Multi-Hop VPNs for Maximum Privacy & Security (How-To Guide)

A multi-hop VPN simply encrypts your connection across two or more servers (multiple hops) before exiting on to the regular internet. Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security – even if one server were to be compromised.

In this guide we will explain why people are using multi-hop VPNs and how they can help you achieve higher levels of privacy and security. The key factor when considering whether you need a multi-hop VPN is your threat model. How much privacy do you need and want for your unique situation?

Disclaimer: For the majority of users, a multi-hop VPN may be overkill and not worth the performance tradeoffs (increased latency and slower speeds). A standard (single-hop) VPN setup with strong OpenVPN encryption, zero leaks, and other privacy tools (secure browser, ad/tracking blocker, etc.) should be adequate.

However, for those interested in achieving higher levels of privacy and security, there are multi-hop VPNs.

Surveillance and advanced online anonymity

A multi-hop VPN is a good privacy tool against targeted monitoring and other theoretical attack vectors we will discuss below. It may also be useful for those in dangerous situations, such as journalists or political dissidents living in oppressive countries.

One key question is whether you can trust the data center where the VPN server is located.

VPN services will rent, lease, or colocate servers in data centers all over the world for their network. These servers will be fully encrypted, secured, and under control of the VPN provider, thereby preventing third-party access to sensitive user data and traffic.

What can the data center see with an encrypted VPN server?

Even with strong encryption of the VPN server, the data center (host) – or perhaps an external state surveillance agency – could potentially monitor incoming and outgoing traffic on the server.

While this may seem alarming, it would still be very difficult for the data center (or third party) to gather useful information because:

• The traffic remains securely encrypted on the VPN tunnel, which right now is considered to be unbreakable (AES-256 encryption with the OpenVPN protocol, for example).
• Correlating outgoing traffic with incoming traffic is extremely difficult. Theoretically, traffic correlation for some users may be possible through advanced statistical analysis and studying traffic patterns. However, this remains difficult, especially on a large scale, even for powerful adversaries.
• Most VPNs utilize shared IPs, with many users on a given server (and IP address) at the same time, with all traffic being mixed. (Note: this is also why you should not “roll your own VPN” that only you will be using).

Even though a standard, single-hop VPN configuration will be adequate for the vast most users, incoming/outgoing traffic correlation may still be possible – at least in theory.

Are data centers really being targeted for traffic correlation attacks?

We have no way to know for sure. In many cases when authorities wanted customer data, they simply went to the data center and physically seized the server:

In other cases, some VPNs have cooperated with authorities and handed over user information after being pressured by law enforcement agencies. These cases related to criminal investigations being conducted by US authorities. See for example the IPVanish logs case and also the PureVPN logging example.

Multi-hop VPN cascade

The first example of a multi-hop VPN we will examine is a “cascade” – where traffic is encrypted across two or more of the VPN’s servers.

One provider offering the ability to create custom VPN cascades with up to four servers is Perfect Privacy. Here is a basic visual explanation of how that would work using a four-hop VPN cascade:

In the picture above, the user’s identity is changed at every hop and re-encrypted using OpenVPN 256-bit AES encryption (for example), before the traffic exits the VPN cascade on to the regular internet. With every hop, the new VPN server only gets the previous VPN server’s IP address/location – further obscuring and protecting the user’s true identity.

Perfect Privacy also makes some interesting points in their multi-hop VPN article:

With a cascaded connection this [traffic correlation] attack becomes much more difficult because while the ISP/eavesdroper still knows the VPN entry node of the user, it does not know on which server the traffic exits. He would need to monitor all VPN servers and take a guess at which exit node the user is using. This makes it next to impossible to successfully identify users by traffic correlation.

Also it is theoretically possible that an attacker has physical access to the VPN server in the data center. In that case he can possibly execute a de-anonymization attack on the VPN user. A cascaded connection protects against this attack vector: Since the user’s traffic is encapsulated with an additional layer of encryption for each hop in the cascade, no traffic can be read or correlated with incoming traffic.

