With all of the advancements in tracking and surveillance over the past ten years, do you think your VPN is still secure?
It is clear that surveillance agencies – from the UK to China and America – are developing advanced technology to de-anonymize users. So how do you protect yourself, when you’re not even sure how far advanced these capabilities are?
One powerful tool for maximum online anonymity is a multi-hop VPN chain (often called a cascade). This setup is basically a VPN tunnel across multiple different “hops” – or VPN servers – with each hop re-encrypting your data and providing you with a new IP address (identity).
In the picture above, the user’s identity is changed at every hop and re-encrypted using OpenVPN 256-bit encryption (for example), before the traffic exits the VPN chain onto the regular internet. With every hop, the new VPN server only gets the previous VPN server’s IP address/location – further obscuring/protecting the user’s true identity.
Using a multi-hop setup, along with strong encryption, and other privacy tools (such as a secure browser), provides you with an extremely high level of online anonymity and security.
Why use a multi-hop VPN chain?
When you connect to a VPN server, the server sees your IP address/location and where your traffic is going. That means if a server or data center were to be monitored (or the VPN itself was logging), everything you do while connected to that single VPN server could potentially be traced back to you.
This is the risk of targeted monitoring with a single VPN server setup.
Given that countries throughout the world are investing massive resources into surveillance technology every year, we should assume these capabilities are now very far advanced.
Let’s see how VPNs are keeping up with these developments.
With a double-hop VPN chain, the first server would get your originating IP address, and the second server would get your traffic, but neither server would have both your IP address and your traffic.
Using a double-hop server configuration is an excellent security and privacy measure, that should still offer good performance. There are a few VPNs offering double-hop configurations that I have tested and found to work well:
- VPN.ac – $4.80 per month; based in Romania; 18 double-hop configurations (read review)
- NordVPN – $3.29 per month (with this discount); based in Panama; 16 double-hop configurations (read review)
- VPNArea – $4.92 per month; based in Bulgaria; but only two double-hop configurations currently available (read review)
Note: in the last round of testing, VPN.ac’s double-hop configurations performed the best of all three. Here is one example of a double-hop configuration from Germany to Canada, where I still managed to get nearly 82 Mbps download (with a 100 Mbps connection).
You can still get excellent performance with a higher level of security and anonymity.
One drawback with the double-hop configurations mentioned above is that they are static. This means that you cannot configure your own multi-hop VPN chain using different servers in the network.
Self-configurable multi-hop VPNs
A self-configurable multi-hop VPN allows you to individually select the servers in the VPN chain. This means you can create new and unique VPN chains as often as you like.
Perfect Privacy is the only provider that allows you to create a self-configurable VPN chain with up to four hops. I thoroughly tested this feature out for the Perfect Privacy review and found it to work quite well with the Windows VPN Manager application.
Four hop VPN server chain: Frankfurt >> Copenhagen >> Calais >> Malmo
With this configuration, your true identity and IP address will be protected behind four different encrypted VPN servers.
Every website you visit will only see the server details of the last hop in the VPN chain. You can simply enable the multi-hop configuration setting, and then dynamically add or remove VPN servers to the chain, directly in the application.
Here is a leak test demonstrating this:
I also tested this four-hop configuration for speed and got 25 Mbps download (on a 100 Mbps connection). This is excellent considering the higher latency and traffic being re-encrypted at all four hops.
This is another example showing how you can still achieve decent performance while also achieving a high level of anonymity and security.
Note: With Perfect Privacy, you can use self-configurable multi-hop chains with:
- Windows VPN Manager app
- Linux VPN Manager app
- Mac OS app (BETA)
- NeuroRouting (explained below)
Another option for a four-hop VPN chain is with ZorroVPN.
ZorroVPN is a Belize-based provider that did well in testing for the review, but it has one main drawback. ZorroVPN does not offer any applications. This causes two issues:
- You will need to use third-party OpenVPN applications, such as Viscosity, Tunnelblick, or other third-party apps.
- You will need to manually create the multi-hop VPN server configuration file, and then import the file into your VPN application. In other words, you can’t simply create a multi-hop chain using the application, such as in the example above with Perfect Privacy.
The other issue here is that none of these third-party applications come with leak protection settings. You will need to configure a kill switch and leak protection manually for all devices.
Dynamic multi-hop VPN configurations (NeuroRouting)
The latest development in multi-hop connections and advanced security is NeuroRouting.
This feature was officially launched in October 2017 by Perfect Privacy after months of development and testing.
NeuroRouting is a dynamic, multi-hop configuration that allows you to simultaneously route your traffic across numerous unique/different server configurations in the network. It is explained more in my NeuroRouting post, but here are the main points:
- Dynamic – Your internet traffic is dynamically routed across multiple hops in the VPN server network to take the most secure route. The routing path is based on TensorFlow, an open source software for machine learning, and data remains in the network as long as possible. Being based on TensorFlow, the network continually learns the best and most secure route for a given website/server.
- Simultaneous – Each website/server you access will take a unique route. Accessing multiple different websites will give you numerous, unique multi-hop configurations and IP addresses at the same time, corresponding to the location of the website server and the last VPN server in the chain.
- Server-side – This feature is activated server-side, meaning every time you access the VPN network, NeuroRouting will be active (unless you disable it from the member dashboard). This also means it will work on any device – from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) as well as IPSec/IKEv2 (the built-in configuration for Mac OS and iOS).
This image shows NeuroRouting in action, with the user connected to a VPN server in Iceland, while accessing four different websites located in different parts of the world.
I also created a NeuroRouting test page, which demonstrates how you can simultaneously utilize numerous different IP addresses in the network at the same time.
A multi-hop VPN configuration is the best way to protect yourself against targeted monitoring and surveillance.
VPN chains are also useful solutions for nation-wide surveillance and/or censorship. You can choose your entry point of the VPN chain to be in your specific country (such as China), but then your exit point in a separate country. This setup helps to evade restrictions and national surveillance tactics.
The simplest solution for using a multi-hop configuration on all devices is with NeuroRouting. All you need to do is enable the feature in your member dashboard, which will activate server-side in about three minutes. Then, whenever you connect to the VPN with any device, all traffic will be routed over numerous hops dynamically.
RECAP: Multi-hop VPN providers
7 day money-back guarantee
Switzerland-based; up to 4 multi-hop connections (self-configurable); Tor access with all servers; no logs; advertisement and tracking blocker; NeuroRouting for all devices
7 day money-back guarantee
Belize-based; up to 4 multi-hop connections (self-configurable, but must import custom config files); Tor access with all servers; no logs; main drawback = no apps (must use third-part software)
7 day money-back guarantee
Romania-based; 18 different double-hop server configurations; connection logs (erased daily); many encryption options
(with this discount)
30 day money-back guarantee
Panama-based; 16 different double-hop server configurations; no logs; ad-blocking