Multi-Hop VPNs for Maximum Privacy & Security (How-To Guide)As the threats from advanced tracking and state-sponsored surveillance continue to grow, some privacy enthusiasts are looking for more protection in the form of multi-hop VPNs. If you consider the resources being spent by surveillance agencies to de-anonymize users, choosing a VPN service that offers a higher level of anonymity is indeed a valid consideration.
Surveillance and advanced online anonymityA multi-hop VPN is a good privacy tool against targeted monitoring and other theoretical attack vectors we will discuss below. It may also be useful for those in dangerous situations, such as journalists or political dissidents living in oppressive countries. One key question is whether you can trust the data center where the VPN server is located. VPN services will rent, lease, or colocate servers in data centers all over the world for their network. These servers will be fully encrypted, secured, and under control of the VPN provider, thereby preventing third-party access to sensitive user data and traffic. What can the data center see with an encrypted VPN server? Even with strong encryption of the VPN server, the data center (host) – or perhaps an external state surveillance agency – could potentially monitor incoming and outgoing traffic on the server. While this may seem alarming, it would still be very difficult for the data center (or third party) to gather useful information because:
- The traffic remains securely encrypted on the VPN tunnel, which right now is considered to be unbreakable (AES-256 encryption with the OpenVPN protocol, for example).
- Correlating outgoing traffic with incoming traffic is extremely difficult. Theoretically, traffic correlation for some users may be possible through advanced statistical analysis and studying traffic patterns. However, this remains difficult, especially on a large scale, even for powerful adversaries.
- Most VPNs utilize shared IPs, with many users on a given server (and IP address) at the same time, with all traffic being mixed. (Note: this is also why you should not “roll your own VPN” that only you will be using).
Multi-hop VPN cascadeThe first example of a multi-hop VPN we will examine is a “cascade” – where traffic is encrypted across two or more of the VPN’s servers. One provider offering the ability to create custom VPN cascades with up to four servers is Perfect Privacy. Here is a basic visual explanation of how that would work using a four-hop VPN cascade: In the picture above, the user’s identity is changed at every hop and re-encrypted using OpenVPN 256-bit AES encryption (for example), before the traffic exits the VPN cascade on to the regular internet. With every hop, the new VPN server only gets the previous VPN server’s IP address/location – further obscuring and protecting the user’s true identity. Perfect Privacy also makes some interesting points in their multi-hop VPN article:
With a cascaded connection this [traffic correlation] attack becomes much more difficult because while the ISP/eavesdroper still knows the VPN entry node of the user, it does not know on which server the traffic exits. He would need to monitor all VPN servers and take a guess at which exit node the user is using. This makes it next to impossible to successfully identify users by traffic correlation. Also it is theoretically possible that an attacker has physical access to the VPN server in the data center. In that case he can possibly execute a de-anonymization attack on the VPN user. A cascaded connection protects against this attack vector: Since the user’s traffic is encapsulated with an additional layer of encryption for each hop in the cascade, no traffic can be read or correlated with incoming traffic. The attacker would still see outgoing encrypted traffic to another VPN server but he cannot determine whether this is a middle or exit node. To successfully intercept and decrpyt the traffic, the attacker would need to have physical access to all hops in the cascade simultaneously. This is practically impossible if the hops are in different countries.Using a multi-hop setup with strong encryption and other privacy tools provides you with a high level of online anonymity and security.
Double-hop VPNsDouble-hop VPN servers are a unique feature with some VPN providers. With a double-hop VPN configuration, the first server could see your originating IP address, and the second server could see your outgoing traffic, but neither server would have both your IP address and your outgoing traffic. This setup should still offer decent performance and it will also offer a higher level of security and privacy over a single-hop setup. There are a few VPNs offering double-hop configurations that I have tested and found to work well: Performance: In my testing, I have found that you can still get excellent speeds with some double-hop VPNs. Below is an example where I hit over 116 Mbps download speed with NordVPN on the Switzerland > Sweden connection. My baseline (non-VPN) speed was around 155 Mbps (tested from Germany). You can see server options and prices on the NordVPN website. One drawback with the double-hop VPNs mentioned above is that they only offer static configurations. This means that you cannot configure your own unique multi-hop VPN using any server in the network. Additionally, you can also create double-hop connections with VPNs that offer self-configurable server selection, which we’ll examine more below.
