As the threats from advanced tracking and state-sponsored surveillance continue to grow, some privacy enthusiasts are looking for more protection in the form of multi-hop VPNs. If you consider the resources being spent by surveillance agencies to de-anonymize users, choosing a VPN service that offers a higher level of anonymity is indeed a valid consideration.
A multi-hop VPN simply encrypts your connection across two or more servers (multiple hops) before exiting onto the regular internet. Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security – even if one server were to be compromised.
In this guide we will explain why people are using multi-hop VPNs and how they can help you achieve higher levels of privacy and security. The key factor when considering whether you need a multi-hop VPN is your threat model. How much privacy do you need and want for your unique situation?
Disclaimer: For the majority of users, a multi-hop VPN may be overkill and not worth the performance tradeoffs (increased latency and slower speeds). A standard (single-hop) VPN setup with strong OpenVPN encryption, zero leaks, and other privacy tools (secure browser, ad/tracking blocker, etc.) should be adequate.
However, for those interested in achieving higher levels of privacy and security, there are multi-hop VPNs.
Surveillance and advanced online anonymity
A multi-hop VPN is a good privacy tool against targeted monitoring and other theoretical attack vectors we will discuss below. It may also be useful for those in dangerous situations, such as journalists or political dissidents living in oppressive countries.
One key question is whether you can trust the data center where the VPN server is located.
VPN services will rent, lease, or colocate servers in data centers all over the world for their network. These servers will be fully encrypted, secured, and under control of the VPN provider, thereby preventing third-party access to sensitive user data and traffic.
What can the data center see with an encrypted VPN server?
Even with strong encryption of the VPN server, the data center (host) – or perhaps an external state surveillance agency – could potentially monitor incoming and outgoing traffic on the server.
While this may seem alarming, it would still be very difficult for the data center (or third party) to gather useful information because:
- The traffic remains securely encrypted on the VPN tunnel, which right now is considered to be unbreakable (AES-256 encryption with the OpenVPN protocol, for example).
- Correlating outgoing traffic with incoming traffic is extremely difficult. Theoretically, traffic correlation for some users may be possible through advanced statistical analysis and studying traffic patterns. However, this remains difficult, especially on a large scale, even for powerful adversaries.
- Most VPNs utilize shared IPs, with many users on a given server (and IP address) at the same time, with all traffic being mixed. (Note: this is also why you should not “roll your own VPN” that only you will be using).
Even though a standard, single-hop VPN configuration will be adequate for the vast majority of users, incoming/outgoing traffic correlation may still be possible – at least in theory.
Are data centers really being targeted for traffic correlation attacks?
We have no way to know for sure. In many cases when authorities wanted customer data, they simply went to the data center and physically seized the server:
- Perfect Privacy servers were seized in the Netherlands (no customer data was affected)
- ExpressVPN servers were seized in Turkey (no customer data was affected) – as pointed out in my guide on no logs VPN services
In other cases, some VPNs have cooperated with authorities and handed over user information after being pressured by law enforcement agencies. These cases related to criminal investigations being conducted by US authorities. See for example the IPVanish logs case and also the PureVPN logging example.
Multi-hop VPN cascade
The first example of a multi-hop VPN we will examine is a “cascade” – where traffic is encrypted across two or more of the VPN’s servers.
One provider offering the ability to create custom VPN cascades with up to four servers is Perfect Privacy. Here is a basic visual explanation of how that would work using a four-hop VPN cascade:
In the picture above, the user’s identity is changed at every hop and re-encrypted using OpenVPN 256-bit AES encryption (for example), before the traffic exits the VPN cascade onto the regular internet. With every hop, the new VPN server only gets the previous VPN server’s IP address/location – further obscuring and protecting the user’s true identity.
Perfect Privacy also makes some interesting points in their multi-hop VPN article:
With a cascaded connection this [traffic correlation] attack becomes much more difficult because while the ISP/eavesdropper still knows the VPN entry node of the user, it does not know on which server the traffic exits. He would need to monitor all VPN servers and take a guess at which exit node the user is using. This makes it next to impossible to successfully identify users by traffic correlation.
Also it is theoretically possible that an attacker has physical access to the VPN server in the data center. In that case he can possibly execute a de-anonymization attack on the VPN user. A cascaded connection protects against this attack vector: Since the user’s traffic is encapsulated with an additional layer of encryption for each hop in the cascade, no traffic can be read or correlated with incoming traffic.
The attacker would still see outgoing encrypted traffic to another VPN server but he cannot determine whether this is a middle or exit node. To successfully intercept and decrypt the traffic, the attacker would need to have physical access to all hops in the cascade simultaneously. This is practically impossible if the hops are in different countries.
Using a multi-hop setup with strong encryption and other privacy tools provides you with a high level of online anonymity and security.
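The layering described in this section, as an added example that is not code from the article or from any VPN provider: the client wraps a request once per hop, each hop removes exactly one layer, and the script records which server learns the client IP and which learns the destination. The hop labels reuse the cascade named later in this guide; the keys, client address, destination, and the hash-based cipher (a toy stand-in for AES-256) are constructed assumptions, and the model covers what each server can read, not timing-based correlation.

```python
import hashlib
import hmac
import json


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a toy stand-in for the tunnel cipher
    # (AES-256 in the article). No nonce, so one message per key only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer for the hop that holds `key`."""
    stream = _keystream(_subkey(key, b"enc"), len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest() + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; fails if the layer was sealed for another hop."""
    tag, ct = blob[:32], blob[32:]
    expected = hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not encrypted for this hop")
    stream = _keystream(_subkey(key, b"enc"), len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def demo_keys(hops):
    """Constructed per-hop session keys (a real client negotiates these)."""
    return {h: hashlib.sha256(b"constructed-demo-key:" + h.encode()).digest()
            for h in hops}


def wrap(hops, keys, destination, request: bytes) -> bytes:
    """Client side: encrypt for the exit hop first, the entry hop last."""
    blob, next_addr = request, destination
    for hop in reversed(hops):
        layer = json.dumps({"next": next_addr, "inner": blob.hex()}).encode()
        blob, next_addr = seal(keys[hop], layer), hop
    return blob


def relay(entry, keys, client_ip, packet: bytes):
    """Follow the packet hop by hop; return what every server observed."""
    seen, source, hop, blob = [], client_ip, entry, packet
    while hop in keys:  # stop once "next" is no longer a VPN server
        layer = json.loads(unseal(keys[hop], blob))
        seen.append({"hop": hop, "source": source, "next": layer["next"]})
        source, hop, blob = hop, layer["next"], bytes.fromhex(layer["inner"])
    return seen, blob  # blob is the request as it leaves the exit hop


def exposure(seen, client_ip, destination):
    """Per hop: (learns the client IP, learns the destination)."""
    return {o["hop"]: (o["source"] == client_ip, o["next"] == destination)
            for o in seen}


if __name__ == "__main__":
    hops = ["frankfurt", "copenhagen", "calais", "malmo"]
    keys = demo_keys(hops)
    packet = wrap(hops, keys, "example.org", b"GET / HTTP/1.1")
    seen, _ = relay(hops[0], keys, "203.0.113.7", packet)
    result = exposure(seen, "203.0.113.7", "example.org")
    for hop, (client, dest) in result.items():
        print(f"{hop:11} client IP: {client!s:5}  destination: {dest}")
```

Running the same functions with a single hop shows the contrast: that one server learns both the client IP and the destination.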
Double-hop VPNs
Double-hop VPN servers are a unique feature with some VPN providers.
With a double-hop VPN configuration, the first server could see your originating IP address, and the second server could see your outgoing traffic, but neither server would have both your IP address and your outgoing traffic.
This setup should still offer decent performance and it will also offer a higher level of security and privacy over a single-hop setup.
There are a few VPNs offering double-hop configurations that I have tested and found to work well:
- NordVPN – $3.71 per month (with the 68% discount); based in Panama; 31 double-hop configurations (NordVPN review)
- ProtonVPN – $8.00 per month; based in Switzerland; 48 double-hop servers (ProtonVPN review)
- VPN.ac – $3.75 per month; based in Romania; 22 double-hop configurations (VPN.ac review)
Performance: In my testing, I have found that you can still get excellent speeds with some double-hop VPNs. Below is an example where I hit over 116 Mbps download speed with NordVPN on the Switzerland > Sweden connection. My baseline (non-VPN) speed was around 155 Mbps (tested from Germany).
You can see server options and prices on the NordVPN website.
One drawback with the double-hop VPNs mentioned above is that they only offer static configurations. This means that you cannot configure your own unique multi-hop VPN using any server in the network.
Additionally, you can also create double-hop connections with VPNs that offer self-configurable server selection, which we’ll examine more below.
- Perfect Privacy – Up to four servers (plus the NeuroRouting feature)
- ZorroVPN – Up to four servers
- OVPN – Up to two servers (but the multi-hop feature is a paid add-on, as we covered in the OVPN review)
- IVPN – Up to two servers
- Insorg – Up to five servers
Browser proxy extension + VPN client with VPN.ac
Another useful privacy tool is a secure proxy browser extension, which can be combined with a VPN client on the operating system. VPN.ac offers a secure proxy browser extension for Firefox, Chrome, and Opera browsers. The extension encrypts all traffic within the browser using TLS (HTTPS) and is fast and lightweight.
In the image below, you can see I’m connected to a VPN server in Sweden with VPN.ac’s desktop application, while also connected to a server in New York through the browser proxy extension.
Just like with their VPN application, VPN.ac also offers double-hop proxy locations for the browser. This means you could be running a double-hop VPN server connection on the desktop VPN client, and also a separate double-hop connection through the browser. Since the browser extension works independently (unlike most other VPN browser extensions), it can be combined with a different VPN service running on the desktop client.
Self-configurable multi-hop VPNs
A self-configurable multi-hop VPN allows you to individually select the servers in the VPN cascade. Here are a few VPN services offering this feature.
1. Perfect Privacy (four hops)
Perfect Privacy allows you to create self-configurable VPN cascades with up to four hops directly in the VPN client. I tested this feature out for the Perfect Privacy review with both the Windows and Mac OS clients and found everything to work well.
Here is a four-hop VPN server cascade: Frankfurt >> Copenhagen >> Calais >> Malmo
With this configuration, your true identity and IP address will be protected behind four different encrypted VPN servers.
Every website you visit will only see the server details of the last hop in the VPN cascade. You can simply enable the multi-hop configuration setting, and then dynamically add or remove VPN servers in the VPN client. The last server in the cascade will reflect your publicly-visible IPv4, IPv6, and DNS resolvers.
You can also see above that Perfect Privacy is providing me with both an IPv4 and IPv6 address – they are one of the few VPNs offering full IPv6 support.
2. ZorroVPN (four hops)
Another option for a four-hop VPN cascade is ZorroVPN.
ZorroVPN is a Belize-based provider that did well in testing for the ZorroVPN review. Aside from the higher price, the main drawback with ZorroVPN is that they do not offer any custom VPN applications. This causes a few issues:
- You will need to use third-party OpenVPN applications, such as Viscosity, Tunnelblick, or others.
- You will need to manually create the multi-hop VPN server configuration file, and then import the file into your VPN application. In other words, you can’t simply create or change a multi-hop cascade directly in the VPN app, such as with Perfect Privacy.
The other issue here is that none of these third-party applications come with built-in leak protection settings. You will need to configure a kill switch and leak protection manually for all devices.
ZorroVPN offers a decent selection of servers and good performance. See the test results in the ZorroVPN review or visit their website for more info.
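The manual leak protection mentioned above for third-party OpenVPN clients starts with knowing which routes bypass the tunnel. The following added example (not from the original article or any provider) parses constructed `ip route` output and reports gateway routes on a physical interface that are not overridden by more specific tunnel routes, including an IPv6 default route left outside the VPN. The interface names, addresses, sample tables and the `find_leaks` helper are assumptions.

```python
import ipaddress

# Constructed samples in the format printed by `ip -4 route` / `ip -6 route`.
ROUTES_V4_UP = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""
ROUTES_V4_DOWN = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""
ROUTES_V6_LEAKY = """
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
ROUTES_V6_NONE = "fe80::/64 dev eth0 proto kernel metric 256 pref medium"


def parse_routes(text, family):
    """Return (network, device, has_gateway) for each usable route line."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = default if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # other route types, e.g. "unreachable ..."
        routes.append((net, fields[fields.index("dev") + 1], "via" in fields))
    return routes


def covered_by_tunnel(net, tunnel_nets):
    """True if more specific tunnel routes together span all of `net`."""
    more_specific = [t for t in tunnel_nets
                     if t.version == net.version
                     and t.prefixlen > net.prefixlen and t.subnet_of(net)]
    return list(ipaddress.collapse_addresses(more_specific)) == [net]


def find_leaks(v4_text, v6_text, tunnel_dev, vpn_server):
    """List (network, device) routes that send traffic around the tunnel."""
    routes = parse_routes(v4_text, 4) + parse_routes(v6_text, 6)
    tunnel_nets = [net for net, dev, _ in routes if dev == tunnel_dev]
    server_net = ipaddress.ip_network(vpn_server)  # must bypass the tunnel
    leaks = []
    for net, dev, has_gateway in routes:
        # Skip tunnel routes, on-link (LAN) routes and the VPN server itself.
        if dev == tunnel_dev or not has_gateway or net == server_net:
            continue
        if not covered_by_tunnel(net, tunnel_nets):
            leaks.append((str(net), dev))
    return leaks


if __name__ == "__main__":
    cases = {
        "tunnel up, IPv6 ignored by the client": (ROUTES_V4_UP, ROUTES_V6_LEAKY),
        "tunnel up, no IPv6 default route": (ROUTES_V4_UP, ROUTES_V6_NONE),
        "tunnel dropped, no kill switch": (ROUTES_V4_DOWN, ROUTES_V6_NONE),
    }
    for name, (v4, v6) in cases.items():
        print(name, "->", find_leaks(v4, v6, "tun0", "203.0.113.10") or "no leaks")
```

On a live Linux system the two text arguments would be the output of `ip -4 route` and `ip -6 route`; a routing check like this complements a firewall-based kill switch rather than replacing it.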
3. OVPN (two hops)
OVPN is a Swedish VPN service that offers multi-hop configurations through an add-on feature. This feature is $5 per month in addition to your regular VPN subscription. This is similar to ProtonVPN and the Secure Core option, which is more expensive than the basic subscription tier.
You can route traffic over two hops with OVPN. OVPN also supports IPv6.
4. IVPN (two hops)
IVPN is a VPN service based in Gibraltar. It offers users the ability to route traffic over two hops, but does not support IPv6. However, IVPN does support the new WireGuard VPN protocol.
Like some of the others we’ve covered, IVPN prices are above-average, but it is also a fully-featured VPN with clients for all major operating systems and devices.
5. Insorg (five hops)
Insorg is another interesting VPN provider that supports up to five hops. The website discusses a strong stance toward privacy and security, as you can read about here.
There isn’t much information about Insorg, other than what you can find on their website. It’s also one of the most expensive VPNs I’ve seen.
Dynamic multi-hop VPN configurations (NeuroRouting)
The latest development in multi-hop connections and advanced security is NeuroRouting.

This unique feature was officially launched in October 2017 by Perfect Privacy.
NeuroRouting is a dynamic, multi-hop configuration that allows you to simultaneously route your traffic across numerous unique/different server configurations in the network. This feature is explained more in my NeuroRouting post, but here are the main points:
- Dynamic – Your internet traffic is dynamically routed across multiple hops in the VPN server network to take the most secure route. The routing path is based on TensorFlow, an open source software for machine learning, and data remains in the network as long as possible. Being based on TensorFlow, the network continually learns the best and most secure route for a given website/server.
- Simultaneous – Each website/server you access will take a unique route. Accessing multiple different websites will give you numerous, unique multi-hop configurations and IP addresses at the same time, corresponding to the location of the website server and the last VPN server in the cascade.
- Server-side – This feature is activated server-side, meaning every time you access the VPN network, NeuroRouting will be active (unless you disable it from the member dashboard). This also means it will work on any device – from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) as well as IPSec/IKEv2, which can be used natively on most operating systems.
The image above shows NeuroRouting in action, with the user connected to a VPN server in Iceland, while accessing four different websites located in different parts of the world.
You can learn more about NeuroRouting here.
Multi-hop VPN chains with different VPN providers
Another option is to create chains using more than one VPN provider at the same time. This is sometimes referred to as a “VPN within a VPN” or a “nested chain” of VPNs.
This is a good option for protecting users against a VPN that may be compromised, as well as a VPN server that may be compromised.
Here are a few different ways to do this:
VPN 1 on router > VPN 2 on computer/device
This is an easy setup with a VPN on a router and then using a different VPN service on your computer or device, which is connected through your VPN router. Choosing nearby servers will help minimize the performance hit with this setup.
VPN 1 on computer (host) > VPN 2 on virtual machine (VM)
This is another setup that can be run without much hassle. Simply install VirtualBox (free), install and set up the operating system within the VM, such as Linux (free), and then install and run a VPN from within the VM. This setup can also help protect you against browser fingerprinting by spoofing a different operating system from your host computer.
You can also add a router to the mix, using three different VPN services:
VPN 1 on router > VPN 2 on computer (host) > VPN 3 on virtual machine (VM)
Lastly, you could also create virtual machines within virtual machines, or daisy-chain virtual machines. (If you are new to virtual machines, there are many videos available online that explain setup and use.)
Virtual machines are a great privacy and security tool, since they allow you to create isolated environments for different purposes – also known as compartmentalization. Within VirtualBox, you can create numerous different VMs using various operating systems, such as Linux, which you can install for free. This also allows you to easily create new browser fingerprints with each additional VM, while also concealing your host machine’s fingerprint.
Use Linux – When setting up VMs, I’d recommend running a Linux OS, for the following reasons:
- Free
- Open source
- More private and secure than Windows or Mac OS
Ubuntu is user-friendly and easy to get going in minutes.
Note: Be sure to disable WebGL in Firefox with all your VMs (see the instructions in the Firefox privacy guide using about:config settings). This will prevent graphics fingerprinting since all the VMs will be using the same graphics driver.
We will be covering the topic of nested VPN chains more in the Advanced Privacy Guides series.
Mirimir has also written some guides on setting up nested VPN chains:
- How to create dynamic nested VPN chains.
- A series of guides about using nested VPN chains and Tor.
Conclusion on multi-hop VPNs
A multi-hop VPN configuration is an excellent way to achieve a higher level of privacy and security while also distributing trust across data centers and adding extra layers of encryption.
However, you should also understand that even when routing traffic over numerous hops, you are still placing all your trust in a single VPN service. Therefore this won’t protect you if the VPN itself is compromised. To get around this issue and further distribute trust, you can use nested VPN chains, which we will discuss more in future advanced privacy guides.
One of the simplest methods for using a multi-hop VPN on all devices would be to utilize the NeuroRouting feature from Perfect Privacy. Simply activate NeuroRouting from the member dashboard, and it will automatically be applied to all devices that connect to the VPN, with any protocol, any app, and any device. Because it is a server-side feature, rather than controlled within the client, it will simply work with everything that connects to the VPN.
Here is a recap of the multi-hop VPNs we’ve covered in this guide.
Double-hop VPN services (fixed locations, not self-configurable)
- NordVPN – $3.71 per month (with the 68% discount); based in Panama; 31 double-hop configurations (NordVPN review)
- ProtonVPN – $8.00 per month; based in Switzerland; 48 double-hop servers (ProtonVPN review)
- VPN.ac – $3.75 per month; based in Romania; 22 double-hop configurations (VPN.ac review)
Self-configurable VPN services:
- Perfect Privacy – Up to four servers, plus the NeuroRouting feature; $8.95 per month; based in Switzerland (Perfect Privacy review)
- ZorroVPN – Up to four servers; $10 per month; based in Belize (ZorroVPN review)
- OVPN – Up to two servers; $7.00 per month (but the multi-hop feature is a paid add-on for $5.00/month); based in Sweden
- IVPN – Up to two servers; $8.33 per month; based in Gibraltar
- Insorg – Up to five servers; $15.83 per month; jurisdiction unknown
IVPN also offers a configurable double hop in both their Android app as well as Windows client. You can choose both the entry and exit server.
Yep, it is listed above, along with a few others that we have not yet tested.
When using double-hop VPN, is there a recommended order of choice? I use SurfShark ATM, and currently there are 14 double-hop choices. Since I am in the US, what are your recommendations on which option to choose? Ingress in US and egress remote country or the other way around? Or should both ingress and egress be in remote countries? Hopefully my question makes sense and thank you in advance.
Hi Pete, as for location, I do not think it makes a big difference in terms of privacy or security. I’d go with whichever combination performs the best for you.
Thanks, Sven. It appears, at least thus far, the NL to US is performing well. As FYI, the terminating IP in the US is showing Dallas, TX as the geolocation. I haven’t tried all the others yet, but I’m satisfied with the performance so far. Happy Holidays!
Check out orchid for hops
Does using VPN1 on the operating system and using VPN2’s browser extension offer any sort of benefit?
Sure, there could be some use cases for that.
Would I be able to combine using the multi-hop cascade service from Perfect Privacy with using a different VPN on a router or on a VM (or both)? Would that increase anonymity and security compared to if I were just to use one of these methods?
Yes, you could probably combine the two, although I haven’t tested it.
With regards to tunneling VPN through another VPN using VMs, I contacted several VPN providers including many of the mentioned above and most advised against it, stating that the encryption itself won’t function, meaning that transmission security will deteriorate. I have tried it and surprisingly, I didn’t have a speed issue, which made me wonder if encryption is happening at all.
I also contacted OpenVPN.net for the same and they advised against tunneling VPN through another VPN, they also thought that no provider would support that.
The main focus when using a VPN is to enhance the transmission encryption/Security and avoid malware injection to the transmission.
Appreciate your thorough advice.
It’s very easy to do. And you shouldn’t need any support from the VPN itself. If they offer a Windows client, then it will work in a Windows VM. It’s that easy.
But if you don’t want to deal with VPNs, then just use a high-powered VPN router with one VPN, and then another VPN service on your computer. This works well too. I do it with the Vilfo router.
Hello,
WindScribe also offers Double Hop feature.
Best regards,
I only saw 22 double hop configurations for NordVPN but I am very happy with the performance of the one that I am using. The website could be better for selecting servers, but I am a set it and forget it type when it comes to things like this. I disagree with you on one point. A single hop VPN is fine if you’re trying to prevent your real IP being revealed to peers online. But with no privacy laws anymore in the US even on intermediary networks, you need a double hop going outside the country and then back in so as not to run into some real pains in the neck when it comes to purchasing goods online. In my book, a single hop to Canada would normally be good enough if not for that. But given that some geolocation goes strictly on your IP address including what form of money you are paying in, you need a US exit node.
Hi Sven,
Thank you for this (again) very useful article!
Just for the record, it seems that Surfshark also offers double-hop VPN services (fixed locations, not self-configurable), although they call it “multi-hop”:
https://support.surfshark.com/hc/en-us/articles/360026295774-MultiHop-guide
Cheers
Indeed, I’ll add Surfshark to the next update. Thanks.
So I am working with pfSense and have access to two VPN providers that permit multiple simultaneous connections. I understand that they have to be logged into and that is the final downfall once reviewed by law enforcement if the providers are not keeping up their end of the no logs policy, I’m just working on this as a project. If I’m going to break the law and do something stupid to risk my freedom I’d at least start with an air-gapped machine and crack a random victim’s WiFi, but I enjoy going outside when I feel like it. I have established multiple VPN Clients within the Firewall/Router, starting with say connection 1 to provider 1 via my WAN, connection 2 connects to provider 2 via OpenVPN connection 1. Now I create connection 3 using another connection from provider 1 which in turn connects to connection 2 as its WAN. In theory I feel like this works, but in the end all I’ve done is secured data through connection 1 and 2 while directly connecting to connection 3 right? But then again connection 3 sees all traffic as being sent from connection 2 IP Address as it traverses NAT translations. So again in theory any surveillance has to trace the IP Address and port address translation and then finds that connection was coming from connection 2 and again has to back track the port address translation to my ISP IP Address connection to connection 1 right? All of my CCNA, CyberOps, and CEH studies say yes but a second opinion never hurts. Just trying to push the envelope to see if I am missing anything. I’m guessing if I throw a Tor connection in the middle and connect to a VPN at the other end that would mask even more. Then establish a decentralized connection through Block Chain using the Tachyon project. Now I should be secure in sending end to end encrypted messages via the Signal protocol to say hello to my friends?
Great work respectprivacy.com, please keep it up for us regular folks!
Just to make sure I understand that. What would happen if my setup is VPNonHOST (provider1) -> VPNonROUTER (provider2) and VPNonROUTER would be compromised. Would my router be exposed? If so and if it is a home router then such a double-hop setup doesn’t make much sense. Or would it be just VPNonHOST that would be exposed and I’m still good? Thank you.
I’m not sure what “exposed” means exactly in this context, but the idea here is that you have two layers to protect your IP address, location, and identity. So if the VPN router failed to protect this data, the VPN on your host machine (computer) would still keep you safe.
Hi Sven, again really really helpful guide. Not sure how recent this development is but Mullvad also offers ‘double-hop’ VPN configuration with wireguard as part of their standard service, so no extra fees – see for example
https://mullvad.net/en/help/multihop-wireguard/
I tried it on Linux, double hop speeds very fast; you can essentially configure any combination of 2 wireguard servers yourself.
just for info
Cool, I’ll have to add Mullvad to this guide with the next update. Thanks for the info.
Great! – I know slightly different topic (Wireguard vs OpenVPN) but Mullvad multihop with 2 Wireguard servers gives me much higher speeds – ‘background speed’ almost 100 Mbps with no VPN.
With OpenVPN and single VPN server setup -> speeds around 40-50 Mbps;
but using ‘double hop’ Wireguard I get speeds of 60-70 Mbps (similar location used to OpenVPN).
I know still some loss in speed but overall quite impressive I thought.
I happen to have paid for two VPNs, PrivateVPN and Surfshark (I paid for Surfshark because it had such a low price for 2 years). Surfshark does have a browser extension. If I use Swedish (where I live) servers on both I notice no difference in speed while browsing. I get the same result on speedtests with or without the second VPN. If I use a country close by, like Finland, there is a slight delay, but I guess that is quite natural.
But anyhow, just because I can, I use double hop 🙂
Hi, which VPN will see the visited website if I use the following configuration:
VPN 1 on computer (host) > VPN 2 on virtual machine (VM)
Cheers
VPN 1 could see your real IP address, VPN 2 on VM can see the sites visited.
Hi,
Thank you for your work on this valuable resource. It’s very informative. You say to not “roll your own” VPN. I take the point, but can you clarify? I see it makes sense to not roll your own server at another physical location that only you use. But what about using cloud platforms like Microsoft Azure or Amazon AWS, Google Cloud Platform, Digital Ocean, or some other third party?
Again, all your traffic will still be tied to the IP address of the server, whoever is hosting it. The key issue is your traffic is not getting mixed with other users who are sharing the same IP address.
Hi,
First, thanks for all the great information on this blog. I’m a very basic user (Mac OS, Firefox), and have been using a newer VPN service called Surfshark for a couple of months now. Wondering if you’ve heard of it and what you think?
I also did most of the recommended browser tweaks for Firefox, but Flash doesn’t seem to work anymore, even when enabling it.
Thanks for any input!
Hi, I should have a Surfshark review done in the coming months. I’m trying to get caught up with VPN reviews, email reviews, and other guides.
hi,
Thanks for the information concerning multi-hop vpns. Could you clarify a few things? I notice that you said that you could run a vpn on a router and run a vpn on a computer/laptop and it would work as a double vpn. If both vpn connections are with the same provider and not two separate vpn service providers will the connection still be hopped or since both connections are with the same service will the service recognize it and disable one of the connections so that you are only connected to one vpn server?
Is there a way to check and see what IPs your connection is hopped to to verify that you are indeed routed through both vpn servers?
Yes, “double VPN” in that you are encrypting your traffic across two servers, but you could also use different VPN services, or the same one I guess. But if you’re using the same provider, use different locations.
> “Is there a way to check and see what IPs your connection is hopped to to verify that you are indeed routed through both vpn servers?”
Yes. Connect to the router, run tests to verify your public IP and DNS requests are going through the VPN. Then connect to a VPN on your computer, and repeat tests. A good test page is https://ipleak.net
Thank you very much for your time in making this article, I wish we had more like you!
Hi recently while browsing Swedish state television while abroad via my vpn with Annonine the svt.se still could tell I was abroad and did not allow me to browse some sports.
Another subscription provider stated that as long as I was using a VPN provider they would not allow me to view any programs – as I for the moment work out of Germany it was not an issue as they are allowed to send to all Europe – my concern is if I am outside Europe they will then not allow me to view anything.
any ideas how to beat this new issue?
cheers
If you want to stream without getting blocked, I would recommend ExpressVPN. It works well with streaming media and not getting detected as a VPN. Other VPNs are generally not as good with this issue and are usually blocked by Netflix, BBC iPlayer, Hulu, etc.
Hey, this question might be off topic but it is still regarding online privacy with VPNs. So, what about Tor? How anonymous are you while browsing using Tor over VPN? Can the traffic be linked back to you?
I use cyberghost VPN which has passed every leak test that I’ve run (on websites) and isn’t in any of the 14 Eyes countries (Romania) and has a no logging policy. Now reading about the guy paying anonymously for his VPN I wonder: I paid for a lifetime subscription (one time payment) but registered a disposable email with a unique username. Can my traffic be somehow traced back to me?
When I fell into the hype about the dweb I began browsing tor on a sandboxed VM over VPN. Would you recommend that set-up?
Do you know anything about Mexican cybersecurity? I.e. Their capability. Do you know how the requests between a federal body and a foreign country’s company/government work? I mean, if they are obliged to comply, when it is worth to do so, how often does this happen, etc? You just seem to have all the answers to my curious questions.
Excellent well-documented and well-written article. Kudos!
Hi there, you might find the Tor browser guide interesting, I’m not sure about Mexican cybersecurity.
Sven,
question regarding nesting vpns:
Would there be any issues combining Perfect Privacy(configured with multi hops) installed on my computer with a different vpn provider installed on my router ?
Not sure if combining a multiple hop vpn on my computer with a vpn router(different vpn provider), is effectively adding an additional hop?
thanks
t
Hello, yes, that should work.
Single-hop VPN on your router connected to a nearby server > Perfect Privacy on your computer using multi-hop VPN configurations.
Using more than one VPN is also smart in the event that one service is (theoretically) compromised, your data will still be secure.
Thanks for an informative article, I’m a casual user and for me I didn’t really see how I would if I wanted to enable several layers without being a lot more knowledgeable.
Keep up the good work to counteract tyrannical normative agenda (making information easy to access) set by the hidden plutocracy.
I have a question, I’m sure you got asked that before, but I really had this question for a long time without having an accurate answer!
Let’s say that you bought a phone from a country that is proven to spy on people.
Like for example a phone from America or China!
Does that mean they can automatically spy on you and detect what you do with the phone because it’s made in there?!
Or when u buy a phone from one of those country’s without using any of the tools that they created like Gmail etc.
They can’t reach you like other users?
I’m sorry maybe the question is easy but I made it difficult, but you get what I say , I hope 🙂
Hi, this is a big topic, but it has more to do with the operating system and hardware, rather than where the phone was purchased. For example, Android phones purchased anywhere could collect data and hand this over to the NSA through the PRISM surveillance program. Speaking of phones, you may want to check out the Librem 5, although not yet released: https://puri.sm/products/librem-5/
Have you had time to check out NordVPN’s new Linux app?
https://nordvpn.com/download/linux/
Not yet.
I am a user of Nord on Linux. It is the easiest VPN to set up on Linux I have found. Their app is by far the best one I have seen thus far as far as simplicity goes. Just type Nordvpn -help and it gives you all the commands to navigate. I use the VPN + proxy setup. First launch the app; connect, then launch Firefox and connect to the second server.
I tried Perfect Privacy on Linux. It took several hours for me to get the multi-hop feature to work.
I love your blog but I find it funny that a lot is discussed about VPNs, but always for Windows. Microsoft (aka the surveillance corporation) is not trustable. Using a VPN on Windows is the same as going out on a stormy day with an umbrella, naked. If you want real privacy, the first thing to consider is the OS. Everything else is secondary, including the VPN.
Hello, thanks for the feedback. Indeed, Linux is the way to go, even though most people are still on Windows and Mac (desktop) or Android and iOS. Nonetheless, I’ll work on publishing more information about Linux and privacy.
Wow…awesome write-up. Thank you for publishing it!!!
Hello, Sven, you may want to add “Qomui” to this article. It is an OpenVPN Management UI for Linux and supports “double-hop VPN connections (VPN chains) between different providers”.
https://github.com/corrad1nho/qomui
Hi Joe, thanks for sharing that. Looks good.
So, if I have four PCs in my home and have Perfect Privacy OpenVPN set up on my router and I am connected to, let’s say, Sweden, can I then use a multi-hop connection on just one PC with OpenVPN manager to cascade to VPN servers at different locations, while if another home PC goes online it will still be going through the Swedish server?
I am assuming that router multi-hop configurations are not possible with Perfect Privacy.
“So, if I have four PCs in my home and have Perfect Privacy OpenVPN set up on my router and I am connected to, let’s say, Sweden, can I then use a multi-hop connection on just one PC with OpenVPN manager to cascade to VPN servers at different locations, while if another home PC goes online it will still be going through the Swedish server?”
Correct.
“I am assuming that router multi-hop configurations are not possible with Perfect Privacy.”
Correct – unless you enable NeuroRouting, then you will still get the dynamic multi-hop on every device that connects to the router.
The only VPN I know of that you can use static multi-hop locations on your router is ZorroVPN. You just need to use their OpenVPN file config generator, choose the locations for the cascade, and then download the OpenVPN config and import it onto your router.
VPN (in your router) + Tortilla adapter (in your machine) + VPN Gate (in your virtual machine, which uses the Tortilla adapter) = safe to watch porn.
Thanks for the tip!
Does Perfect Privacy require their apps to do double/multi-hop or do they provide configs as well? I tend to stay away from VPN apps on mobile (iOS) and prefer using the operating system’s native settings. That way I don’t have to worry about a sudden iOS update breaking app compatibility, among other things. The other reason is that I tend to run my iPhone in supervised mode (sort of like MDM for those who don’t know) in order to have a true kill-switch equivalent. I see that Perfect Privacy has IKEv2/IPSEC available (ideal for iOS), but couldn’t find anything related to multi-hop.
Hi Matti, Perfect Privacy gives you a config generator for different protocols, including IPSec/IKEv2 config files for MacOS and iOS. I’ve used this myself and I also included screenshots of testing in the Perfect Privacy review (works well).
Regarding multi-hop you have two options with PP:
1) Use their custom VPN clients, to create self-configurable multi-hops in the VPN client (for Windows, Mac OS, and Linux). But since you are using IKEv2 without an app, this doesn’t apply.
2) The second option is NeuroRouting. This is a server-side feature that you enable in the member dashboard, and it will be enabled with anything that connects to the VPN, including iOS and Mac OS devices using IKEv2. This can easily be enabled/disabled from the member dashboard (you don’t have to use it and it’s not for everyone). Their TrackStop filter works the same way – these are server-side features that are applied server-wide to your account (rather than activated through an app).
Note: If you are using the PP VPN client, you can also combine self-configurable multi-hops with NeuroRouting – although performance won’t be great due to high latency.
How about using an OpenVPN app, and then in the browser, using another SSL-VPN/browser-based VPN? Now you have 2 tunnels, and they are not by the same company. You turn on the browser only when the OpenVPN client is turned on and assigns you an IP. That way, when you sign up for a trial in the browser-only VPN, they simply have your VPN-assigned address, not your ISP-assigned one.
Plus, select the VPN in a non-14 Eyes country like Romania, and get the browser-VPN-SSL tunnel to connect to Ukraine (yes, this country is available in such VPN extensions in Chrome and Firefox) and now you are better protected than with just a single-hop VPN.
Hi Tony, good idea. That’s exactly what you can do with VPN.ac using their secure browser proxy extension in combination with the VPN client. In fact, you can choose double-hop servers for both the VPN and also the browser extension. I need to update this guide with that information.