As the threats from advanced tracking and state-sponsored surveillance continue to grow, some privacy enthusiasts are looking for more protection in the form of multi-hop VPNs. If you consider the resources being spent by surveillance agencies to de-anonymize users, choosing a VPN service that offers a higher level of anonymity is indeed a valid consideration.
A multi-hop VPN simply encrypts your connection across two or more servers (multiple hops) before exiting onto the regular internet. Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security – even if one server were to be compromised.
In this guide we will explain why people are using multi-hop VPNs and how they can help you achieve the highest levels of privacy and security. We will examine two different types of multi-hop VPN setups:
- Multi-hop configuration using one primary VPN service and two or more VPN servers (often called a “cascade”).
- Multi-hop configuration involving two or more different VPN services and different locations (sometimes called a “nested chain”).
They key factor when considering whether you need a multi-hop VPN is your threat model. How much privacy do you need and want given your unique situation?
Disclaimer: For the vast majority of users, a multi-hop VPN is neither necessary nor worth the performance tradeoffs (increased latency and slower speeds). A standard (single-hop) VPN setup with strong OpenVPN encryption, zero leaks, and other privacy tools (secure browser, ad blocker, etc.) should give you more than enough privacy and security.
However, for the truly paranoid, and for those seeking the highest levels of online anonymity, there are multi-hop VPNs…
Surveillance and advanced online anonymity
A multi-hop VPN is a good privacy tool against targeted monitoring and other theoretical attack vectors we will discuss below. It may also be useful for those in dangerous situations, such as journalists or political dissidents living in oppressive countries.
One key question is whether you can trust the data center where the VPN server is located.
VPN services will rent or lease servers from data centers all over the world for their network. These servers will be fully encrypted, secured, and under control of the VPN provider, thereby preventing third-party access to sensitive user data and traffic.
What can the data center see with an encrypted VPN server?
Even with strong encryption of the VPN server, the data center (host) – or perhaps an external state surveillance agency – could potentially monitor incoming and outgoing traffic on the server.
While this may seem alarming, it would still be very difficult for the data center (or third party) to gather useful information because:
- The traffic remains encrypted on the VPN tunnel, which right now is considered to be unbreakable (256-bit OpenVPN).
- Correlating outgoing traffic with incoming traffic is extremely difficult. (Theoretically, traffic correlation for some users may be possible through advanced statistical analysis and studying traffic patterns, although this remains extremely difficult.)
- Most VPNs utilize shared IPs, with many users on a given server at the same time, with all traffic being mixed. (Note: this is also why you should not “roll your own VPN” that only you will be using).
Even though a standard, single-hop VPN configuration will be adequate for the vast majority of users, incoming/outgoing traffic correlation may still be possible – at least in theory.
Are data centers really being targeted for traffic correlation attacks?
We have no way to know for sure. In many cases when authorities wanted customer data, they simply went to the data center and physically seized the server:
- Perfect Privacy servers were seized in the Netherlands (no customer data was affected)
- ExpressVPN servers were seized in Turkey (no customer data was affected) – also discussed in the ExpressVPN review
Multi-hop VPN cascade
The first example of a multi-hop VPN we will examine is a “cascade” – where traffic is encrypted across two or more of the VPN’s servers.
One provider offering the ability to create custom VPN cascades with up to four servers is Perfect Privacy (review). Here is a basic visual explanation of how that would work using a four-hop VPN cascade:
In the picture above, the user’s identity is changed at every hop and re-encrypted using OpenVPN 256-bit encryption (for example), before the traffic exits the VPN cascade onto the regular internet. With every hop, the new VPN server only gets the previous VPN server’s IP address/location – further obscuring and protecting the user’s true identity.
Perfect Privacy also makes some interesting points in their multi-hop VPN article:
With a cascaded connection this [traffic correlation] attack becomes much more difficult because while the ISP/eavesdroper still knows the VPN entry node of the user, it does not know on which server the traffic exits. He would need to monitor all VPN servers and take a guess at which exit node the user is using. This makes it next to impossible to successfully identify users by traffic correlation.
Also it is theoretically possible that an attacker has physical access to the VPN server in the data center. In that case he can possibly execute a de-anonymization attack on the VPN user. A cascaded connection protects against this attack vector: Since the user’s traffic is encapsulated with an additional layer of encryption for each hop in the cascade, no traffic can be read or correlated with incoming traffic.