Browser proxy extension + VPN client with VPN.acAnother useful privacy tool is a secure proxy browser extension, which can be combined with a VPN client on the operating system. VPN.ac offers a secure proxy browser extension for Firefox, Chrome, and Opera browsers. The extension encrypts all traffic within the browser using TLS (HTTPS) and is fast and lightweight. In the image below, you can see I’m connected to a VPN server in Sweden with VPN.ac’s desktop application, while also connected to a server in New York through the browser proxy extension. Just like with their VPN application, VPN.ac also offers double-hop proxy locations for the browser. This means you could be running a double-hop VPN server connection on the desktop VPN client, and also a separate double-hop connection through the browser. Since the browser extension works independently (unlike most other VPN browser extensions), it can be combined with a different VPN service running on the desktop client.
Self-configurable multi-hop VPNsA self-configurable multi-hop VPN allows you to individually select the servers in the VPN cascade. Here are a few VPN services offering this feature.
1. Perfect Privacy (four hops)Perfect Privacy allows you to create self-configurable VPN cascades with up to four hops directly in the VPN client. I tested this feature out for the Perfect Privacy review with both the Windows and Mac OS clients and found everything to work well. Here is a four-hop VPN server cascade: Frankfurt >> Copenhagen >> Calais >> Malmo With this configuration, your true identity and IP address will be protected behind four different encrypted VPN servers. Every website you visit will only see the server details of the last hop in the VPN cascade. You can simply enable the multi-hop configuration setting, and then dynamically add or remove VPN servers in the VPN client. The last server in the cascade will reflect your publicly-visible IPv4, IPv6, and DNS resolvers. You can also see above that Perfect Privacy is providing me with both an IPv4 and IPv6 address – they are one of the few VPNs offering full IPv6 support.
2. ZorroVPN (four hops)Another option I’ve for a four-hop VPN cascade is with ZorroVPN. ZorroVPN is a Belize-based provider that did well in testing for the ZorroVPN review. Aside from the higher price, the main drawback with ZorroVPN is that they do not offer any custom VPN applications. This causes a few issues:
- You will need to use third-party OpenVPN applications, such as Viscosity, Tunnelblick, or others.
- You will need to manually create the multi-hop VPN server configuration file, and then import the file into your VPN application. In other words, you can’t simply create or change a multi-hop cascade directly in the VPN app, such as with Perfect Privacy.
3. OVPN (two hops)OVPN is a Swedish VPN service that offers multi-hop configurations through an add-on feature. This feature is $5 per month in addition to your regular VPN subscription. This is similar to ProtonVPN and the Secure Core option, which is more expensive than the basic subscription tier. You can route traffic over two hops with OVPN. OVPN also supports IPV6.
4. IVPN (two hops)IVPN is a VPN service based in Gibraltar. It offers users the ability to route traffic over two hops, but does not support IPv6. However, IVPN does support the new WireGuard VPN protocol. Like some of the others we’ve covered, IVPN prices are above-average, but it is also a fully-featured VPN with clients for all major operating systems and devices.
5. Insorg (five hops)Insorg is another interesting VPN provider that supports up to five hops. The website discusses a strong stance toward privacy and security, as you can read about here. There isn’t much information about Insorg, other than what you can find on their website. It’s also one of the most expensive VPNs I’ve seen.
Dynamic multi-hop VPN configurations (NeuroRouting)The latest development in multi-hop connections and advanced security is NeuroRouting. This is a unique feature was officially launched in October 2017 by Perfect Privacy. NeuroRouting is a dynamic, multi-hop configuration that allows you to simultaneously route your traffic across numerous unique/different server configurations in the network. This feature is explained more in my NeuroRouting post, but here are the main points:
- Dynamic – Your internet traffic is dynamically routed across multiple hops in the VPN server network to take the most secure route. The routing path is based on TensorFlow, an open source software for machine learning, and data remains in the network as long as possible. Being based on TensorFlow, the network continually learns the best and most secure route for a given website/server.
- Simultaneous – Each website/server you access will take a unique route. Accessing multiple different websites will give you numerous, unique multi-hop configurations and IP addresses at the same time, corresponding to the location of the website server and the last VPN server in the cascade.
- Server-side – This feature is activated server-side, meaning every time you access the VPN network, NeuroRouting will be active (unless you disable it from the member dashboard). This also means it will work on any device – from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) as well as IPSec/IKEv2, which can be used natively on most operating systems.