The attacker would still see outgoing encrypted traffic to another VPN server but he cannot determine whether this is a middle or exit node. To successfully intercept and decrpyt the traffic, the attacker would need to have physical access to all hops in the cascade simultaneously. This is practically impossible if the hops are in different countries.

Using a multi-hop setup with strong encryption and other privacy tools provides you with a high level of online anonymity and security.

Double-hop VPNs

Double-hop VPN servers are a unique feature with some VPN providers.

With a double-hop VPN configuration, the first server could see your originating IP address, and the second server could see your outgoing traffic, but neither server would have both your IP address and your outgoing traffic.

This setup should still offer decent performance and it will also offer a higher level of security and privacy over a single-hop setup.

There are a few VPNs offering double-hop configurations that I have tested and found to work well:

Performance: In my testing, I have found that you can still get excellent speeds with some double-hop VPNs. Below is an example where I hit over 116 Mbps download speed with NordVPN on the Switzerland > Sweden connection. My baseline (non-VPN) speed was around 155 Mbps (tested from Germany).

You can see server options and prices on the NordVPN website.

One drawback with the double-hop VPNs mentioned above is that they only offer static configurations. This means that you cannot configure your own unique multi-hop VPN using any server in the network.

Additionally, you can also create double-hop connections with VPNs that offer self-configurable server selection, which we’ll examine more below.

Browser proxy extension + VPN client with VPN.ac

Another useful privacy tool is a secure proxy browser extension, which can be combined with a VPN client on the operating system. VPN.ac offers a secure proxy browser extension for Firefox, Chrome, and Opera browsers. The extension encrypts all traffic within the browser using TLS (HTTPS) and is fast and lightweight.

In the image below, you can see I’m connected to a VPN server in Sweden with VPN.ac’s desktop application, while also connected to a server in New York through the browser proxy extension.

Just like with their VPN application, VPN.ac also offers double-hop proxy locations for the browser. This means you could be running a double-hop VPN server connection on the desktop VPN client, and also a separate double-hop connection through the browser. Since the browser extension works independently (unlike most other VPN browser extensions), it can be combined with a different VPN service running on the desktop client.

Self-configurable multi-hop VPNs

A self-configurable multi-hop VPN allows you to individually select the servers in the VPN cascade. Here are a few VPN services offering this feature.

1. Perfect Privacy (four hops)

Perfect Privacy allows you to create self-configurable VPN cascades with up to four hops directly in the VPN client. I tested this feature out for the Perfect Privacy review with both the Windows and Mac OS clients and found everything to work well.

Here is a four-hop VPN server cascade: Frankfurt >> Copenhagen >> Calais >> Malmo

With this configuration, your true identity and IP address will be protected behind four different encrypted VPN servers.

Every website you visit will only see the server details of the last hop in the VPN cascade. You can simply enable the multi-hop configuration setting, and then dynamically add or remove VPN servers in the VPN client. The last server in the cascade will reflect your publicly-visible IPv4, IPv6, and DNS resolvers.

You can also see above that Perfect Privacy is providing me with both an IPv4 and IPv6 address – they are one of the few VPNs offering full IPv6 support.

2. ZorroVPN (four hops)

Another option I’ve for a four-hop VPN cascade is with ZorroVPN.

ZorroVPN is a Belize-based provider that did well in testing for the ZorroVPN review. Aside from the higher price, the main drawback with ZorroVPN is that they do not offer any custom VPN applications. This causes a few issues:

• You will need to use third-party OpenVPN applications, such as Viscosity, Tunnelblick, or others.
• You will need to manually create the multi-hop VPN server configuration file, and then import the file into your VPN application. In other words, you can’t simply create or change a multi-hop cascade directly in the VPN app, such as with Perfect Privacy.

