Multi-Hop VPN Services

As the threats from advanced tracking and state-sponsored surveillance continue to grow, some privacy enthusiasts are looking for more protection in the form of multi-hop VPNs. If you consider the resources being spent by surveillance agencies to de-anonymize users, choosing a VPN service that offers a higher level of anonymity is indeed a valid consideration.

A multi-hop VPN simply encrypts your connection across two or more servers (multiple hops) before exiting on to the regular internet. Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security – even if one server were to be compromised.

In this guide we will explain why people are using multi-hop VPNs and how they can help you achieve higher levels of privacy and security. The key factor when considering whether you need a multi-hop VPN is your threat model. How much privacy do you need and want for your unique situation?

Disclaimer: For the majority of users, a multi-hop VPN may be overkill and not worth the performance tradeoffs (increased latency and slower speeds). A standard (single-hop) VPN setup with strong encryption, zero leaks, and other privacy tools (secure browser, ad/tracking blocker, etc.) should be adequate.

However, for those interested in achieving higher levels of privacy and security, there are multi-hop VPNs.

Surveillance and advanced online anonymity

A multi-hop VPN is a good privacy tool against targeted monitoring and other theoretical attack vectors we will discuss below. It may also be useful for those in dangerous situations, such as journalists or political dissidents living in oppressive countries.

One key question is whether you can trust the data center where the VPN server is located.

VPN services will rent, lease, or colocate servers in data centers all over the world for their network. These servers will be fully encrypted, secured, and under control of the VPN provider, thereby preventing third-party access to sensitive user data and traffic.

What can the data center see with an encrypted VPN server?

Even with strong encryption of the VPN server, the data center (host) – or perhaps an external state surveillance agency – could potentially monitor incoming and outgoing traffic on the server.

While this may seem alarming, it would still be very difficult for the data center (or third party) to gather useful information because:

• The traffic remains securely encrypted on the VPN tunnel, which right now is considered to be unbreakable (AES-256 encryption with the OpenVPN protocol, for example).
• Correlating outgoing traffic with incoming traffic is extremely difficult. Theoretically, traffic correlation for some users may be possible through advanced statistical analysis and studying traffic patterns. However, this remains difficult, especially on a large scale, even for powerful adversaries.
• Most VPNs utilize shared IPs, with many users on a given server (and IP address) at the same time, with all traffic being mixed. (Note: this is also why you should not “roll your own VPN” that only you will be using).

Even though a standard, single-hop VPN configuration will be adequate for the vast most users, incoming/outgoing traffic correlation may still be possible – at least in theory.

Are data centers really being targeted for traffic correlation attacks?

We have no way to know for sure. In many cases when authorities wanted customer data, they simply went to the data center and physically seized the server:

• Perfect Privacy servers were seized in the Netherlands (no customer data was affected)
• ExpressVPN servers were seized in Turkey (no customer data was affected) – as pointed out in my guide on no logs VPN services

In other cases, some VPNs have cooperated with authorities and handed over user information after being pressured by law enforcement agencies. These cases related to criminal investigations being conducted by US authorities. See for example the IPVanish logs case and also the PureVPN logging example.

Multi-hop VPN cascade

The first example of a multi-hop VPN we will examine is a “cascade” – where traffic is encrypted across two or more of the VPN’s servers.

One provider offering the ability to create custom VPN cascades with up to four servers is Perfect Privacy. Here is a basic visual explanation of how that would work using a four-hop VPN cascade:

In the picture above, the user’s identity is changed at every hop and re-encrypted using OpenVPN 256-bit AES encryption (for example), before the traffic exits the VPN cascade on to the regular internet. With every hop, the new VPN server only gets the previous VPN server’s IP address/location – further obscuring and protecting the user’s true identity.

Perfect Privacy also makes some interesting points in their multi-hop VPN article:

With a cascaded connection this [traffic correlation] attack becomes much more difficult because while the ISP/eavesdroper still knows the VPN entry node of the user, it does not know on which server the traffic exits. He would need to monitor all VPN servers and take a guess at which exit node the user is using. This makes it next to impossible to successfully identify users by traffic correlation.

Also it is theoretically possible that an attacker has physical access to the VPN server in the data center. In that case he can possibly execute a de-anonymization attack on the VPN user. A cascaded connection protects against this attack vector: Since the user’s traffic is encapsulated with an additional layer of encryption for each hop in the cascade, no traffic can be read or correlated with incoming traffic.

The attacker would still see outgoing encrypted traffic to another VPN server but he cannot determine whether this is a middle or exit node. To successfully intercept and decrpyt the traffic, the attacker would need to have physical access to all hops in the cascade simultaneously. This is practically impossible if the hops are in different countries.

Using a multi-hop setup with strong encryption and other privacy tools provides you with a high level of online anonymity and security.

Double VPN

Double VPN servers are a unique feature with some services.