The attacker would still see outgoing encrypted traffic to another VPN server but he cannot determine whether this is a middle or exit node. To successfully intercept and decrpyt the traffic, the attacker would need to have physical access to all hops in the cascade simultaneously. This is practically impossible if the hops are in different countries.
Double-hop VPN servers are a unique feature with some VPN providers.
With a double-hop VPN configuration, the first server could see your originating IP address, and the second server could see your outgoing traffic, but neither server would have both your IP address and your outgoing traffic.
This setup should still offer decent performance and it will also offer a higher level of security and privacy over a single-hop setup.
There are a few VPNs offering double-hop configurations that I have tested and found to work well:
- VPN.ac – $4.80 per month; based in Romania; 18 double-hop configurations (VPN.ac review)
- NordVPN – $3.99 per month (with the 66% discount); based in Panama; 16 double-hop configurations (NordVPN review)
- VPNArea – $4.92 per month; based in Bulgaria; but only two double-hop configurations currently available (VPNArea review)
Performance: In my testing I have found that you can still get excellent speeds with some double-hop VPNs. Below is an example where I hit over 81 Mbps download speed with VPN.ac on their Germany > Canada connection. My baseline (non-VPN) speed was 100 Mbps (tested from Germany).
One drawback with the double-hop VPNs mentioned above is that they only offer static configurations. This means that you cannot configure your own unique multi-hop VPN using any server in the network.
Browser extension + VPN client with VPN.ac
Another useful privacy tool is a secure proxy browser extension, which can be combined with a VPN app on the operating system. VPN.ac offers a secure proxy browser extension for Firefox, Chrome, and Opera browsers. The extension encrypts all traffic within the browser using TLS (HTTPS) and is fast and light weight.
In the image below, you can see I’m connected to a VPN server in Sweden with VPN.ac’s desktop application, while also connected to a server in New York through the browser proxy extension. Notice the excellent speeds, despite the double encryption and longer distance (from my location in Europe):
Just like with their VPN application, VPN.ac also offers double-hop proxy locations for the browser. This means you could be running a double-hop VPN server connection on the desktop VPN app, and also a separate double-hop connection through the browser. Since the browser extension works independently (unlike most other VPN browser extensions), it can be combined with a different VPN service running on the desktop application.
Self-configurable multi-hop VPNs
A self-configurable multi-hop VPN allows you to individually select the servers in the VPN cascade.
Perfect Privacy is the only provider that allows you to create a self-configurable VPN cascades with up to four hops directly in the VPN client. I tested this feature out for the Perfect Privacy review with both the Windows and Mac OS clients and found everything to work well.
Here is a four-hop VPN server cascade: Frankfurt >> Copenhagen >> Calais >> Malmo
With this configuration, your true identity and IP address will be protected behind four different encrypted VPN servers.
Every website you visit will only see the server details of the last hop in the VPN cascade. You can simply enable the multi-hop configuration setting, and then dynamically add or remove VPN servers in the VPN client. Here is a leak test demonstrating this:
You can also see above that Perfect Privacy is providing me with both an IPv4 and IPv6 address – they are one of the few VPNs offering full IPv6 support.
I also tested this four-hop configuration for speed and got 25 Mbps download (on a 100 Mbps connection). This isn’t too bad considering the higher latency and traffic being re-encrypted across all four hops. (A double-hop configuration with nearby servers would have been faster.)
Note: With Perfect Privacy, you can use self-configurable multi-hop cascades with:
- Windows VPN Manager app
- Linux VPN Manager app
- Mac OS app
- NeuroRouting feature (explained below)
Another option for a four-hop VPN cascade is with ZorroVPN.
ZorroVPN is a Belize-based provider that did well in testing for the ZorroVPN review. Aside from the higher price, the main drawback with ZorroVPN is that they do not offer any custom VPN applications. This causes a few issues:
- You will need to use third-party OpenVPN applications, such as Viscosity, Tunnelblick, or others.
- You will need to manually create the multi-hop VPN server configuration file, and then import the file into your VPN application. In other words, you can’t simply create or change a multi-hop cascade directly in the VPN app, such as with Perfect Privacy.
The other issue here is that none of these third-party applications come with built-in leak protection settings. You will need to configure a kill switch and leak protection manually for all devices.