The other issue here is that none of these third-party applications come with built-in leak protection settings. You will need to configure a kill switch and leak protection manually for all devices.

ZorroVPN offers a decent selection of servers and good performance. See the test results in the ZorroVPN review or visit their website for more info.

3. OVPN (two hops)

OVPN is a Swedish VPN service that offers multi-hop configurations through an add-on feature. This feature is $5 per month in addition to your regular VPN subscription. This is similar to ProtonVPN and the Secure Core option,  which is more expensive than the basic subscription tier.

You can route traffic over two hops with OVPN. OVPN also supports IPV6.

4. IVPN (two hops)

IVPN is a VPN service based in Gibraltar. It offers users the ability to route traffic over two hops, but does not support IPv6. However, IVPN does support the new WireGuard VPN protocol.

Like some of the others we’ve covered, IVPN prices are above-average, but it is also a fully-featured VPN with clients for all major operating systems and devices.

5. Insorg (five hops)

Insorg is another interesting VPN provider that supports up to five hops. The website discusses a strong stance toward privacy and security, as you can read about here.

There isn’t much information about Insorg, other than what you can find on their website. It’s also one of the most expensive VPNs I’ve seen.

Dynamic multi-hop VPN configurations (NeuroRouting)

The latest development in multi-hop connections and advanced security is NeuroRouting.

This is a unique feature was officially launched in October 2017 by Perfect Privacy.

NeuroRouting is a dynamic, multi-hop configuration that allows you to simultaneously route your traffic across numerous unique/different server configurations in the network. This feature is explained more in my NeuroRouting post, but here are the main points:

• Dynamic – Your internet traffic is dynamically routed across multiple hops in the VPN server network to take the most secure route. The routing path is based on TensorFlow, an open source software for machine learning, and data remains in the network as long as possible. Being based on TensorFlow, the network continually learns the best and most secure route for a given website/server.
• Simultaneous – Each website/server you access will take a unique route. Accessing multiple different websites will give you numerous, unique multi-hop configurations and IP addresses at the same time, corresponding to the location of the website server and the last VPN server in the cascade.
• Server-side – This feature is activated server-side, meaning every time you access the VPN network, NeuroRouting will be active (unless you disable it from the member dashboard). This also means it will work on any device – from routers to Mac OS and Android. Finally, NeuroRouting works with OpenVPN (any configuration) as well as IPSec/IKEv2, which can be used natively on most operating systems.

The image above shows NeuroRouting in action, with the user connected to a VPN server in Iceland, while accessing four different websites located in different parts of the world.

You can learn more about NeuroRouting here.

Multi-hop VPN chains with different VPN providers

Another option is to create chains using more than one VPN provider at the same time. This is sometimes referred to as a “VPN within a VPN” or a “nested chain” of VPNs.

This is a good option for protecting users against a VPN that may be compromised, as well as a VPN server that may be compromised.

Here are a few different ways to do this:

VPN 1 on router > VPN 2 on computer/device

This is an easy setup with a VPN on a router and then using a different VPN service on your computer or device, which is connected through your VPN router. Choosing nearby servers will help minimize the performance hit with this setup.

VPN 1 on computer (host) > VPN 2 on virtual machine (VM)

This is another setup that can be run without much hassle. Simple install VirtualBox (free), install and setup the operating system within the VM, such as Linux (free), and then install and run a VPN from within the VM. This setup can also help protect you against browser fingerprinting by spoofing a different operating system from your host computer.

You can also add a router to the mix, using three different VPN services:

VPN 1 on router > VPN 2 on computer (host) > VPN 2 on virtual machine (VM)

Lastly, you could also create virtual machines within virtual machines, or daisy-chain virtual machines. (If you are new to virtual machines, there are many videos available online that explain setup and use.)

