What is a multi-hop VPN

Simply put, a multi-hop VPN adds an extra layer of encryption and an additional server to your normal VPN connection by “chaining” or “cascading” two or more VPN servers together. The purpose is to boost the security and privacy provided by a standard, single-server VPN connection.

Multi-hop VPNs are sometimes called double VPNs, although any number of VPN servers can be included in the chain.

What’s wrong with a normal VPN?

A normal VPN connection routes both incoming and outgoing internet traffic through a single VPN server.

  1. Your data is encrypted on your device,
  2. sent to the VPN server,
  3. decrypted on the VPN server,
  4. and sent on to its final destination.

The same process happens in reverse for incoming traffic.

A normal setup like this provides sufficient privacy and security for most users. That being said, it’s not without its weaknesses. If that server is somehow compromised, your Internet Service Provider (ISP), government agencies, network administrators, websites, apps, and hackers could correlate the traffic going into the VPN server with the traffic going out. Even though your traffic is encrypted, it can still be correlated to unencrypted traffic through time stamps, amount of data transferred, and the IP addresses of VPN server.

The VPN server can record your real IP address and online activity even if it claims to have a “no logs” policy. Assuming the VPN provider is trustworthy, providers don’t normally own their own data centers, where the servers are housed.

An attacker can see the IP address of the VPN server you’re connected to. If they can somehow breach the data center where that VPN server is housed, the user is vulnerable to traffic correlation. The encrypted traffic between the end user device and the server can be correlated with the decrypted traffic between the server and the web, identifying the user.

If a well-armed adversary was to somehow compromise your connection to the VPN server—servers in data centers can be hacked, abused by staff, or monitored by government agencies—then they could trace your online activity back to you.

Multi-hop VPN advantages

A small handful of VPN providers offer multi-hop VPNs as part of their subscriptions. Our top recommendation is NordVPN, which runs a couple dozen double-hop VPNs to multiple countries. You also get a no-logs policy, fast servers, live support, and strong encryption.

NordVPN double-hop VPN

EXCLUSIVE DEAL:Save 75% on NordVPN’s three-year deal here. That works out to only $2.99/mo.

Better security, privacy, and anonymity

Double-hop VPN

A multi-hop VPN attempts to mitigate these threats. Here’s how a typical double-hop VPN works:

  1. Your data is encrypted on your device once,
  2. then encrypted on your device a second time (two layers of encryption).
  3. The encrypted data is sent to the first VPN server.
  4. The second layer of encryption is removed.
  5. The encrypted data is sent to the second VPN server.
  6. The first layer of encryption is removed and the data is fully decrypted.
  7. The decrypted data is sent on to its final destination.

Note that each layer of encryption is removed in the reverse order that it was applied—last in, first out. The first VPN to encrypt data on the device will be the last server in the chain, and the last one to encrypt data will be the first in the chain.

This tunnel within a tunnel solves a few of the problems that normal VPN connections can be affected by:

  • Although your ISP or an attacker can see your data going to a VPN server, they cannot see the second VPN server, and therefore cannot monitor traffic coming out of the VPN to correlate with the encrypted data going in.
  • Similarly, websites and apps you use while connected to a multi-hop VPN can see the second VPN server where traffic exits, but not the first one where it enters, making correlation nearly impossible.

Most VPNs use shared IP addresses, meaning all the users connected to a single server are assigned the same IP address. This makes it much more difficult to trace online activity back to a single user. Sending traffic through two pools of users with shared IP addresses makes traffic correlation exponentially more difficult.

If an attacker compromises the first server in the chain, the user’s data is still encapsulated in a second layer of encryption. If an attacker compromises the second server, they will still not be able to trace back any data beyond the first server.

Bypassing censorship

VPNs are frequently used to bypass censorship, whether in an office or school environment or in an autocratic country like China. If the entity doing the censoring figures this out and blocks a range of VPN servers, a double-hop VPN might be necessary to unblock the web.

Let’s say China blocks or throttles all internet traffic to the US, including US-based VPN servers. If you need to access some content that’s only available in the US, switching to a different country won’t suffice. Instead, a multi-hop VPN could allow you to connect to Canada (or another country) first, and then the US. The censor won’t be able to monitor for the US server, and therefore allows the connection to pass through.

See also: Best VPNs for China

Multi-hop VPN disadvantages

Performance and speed

Internet speed and device performance will both take a hit when using a multi-hop VPN.