With a double-VPN configuration, the first server could see your originating IP address, and the second server could see your outgoing traffic, but neither server would have both your IP address and your outgoing traffic.

This setup should still offer decent performance and it will also offer a higher level of security and privacy over a single-hop setup.

There are a few VPNs offering double-hop configurations that I have tested and found to work well:

• NordVPN – $3.71 per month (with the 68% discount); based in Panama; 31 double VPN configurations (NordVPN review)
• Surfshark – $2.49 per month; based in the British Virgin Islands; 15 double-VPN server configurations (Surfshark review)
• ProtonVPN – $8.00 per month; based in Switzerland; 48 double VPN servers (ProtonVPN review)
• VPN.ac – $3.75 per month; based in Romania; 22 double VPN configurations (VPN.ac review)

Now let’s examine performance

Are double VPN servers fast?

In my testing, I have found that you can still get excellent speeds with some double-hop VPNs (but not all).

The fastest double-VPN we have tested was with NordVPN on a USA-Canada server configuration at 214 Mbps download speeds:

You can see server options and prices on the NordVPN website here.

On the opposite end of the spectrum is ProtonVPN, which delivers sluggish speeds in most performance tests. You can see examples of this in the ProtonVPN vs NordVPN comparison.

One drawback with the double-hop VPNs mentioned above is that they only offer static configurations. This means that you cannot configure your own unique multi-hop VPN using any server in the network.

Additionally, you can also create double-hop connections with VPNs that offer self-configurable server selection, which we’ll examine more below.

• Perfect Privacy – Up to four servers (plus the NeuroRouting feature)
• ZorroVPN – Up to four servers
• OVPN – Up to two servers (but the multi-hop feature is a paid add-on, as we covered in the OVPN review)
• IVPN – Up to two servers

Ok, so double VPN servers are great — but what if you want even more hops? Or perhaps you want to select custom locations for your multi-hop VPN connection.

Self-configurable multi-hop VPNs

A self-configurable multi-hop VPN allows you to individually select the servers in the VPN cascade. Here are a few VPN services offering this feature.

1. Perfect Privacy (four hops)

Perfect Privacy allows you to create self-configurable VPN cascades with up to four hops directly in the VPN client. I tested this feature out for the Perfect Privacy review with both the Windows and Mac OS clients and found everything to work well.

Here is a four-hop VPN server cascade: Frankfurt >> Copenhagen >> Calais >> Malmo

With this configuration, your true identity and IP address will be protected behind four different encrypted VPN servers.

Every website you visit will only see the server details of the last hop in the VPN cascade. You can simply enable the multi-hop configuration setting, and then dynamically add or remove VPN servers in the VPN client. The last server in the cascade will reflect your publicly-visible IPv4, IPv6, and DNS resolvers.

Perfect Privacy is also one of the few VPNs offering full IPv6 support.

2. ZorroVPN (four hops)

Another VPN that you can use for a four-hop VPN cascade is ZorroVPN.

ZorroVPN is a Belize-based provider that did well in testing for the ZorroVPN review. Aside from the higher price, the main drawback with ZorroVPN is that they do not offer any custom VPN applications. This causes a few issues:

• You will need to use third-party OpenVPN applications, such as Viscosity, Tunnelblick, or others.
• You will need to manually create the multi-hop VPN server configuration file, and then import the file into your VPN application. In other words, you can’t simply create or change a multi-hop cascade directly in the VPN app, such as with Perfect Privacy.

The other issue here is that none of these third-party applications come with built-in leak protection settings. You will need to configure a kill switch and leak protection manually for all devices.

ZorroVPN offers a decent selection of servers and good performance. See the test results in the ZorroVPN review or visit their website here for more info.

3. OVPN (two hops)

OVPN is a Swedish VPN service that offers multi-hop configurations through an add-on feature. This feature is $5 per month in addition to your regular VPN subscription. This is similar to ProtonVPN and the Secure Core option,  which is more expensive than the basic subscription tier.

You can route traffic over two hops with OVPN. OVPN also supports IPV6.

4. IVPN (two hops)

IVPN is a VPN service based in Gibraltar. It offers users the ability to route traffic over two hops, but does not support IPv6. However, IVPN does support WireGuard VPN protocol.

Like some of the others we’ve covered, IVPN prices are above-average, but it is also a fully-featured VPN with clients for all major operating systems and devices.

Dynamic multi-hop VPN configurations (NeuroRouting)

The latest development in multi-hop connections and advanced security is NeuroRouting.

This is a unique feature was officially launched in October 2017 by Perfect Privacy.

