a given server and all of their traffic is mixed together. (This is also why you should not “roll your own VPN” that only you will use.)
Although a standard single-hop VPN configuration is sufficient for most users, correlation of incoming and outgoing traffic is still possible, at least in theory.
Are data centers actually targeted for traffic-correlation attacks?
We have no way of knowing. In many cases, when the authorities want customer data, they simply go to the data center and physically seize the server:
- Perfect Privacy server seized in the Netherlands (no customer data affected)
- ExpressVPN server seized in Turkey (no customer data affected); also discussed in the ExpressVPN review
In other cases, some VPNs have cooperated with the authorities and handed over user information; see for example the IPVanish and PureVPN cases.
Multi-hop VPN cascading
The first type of multi-hop VPN we will look at is “cascading”, where traffic is encrypted across two or more VPN servers of the same provider.
One provider offering custom VPN cascades of up to four servers is Perfect Privacy. Here is a basic visual explanation of how a four-hop VPN cascade works:
In the figure above, before the traffic exits the VPN cascade to the regular Internet, the user’s apparent identity (IP address) changes at each hop and the traffic is re-encrypted (with 256-bit OpenVPN encryption, for example). At each hop, the new VPN server sees only the IP address and location of the previous VPN server, further obscuring and protecting the user’s true identity.
Perfect Privacy also makes some interesting points in their multi-hop VPN article:
This [traffic correlation] attack becomes more difficult through cascading connections, because although the ISP / eavesdropper still knows the user’s VPN entry node, it does not know from which server the traffic exits. He would need to monitor all VPN servers and guess which exit node the user is using. This makes it almost impossible to successfully identify users through traffic correlation.
In theory, an attacker could also gain physical access to a VPN server in a data center. In this case, he could perform a de-anonymization attack on the VPN user. Cascading connections prevent this attack vector: traffic cannot be read or correlated with incoming traffic because the user’s traffic is encapsulated in an additional encryption layer for each hop in the cascade.
The attacker would still see the outgoing encrypted traffic to another VPN server, but he cannot be sure whether this is an intermediate node or the exit node. In order to successfully intercept and decrypt the traffic, an attacker would need physical access to all hops in the cascade at the same time. If the hops are in different countries, this is practically impossible.
A multi-hop configuration with strong encryption, combined with other privacy tools such as a secure browser, gives you a high level of online anonymity and security.
Double-hop VPN servers are a distinctive feature of a few VPN providers.
With a double-hop VPN configuration, the first server sees your original IP address and the second server sees your outgoing traffic, but neither server has both your IP address and your outgoing traffic.
This setup should still perform well, and it provides a higher level of security and privacy than a single-hop setup.
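The property stated above (each hop sees either the client address or the destination, never both) can be shown with a small simulation. This is an added example, not code from this page or from any VPN provider; it stands in a toy SHA-256 keystream for OpenVPN’s real cipher, and the client address, hop names, keys and destination are constructed placeholders. It works for chains of any length, not just two hops.

```python
import hashlib
import json

# Toy keystream cipher (SHA-256 in counter mode). It only makes the layering
# visible in the demo; it is NOT a real VPN cipher and must not be reused.
def toy_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def wrap(chain: list, dest: str, payload: str) -> bytes:
    """Client side: the last hop's layer is innermost, so every hop peels
    exactly one layer and learns only the next address to forward to."""
    next_addrs = [name for name, _ in chain[1:]] + [dest]
    inner = payload.encode()
    for (name, key), nxt in zip(reversed(chain), reversed(next_addrs)):
        layer = json.dumps({"next": nxt, "inner": inner.hex()}).encode()
        inner = toy_xor(key, layer)        # add this hop's encryption layer
    return inner

def run_cascade(client_ip: str, chain: list, dest: str, payload: str) -> list:
    """Simulate the data center at each hop and record what an observer
    there can see: the previous address, the next address, and the payload
    (only readable at the exit hop)."""
    blob, src, observations = wrap(chain, dest, payload), client_ip, []
    for i, (name, key) in enumerate(chain):
        layer = json.loads(toy_xor(key, blob))   # peel one layer
        inner = bytes.fromhex(layer["inner"])
        is_exit = i == len(chain) - 1
        observations.append({
            "hop": name,
            "sees_from": src,                     # who handed us the traffic
            "sees_to": layer["next"],             # where we forward it
            "sees_payload": inner.decode() if is_exit else None,
            # True only if this single hop can tie the client to the site
            "links_client_to_site": src == client_ip and layer["next"] == dest,
        })
        src, blob = name, inner                   # hand on to the next hop
    return observations

# Constructed sample values: documentation IP range, placeholder hop names/keys.
CLIENT = "203.0.113.7"
KEYS = {"hop1-NL": b"key-hop1", "hop2-SE": b"key-hop2"}
SINGLE = run_cascade(CLIENT, [("hop1-NL", KEYS["hop1-NL"])], "example.com", "GET /")
DOUBLE = run_cascade(CLIENT, list(KEYS.items()), "example.com", "GET /")
```

With a single hop, the one server records both the client address and the destination; with two hops, neither observation contains both.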
Here are some VPNs offering a double-hop configuration that I have tested and found to work well:
- VPN.ac – $4.80 per month; based in Romania; 18 double-hop configurations (VPN.ac review)
- NordVPN – $2.99 per month (75% discount); based in Panama; 16 double-hop configurations (NordVPN review)
- VPNArea – $4.92 per month; based in Bulgaria; but currently only two double-hop configurations (VPNArea)
Performance: In my tests, I found that you can still get great speeds with some double-hop VPNs. Below is an example of how I achieved an 81 Mbps download speed using VPN.ac on a Germany > Canada connection. My baseline (non-VPN) speed is 100 Mbps (tested from Germany).
One disadvantage of the double-hop VPNs mentioned above is that they only offer static configurations. This means you cannot build your own multi-hop VPN from arbitrary servers on the network.
You can also create a double-hop VPN configuration with Perfect Privacy and ZorroVPN, but those configurations are self-configurable rather than static, as explained below.
Browser Extension + VPN Client with VPN.ac
Another useful privacy tool is a secure proxy browser extension, which can be used alongside the VPN application on the operating system. VPN.ac provides secure proxy browser extensions for Firefox, Chrome and Opera. The extension uses TLS (HTTPS) to encrypt all traffic in the browser and is fast and lightweight.
In the image below, you can see that I connected to the Swedish VPN server through the VPN.ac desktop application and also connected to the New York server through the browser proxy extension. Note the excellent speed despite the double encryption and the longer distance (from my location in Europe):
VPN.ac also offers double-hop proxy locations for the browser extension, just as it does for the VPN application. This means you can run a double-hop VPN connection in the desktop VPN application or a separate double-hop connection through your browser. Because the browser extension works independently (unlike most other VPN browser extensions), it can be combined with a different VPN service running in the desktop application.
Self-configurable multi-hop VPN
A self-configurable multi-hop VPN lets you choose each server in the VPN cascade yourself.
Perfect Privacy is the only provider that lets you create self-configurable VPN cascades of up to four hops directly in the VPN client. I tested this feature with the Windows and Mac OS clients for the Perfect Privacy review and found everything working.
Here is a four-hop VPN server cascade: Frankfurt >> Copenhagen >> Calais >> Malmö
With this configuration, your real identity and IP address are protected behind four different encrypted VPN servers.
Each website you visit sees only the server details of the last hop in the VPN cascade. You simply enable the multi-hop setting and then add or remove VPN servers dynamically in the VPN client. Here is a leak test confirming this:
You can also see that Perfect Privacy has provided me with both IPv4 and IPv6 addresses; it is one of the few VPNs offering full IPv6 support.
I also tested the speed of this four-hop configuration and got a download speed of 25 Mbps (on a 100 Mbps connection). Considering the higher latency and that traffic is re-encrypted at all four hops, this is not bad. (A double-hop configuration with nearby servers will be faster.)
Note: With Perfect Privacy, you can use self-configurable multi-hop cascades in the following:
- Windows VPN Manager application
- Linux VPN Manager application
- Mac OS application
- NeuroRouting function (explained below)
ZorroVPN is another option for four-hop VPN cascades.
ZorroVPN is a Belize-based provider that performed well in testing for the ZorroVPN review. Apart from the higher price, the main disadvantage of ZorroVPN is that they do not offer any custom VPN applications. This causes a few problems:
- You will need to use a third-party OpenVPN application such as Viscosity, Tunnelblick or another.
- You will need to create a multi-hop VPN server profile manually and then import that file into the VPN application. In other words, you cannot create or change multi-hop cascades directly in the VPN application, as you can with Perfect Privacy.
Another problem is that these third-party applications do not have built-in leak protection settings. You need to configure kill switches and leak protection manually on all devices.
ZorroVPN offers a good server selection and good performance. See the test results in the ZorroVPN review or visit their website.
Dynamic multi-hop VPN configuration (NeuroRouting)
NeuroRouting is the latest development in multi-hop connectivity and advanced security. It is a unique feature officially launched by Perfect Privacy in October 2017.
NeuroRouting is a dynamic multi-hop configuration that routes your traffic across many different server configurations in the network at the same time. My NeuroRouting post explains the feature in more detail, but the main points are:
- Dynamic – Your Internet traffic is routed dynamically across multiple hops in the VPN server network so that it takes the most secure route. Routing is based on TensorFlow, open-source machine learning software, and keeps your data inside the VPN network for as long as possible. Using TensorFlow, the network continuously learns the best and most secure route to a given website/server.
- Simultaneous – Every website/server you visit uses its own unique route. Visiting several different websites therefore gives you multiple different multi-hop configurations and IP addresses, each corresponding to the location of the web server and the last VPN server in the cascade.
- Server-side – The feature is activated on the server side, which means NeuroRouting is active whenever you connect to the VPN network (unless you disable it in the member dashboard). It therefore works on any device, from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) and with IPSec/IKEv2, which most operating systems support natively.
The figure below shows NeuroRouting in action: the user connects to the Icelandic VPN server and accesses four different websites located in different parts of the world.
I also created a NeuroRouting test page that demonstrates the use of multiple different IP addresses simultaneously on the network.
You can find out more about NeuroRouting here.
Multi-hop VPN chain with different VPN providers
Another option is to chain multiple VPN providers at the same time. This is sometimes referred to as a “VPN within a VPN” or a “nested chain” of VPNs.
This is a good option for protecting yourself against a potentially compromised VPN provider or a potentially compromised VPN server.
Here are a few ways to do it:
VPN 1 on the router > VPN 2 on the computer/device
This is a simple setup that uses a VPN on the router and then a different VPN service on the computer or device that connects through the VPN router. Choosing nearby servers helps minimize the performance impact of this setup.
VPN 1 on the computer (host) > VPN 2 in a virtual machine (VM)
This is another setup that is easy to run. Simply install VirtualBox (free), install and set up an operating system in the VM, then install and run the second VPN inside the VM. This setup also helps protect you from browser fingerprinting, because the VM presents a different operating system than the host.
Of course, you can also create virtual machines inside a virtual machine to add more links to the chain. (If you are new to virtual machines, there are plenty of videos online explaining setup and usage.)
Virtual machines are a great privacy and security tool because they let you create isolated environments for different purposes, also known as compartmentalization. In VirtualBox, you can create many different VMs with a variety of operating systems (such as Linux) that you can install for free. This also lets you easily create a fresh browser fingerprint with each VM while hiding the host’s fingerprint.
Note: Make sure to disable WebGL in Firefox in all VMs (see the instructions in the Firefox Privacy Guide, using about:config settings). This prevents graphics fingerprinting, since all VMs use the same graphics driver.
Conclusion on multi-hop VPN
A multi-hop VPN configuration is a great way to protect yourself against targeted surveillance, advanced monitoring and other threat scenarios. Even if a VPN server is compromised, a multi-hop VPN makes a traffic-correlation attack very difficult for the attacker.
If you are looking for the highest level of online anonymity, you can use multi-hop VPN “chains” with different providers in different locations. This is easy to do with a virtual machine using the free VirtualBox software.
One of the easiest ways to use a multi-hop VPN on all devices is Perfect Privacy’s NeuroRouting feature. Simply activate NeuroRouting in the Member Dashboard and it applies automatically to every device connected to the VPN, with any protocol and any application (because it is a server-side feature, not an application feature).
The following are the multi-hop VPNs I tested and found to work well.