Dynamic multi-hop VPN configurations (NeuroRouting)
NeuroRouting is a dynamic, multi-hop configuration that allows you to simultaneously route your traffic across numerous unique/different server configurations in the network. This feature is explained more in my NeuroRouting post, but here are the main points:
- Dynamic – Your internet traffic is dynamically routed across multiple hops in the VPN server network to take the most secure route. The routing path is based on TensorFlow, an open source software for machine learning, and data remains in the network as long as possible. Being based on TensorFlow, the network continually learns the best and most secure route for a given website/server.
- Simultaneous – Each website/server you access will take a unique route. Accessing multiple different websites will give you numerous, unique multi-hop configurations and IP addresses at the same time, corresponding to the location of the website server and the last VPN server in the cascade.
- Server-side – This feature is activated server-side, meaning every time you access the VPN network, NeuroRouting will be active (unless you disable it from the member dashboard). This also means it will work on any device – from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) as well as IPSec/IKEv2, which can be used natively on most operating systems with an app.
The image below shows NeuroRouting in action, with the user connected to a VPN server in Iceland, while accessing four different websites located in different parts of the world.
I also created a NeuroRouting test page, which demonstrates how you can simultaneously utilize numerous different IP addresses in the network at the same time.
You can learn more about NeuroRouting here.
Multi-hop VPN chains with different VPN providers
Another option is to create chains using more than one VPN provider at the same time. This is sometimes referred to as a “VPN within a VPN” or a “nested chain” of VPNs.
This is a good option for protecting users against a VPN that may be compromised, as well as a VPN server that may be compromised.
Here are a few different ways to do this:
VPN 1 on router > VPN 2 on computer/device
This is an easy setup with a VPN on a router and then using a different VPN service on your computer or device, which is connected through your VPN router. Choosing nearby servers will help minimize the performance hit with this setup.
VPN 1 on computer (host) > VPN 2 on virtual machine (VM)
This is another setup that can be run without much hassle. Simple install VirtualBox (free), install and setup the operating system within the VM, and then install and run a VPN from within the VM. This setup can also help protect you against browser fingerprinting by spoofing a different operating system from your host computer.
Of course, you could also create virtual machines within virtual machines, thereby adding more links onto the chain. (If you are new to virtual machines, there are many videos available online that explain setup and use.)
Virtual machines are a great privacy and security tool, since they allow you to create isolated environments for different purposes – also known as compartmentalization. Within VirtualBox, you can create numerous different VMs using various operating systems, such as Linux, which you can install for free. This also allows you to easily create new browser fingerprints with each additional VM, while also concealing your host machine’s fingerprint.
Note: Be sure to disable WebGL in Firefox with all your VMs (see the instructions in the Firefox privacy guide using about:config settings). This will prevent graphics fingerprinting since all the VMs will be using the same graphics driver.
Conclusion on multi-hop VPNs
A multi-hop VPN configuration is an excellent way to protect yourself against targeted monitoring, enhanced surveillance, and other threat scenarios. Using a multi-hop VPN will make traffic correlation attacks extremely difficult for an adversary, even if a VPN server were to be compromised.
If you are seeking the highest levels of online anonymity, you can utilize a multi-hop VPN “chain” with different providers and different locations. This can easily be done with virtual machines using the free VirtualBox software.
One of the simplest methods for using a multi-hop VPN on all devices would be to utilize the NeuroRouting feature from Perfect Privacy. Simply activate NeuroRouting from the member dashboard, and it will automatically be applied to all devices that connect to the VPN, with any protocol and any app (because it is a server-side feature, rather than an app feature).
Below are the multi-hop VPNs I’ve tested and found to perform well.
7 day money-back guarantee
Switzerland-based; up to 4 multi-hop connections (self-configurable); Tor access with all servers; no logs; advertisement and tracking blocker; NeuroRouting for all devices
7 day money-back guarantee
Belize-based; up to 4 multi-hop connections (self-configurable, but must import custom config files); Tor access with all servers; no logs; main drawback = no apps (must use third-part software)
7 day money-back guarantee
Romania-based; 18 different double-hop server configurations; connection logs (erased daily); many encryption options
(with this 66% off coupon)
30 day money-back guarantee
Panama-based; 16 different double-hop server configurations; no logs; ad-blocking
This article was revised and updated on 13 September 2018.