Virtual machines are a great privacy and security tool, since they allow you to create isolated environments for different purposes – also known as compartmentalization. Within VirtualBox, you can create numerous different VMs using various operating systems, such as Linux, which you can install for free. This also allows you to easily create new browser fingerprints with each additional VM, while also concealing your host machine’s fingerprint.

Use Linux – When setting up VMs, I’d recommend running a Linux OS, for the following reasons:

• Free
• Open source
• More private and secure than Windows or Mac OS

Ubuntu is user-friendly and easy to get going in minutes.

Note: Be sure to disable WebGL in Firefox with all your VMs (see the instructions in the Firefox privacy guide using about:config settings). This will prevent graphics fingerprinting since all the VMs will be using the same graphics driver.

We will be covering the topic of nested VPN chains more in the Advanced Privacy Guides series.

Mirimir has also written some guides on setting up nested VPN chains:

Conclusion on multi-hop VPNs

A multi-hop VPN configuration is an excellent way to achieve a higher level of privacy and security while also distributing trust across data centers and adding extra layers of encryption.

However, you should also understand that even when routing traffic over numerous hops, you are still placing all your trust in a single VPN service. Therefore this won’t protect you if the VPN itself is compromised. To get around this issue and further distribute trust, you can use nested VPN chains, with we will discuss more in future advanced privacy guides.

One of the simplest methods for using a multi-hop VPN on all devices would be to utilize the NeuroRouting feature from Perfect Privacy. Simply activate NeuroRouting from the member dashboard, and it will automatically be applied to all devices that connect to the VPN, with any protocol, any app, and any device. Because it is a server-side feature, rather than controlled within the client, it will simply work with everything that connects to the VPN.

Here is a recap of the multi-hop VPNs we’ve covered in this guide.

Double-hop VPN services (fixed locations, not self-configurable)

1. NordVPN – $3.71 per month (with the 68% discount); based in Panama; 31 double-hop configurations (NordVPN review)
2. ProtonVPN – $8.00 per month; based in Switzerland; 48 double-hop servers (ProtonVPN review)
3. VPN.ac – $3.75 per month; based in Romania; 22 double-hop configurations (VPN.ac review)

Self-configurable VPN services:

1. Perfect Privacy – Up to four servers, plus the NeuroRouting feature; $8.95 per month; based in Switzerland (Perfect Privacy review)
2. ZorroVPN – Up to four servers; $10 per month; based in Belize (ZorroVPN review)
3. OVPN – Up to two servers; $7.00 per month (but the multi-hop feature is a paid add-on for $5.00/month); based in Sweden
4. IVPN – Up to two servers; $8.33 per month; based in Gibraltar
5. Insorg – Up to five servers; $15.83 per month; jurisdiction unknown

Final Disclaimer and Instructions from NetTodays

NetTodays is a platform for Best VPN Review and Which VPN Service is Best for you.  How to get Best Free VPN Review without the expense. NetTodays suggest how to utilize the most recent VPN and reviews about What is the Best VPN for Netflix. Best VPN built for speed, you can select a server at the country or city level and can favorite a location for future use. NetTodays help you to understand that What is the Best VPN on the Market. NetTodays provide you all these reviews and recondition about Best VPNs for Gaming

A VPN is a service that both encrypts your data and hides your IP address by bouncing your network activity through a secure chain to another server miles away. This obscures your online identity, even on public Wi-Fi networks, so you can browse the internet safely, securely, and anonymously.

NetTodays gives you answers to all questions which are in your mind about VPN.

NetTodays also suggest continually utilizing Best VPN when you are using a newer Wi-Fi Network. Here is a decent dependable guideline: If you’re away from the workplace or home, and you’re utilizing another person’s Wi-Fi (even that of a relative or a companion, since you can’t be sure whether they’ve been compromised), utilize a VPN. It’s especially significant in case you’re getting to help that has specifically distinguishing data. Keep in mind, a great deal goes on in the background, and you never truly know whether at least one of your applications is verifying behind the scenes and putting your data in danger.