  • Latency is increased by the added distance that your data must travel.
  • Speed is limited by whichever server in the chain has the least bandwidth available.
  • Decrypting two or more layers of encryption instead of just one is more demanding on your device hardware.

In a rare few cases, the connection between the two servers might be faster than a direct connection to the second server. In this case, a multi-hop VPN can improve latency by navigating around the roadblock, but this scenario seldom occurs in a way that’s reliable enough for a multi-hop VPN to really benefit users over a single VPN.

Will not protect you from your VPN provider

Multi-hop VPNs mitigate some of the traffic correlation risks associated with single server VPN connections, but they won’t protect you from nefarious VPN providers. If both of the servers in the chain belong to the same provider, it would be simple for that provider to monitor your online activity and keep logs of what you do online. Because the provider has control of both servers, using a double VPN does nothing to protect from the VPN provider.

One solution is to use VPN servers from separate providers (see below), and another is to use your own VPN server in combination with a provider’s. These methods require much more technical expertise to set up compared to the multi-hop options built into some provider’s apps, and are beyond the scope of this article. Suffice to say they have their own challenges and privacy issues.

Multi-hop VPN vs Tor

If anonymity is your goal, Tor will probably serve you better than a multi-hop VPN. Tor servers, called nodes or relays, are decentralized, meaning they aren’t operated by a single entity. Tor traffic always passes through at least three of these nodes, which is more than the typical two offered by most multi-hop VPN services.

Each time you access a different domain, your internet traffic takes a different, random route through the Tor network. Each node only knows the location of other nodes that immediately precede and follow it. That means no one node has knowledge of the entire route that your traffic takes to its destination. Similar to a multi-hop VPN, each node removes a layer of encryption, revealing the IP address of the next node in the chain.

Tor does not allow you to choose where these nodes are located, whereas a multi-hop VPN does. Tor is also somewhat vulnerable to traffic analysis, although it’s extremely rare. Many apps and websites might block internet traffic from Tor exit nodes. And Tor is generally slower than a VPN.

Tor + VPN

It’s possible to combine Tor with a VPN, but experts argue as to whether this actually provides much benefit to the user. The easiest way to use Tor with a VPN is to simply connect to a VPN and then open the Tor Browser. Traffic will first be sent through the VPN, and then through the Tor network.

If you’re feeling like you need to maximize your privacy at the cost of performance, a multi-hop VPN combined with Tor is certainly an option, but probably not one that’s necessary for the vast majority of users.

Read more about how Tor can be used with a VPN here.

Can I use two VPNs at the same time on the same device?

It is possible to connect two VPN clients to separate servers at the same time on a single device. However, this will generally not result in a multi-hop VPN as we have described above. Instead, multiple VPNs on a single device are typically set up for split tunneling. In other words, it creates two parallel tunnels instead of a tunnel inside a tunnel.

Split tunneling uses a set of rules that determine the routes your internet traffic will take, depending on its source or type. For example, you may want BitTorrent traffic to travel through one VPN, and data from all your other apps to travel through a different VPN. So long as the two rulesets that determine this behavior do not overlap, the two VPNs can operate independently.

Simply installing two VPN apps on a single device and connecting both without establishing IP routes ahead of time can cause trouble, such as memory leaks and DNS errors. The exact result varies depending on the particular VPN clients’ implementation.

We tested a few VPNs on Windows 10 just to see what would happen if we connect them at the same time. In our testing, either the first VPN prevented the second from connecting at all (ExpressVPN prevents NordVPN from connecting), or the second VPN took over completely (PrivateVPN took over even though Ivacy was still connected). The VPNs did not operate in tandem, and running a traceroute gave the same results with one VPN connected as with two.

In short, connecting two VPNs at the same time on the same device is not the same as using a multi-hop VPN and can result in undesirable behavior and errors.

Chaining VPN servers from different providers

If you want to chain VPN servers from different providers, a better option is to set up one VPN on your laptop or smartphone, and the second VPN on your wifi router or a virtual machine. This has a similar result to using a double-hop VPN from a provider like NordVPN. The flow of data looks like this:

  • VPN A on your device encrypts data and sends it to the router or VM.
  • VPN B on the router or VM encrypts the data a second time and sends it to VPN B’s server.
  • VPN server B receives the data, removes the second layer of encryption, and sends it on to VPN server A.
  • VPN server A receives the data, removes the first layer of encryption, and sends the fully decrypted data on to its destination.

The process is reversed for incoming internet traffic. Websites and apps can only trace traffic back to VPN server A, while your ISP can only see that information is being sent to VPN server B.