Multi-hop VPN chains with different VPN providersAnother option is to create chains using more than one VPN provider at the same time. This is sometimes referred to as a “VPN within a VPN” or a “nested chain” of VPNs. This is a good option for protecting users against a VPN that may be compromised, as well as a VPN server that may be compromised. Here are a few different ways to do this: VPN 1 on router > VPN 2 on computer/device This is an easy setup with a VPN on a router and then using a different VPN service on your computer or device, which is connected through your VPN router. Choosing nearby servers will help minimize the performance hit with this setup. VPN 1 on computer (host) > VPN 2 on virtual machine (VM) This is another setup that can be run without much hassle. Simple install VirtualBox (free), install and setup the operating system within the VM, such as Linux (free), and then install and run a VPN from within the VM. This setup can also help protect you against browser fingerprinting by spoofing a different operating system from your host computer. You can also add a router to the mix, using three different VPN services: VPN 1 on router > VPN 2 on computer (host) > VPN 2 on virtual machine (VM) Lastly, you could also create virtual machines within virtual machines, or daisy-chain virtual machines. (If you are new to virtual machines, there are many videos available online that explain setup and use.) Virtual machines are a great privacy and security tool, since they allow you to create isolated environments for different purposes – also known as compartmentalization. Within VirtualBox, you can create numerous different VMs using various operating systems, such as Linux, which you can install for free. This also allows you to easily create new browser fingerprints with each additional VM, while also concealing your host machine’s fingerprint. Use Linux – When setting up VMs, I’d recommend running a Linux OS, for the following reasons:
- Open source
- More private and secure than Windows or Mac OS
Conclusion on multi-hop VPNsA multi-hop VPN configuration is an excellent way to achieve a higher level of privacy and security while also distributing trust across data centers and adding extra layers of encryption. However, you should also understand that even when routing traffic over numerous hops, you are still placing all your trust in a single VPN service. Therefore this won’t protect you if the VPN itself is compromised. To get around this issue and further distribute trust, you can use nested VPN chains, with we will discuss more in future advanced privacy guides. One of the simplest methods for using a multi-hop VPN on all devices would be to utilize the NeuroRouting feature from Perfect Privacy. Simply activate NeuroRouting from the member dashboard, and it will automatically be applied to all devices that connect to the VPN, with any protocol, any app, and any device. Because it is a server-side feature, rather than controlled within the client, it will simply work with everything that connects to the VPN. Here is a recap of the multi-hop VPNs we’ve covered in this guide. Double-hop VPN services (fixed locations, not self-configurable)
- NordVPN – $3.71 per month (with the 68% discount); based in Panama; 31 double-hop configurations (NordVPN review)
- ProtonVPN – $8.00 per month; based in Switzerland; 48 double-hop servers (ProtonVPN review)
- VPN.ac – $3.75 per month; based in Romania; 22 double-hop configurations (VPN.ac review)
- Perfect Privacy – Up to four servers, plus the NeuroRouting feature; $8.95 per month; based in Switzerland (Perfect Privacy review)
- ZorroVPN – Up to four servers; $10 per month; based in Belize (ZorroVPN review)
- OVPN – Up to two servers; $7.00 per month (but the multi-hop feature is a paid add-on for $5.00/month); based in Sweden
- IVPN – Up to two servers; $8.33 per month; based in Gibraltar
- Insorg – Up to five servers; $15.83 per month; jurisdiction unknown
Final Disclaimer and Instructions from NetTodays
NetTodays is a platform for Best VPN Review and Which VPN Service is Best for you. How to get Best Free VPN Review without the expense. NetTodays suggest how to utilize the most recent VPN and reviews about What is the Best VPN for Netflix. Best VPN built for speed, you can select a server at the country or city level and can favorite a location for future use. NetTodays help you to understand that What is the Best VPN on the Market. NetTodays provide you all these reviews and recondition about Best VPNs for Gaming
A VPN is a service that both encrypts your data and hides your IP address by bouncing your network activity through a secure chain to another server miles away. This obscures your online identity, even on public Wi-Fi networks, so you can browse the internet safely, securely, and anonymously.
NetTodays gives you answers to all questions which are in your mind about VPN.
NetTodays also suggest continually utilizing Best VPN when you are using a newer Wi-Fi Network. Here is a decent dependable guideline: If you’re away from the workplace or home, and you’re utilizing another person’s Wi-Fi (even that of a relative or a companion, since you can’t be sure whether they’ve been compromised), utilize a VPN. It’s especially significant in case you’re getting to help that has specifically distinguishing data. Keep in mind, a great deal goes on in the background, and you never truly know whether at least one of your applications is verifying behind the scenes and putting your data in danger.