NeuroRouting is a dynamic, multi-hop configuration that allows you to simultaneously route your traffic across numerous unique/different server configurations in the network. This feature is explained more in my NeuroRouting post, but here are the main points:

• Dynamic – Your internet traffic is dynamically routed across multiple hops in the VPN server network to take the most secure route. The routing path is based on TensorFlow, an open source software for machine learning, and data remains in the network as long as possible. Being based on TensorFlow, the network continually learns the best and most secure route for a given website/server.
• Simultaneous – Each website/server you access will take a unique route. Accessing multiple different websites will give you numerous, unique multi-hop configurations and IP addresses at the same time, corresponding to the location of the website server and the last VPN server in the cascade.
• Server-side – This feature is activated server-side, meaning every time you access the VPN network, NeuroRouting will be active (unless you disable it from the member dashboard). This also means it will work on any device – from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) as well as IPSec/IKEv2, which can be used natively on most operating systems.

The image above shows NeuroRouting in action, with the user connected to a VPN server in Iceland, while accessing four different websites located in different parts of the world.

You can learn more about NeuroRouting here.

Multi-hop VPN chains with different VPN providers

Ok, what if you want to add different VPN providers to the mix?

Another option is to create chains using more than one VPN provider at the same time. This is sometimes referred to as a “VPN within a VPN” or a “nested chain” of VPNs.

This is a good option for protecting users against a VPN that may be compromised, as well as a VPN server that may be compromised.

Here are a few different ways to do this:

VPN 1 on router > VPN 2 on computer/device

This is an easy setup with a VPN on a router and then using a different VPN service on your computer or device, which is connected through your VPN router. Choosing nearby servers will help minimize the performance hit with this setup.

VPN 1 on computer (host) > VPN 2 on virtual machine (VM)

This is another setup that can be run without much hassle. Simple install VirtualBox (free), install and setup the operating system within the VM, such as Linux (free), and then install and run a VPN from within the VM. This setup can also help protect you against browser fingerprinting by spoofing a different operating system from your host computer.

You can also add a router to the mix, using three different VPN services:

VPN 1 on router > VPN 2 on computer (host) > VPN 2 on virtual machine (VM)

Lastly, you could also create virtual machines within virtual machines, or daisy-chain virtual machines. (If you are new to virtual machines, there are many videos available online that explain setup and use.)

Virtual machines are a great privacy and security tool, since they allow you to create isolated environments for different purposes – also known as compartmentalization. Within VirtualBox, you can create numerous different VMs using various operating systems, such as Linux, which you can install for free. This also allows you to easily create new browser fingerprints with each additional VM, while also concealing your host machine’s fingerprint.

Use Linux – When setting up VMs, I’d recommend running a Linux OS, for the following reasons:

• Free
• Open source
• More private and secure than Windows or Mac OS

Ubuntu is user-friendly and easy to get going in minutes.

Note: Be sure to disable WebGL in Firefox with all your VMs (see the instructions in the Firefox privacy guide using about:config settings). This will prevent graphics fingerprinting since all the VMs will be using the same graphics driver.

We will be covering the topic of nested VPN chains more in the Advanced Privacy Guides series.

Mirimir has also written some guides on setting up nested VPN chains:

• How to create dynamic nested VPN chains.
• A series of guides about using nested VPN chains and Tor.

Conclusion on multi-hop VPNs

A multi-hop VPN configuration is an excellent way to achieve a higher level of privacy and security while also distributing trust across data centers and adding extra layers of encryption.

However, you should also understand that even when routing traffic over numerous hops, you are still placing all your trust in a single VPN service. Therefore this won’t protect you if the VPN itself is compromised. To get around this issue and further distribute trust, you can use nested VPN chains, with we will discuss more in future advanced privacy guides.

One of the simplest methods for using a multi-hop VPN on all devices would be to utilize the NeuroRouting feature from Perfect Privacy. Simply activate NeuroRouting from the member dashboard, and it will automatically be applied to all devices that connect to the VPN, with any protocol, any app, and any device. Because it is a server-side feature, rather than controlled within the client, it will simply work with everything that connects to the VPN.

Here is a recap of the multi-hop VPNs we’ve covered in this guide.

Double-hop VPN services (fixed locations, not self-configurable)

1. NordVPN – $3.71 per month (with the 68% discount); based in Panama; 31 double-hop configurations (NordVPN review)
2. Surfshark – $2.49 per month; based in the British Virgin Islands; 15 double-VPN server configurations (Surfshark review)
3. ProtonVPN – $8.00 per month; based in Switzerland; 48 double-hop servers (ProtonVPN review)
4. VPN.ac – $3.75 per month; based in Romania; 22 double-hop configurations (VPN.ac review)

Self-configurable VPN services:

1. Perfect Privacy – Up to four servers, plus the NeuroRouting feature; $8.95 per month; based in Switzerland (Perfect Privacy review)
2. ZorroVPN – Up to four servers; $10 per month; based in Belize (ZorroVPN review)
3. OVPN – Up to two servers; $7.00 per month (but the multi-hop feature is a paid add-on for $5.00/month); based in Sweden
4. IVPN – Up to two servers; $8.33 per month; based in Gibraltar