Chaining VPN servers (or “Double VPN”)

It is possible to “chain” VPN servers so that your data is routed between two or more VPN servers as it travels between you and the internet. Such chaining can provide some security benefits, but will always result in a major loss of speed.

Your PC/device -> VPN server 1 -> VPN server 2 -> Internet

Chaining VPN servers is possible using either a VPN service that offers it as a feature, or you can do it yourself using a Virtual Machine (VM).

Double-hop VPN services

Some VPN services offer multihop VPN connections, allowing you to route your VPN connection through two or more of their servers. The most prominent of these are NordVPN and IVPN, but some smaller providers (which I am not familiar with) also offer this as a feature.

The advantage of chaining VPN servers in this way is that the VPN provider does all the hard work. It is usually simply a matter of selecting the correct profile in the VPN client, and everything else is taken care of automatically.

NordVPN double-hop

NordVPN only supports “Double VPN” through its Austria -> Netherlands servers. As you can see, data is re-encrypted as it leaves each server.

IVPN Multi-hop

IVPN, on the other hand, allows you to double-hop through any of its servers.

Aside from the fact that any extra hops will seriously slow down your internet connection (see our IVPN Review for some speed test results), I am very dubious about the value of such a setup. This is because the VPN provider still routes the signal, so:

a) Adversaries will be easily able to trace a user to that VPN service, and

b) The provider still does the routing, so it knows exactly who is connected to what, no matter how many servers your data is routed through.

Of course, if the provider keeps no logs, uses shared IPs, etc., it may not be able to turn over any information, but this is exactly the same as if a single VPN server was being used!

If the VPN provider is not compromised, then multi-hopping through servers located in countries where an adversary has no leverage might help prevent that adversary from tracking a connection back to you. For example, if you are concerned about being traced by the NSA, double-hopping through servers located in China and Russia might conceivably make life difficult for the NSA. However:

a) Very few providers actually offer servers located in such locations (and China bans all VPN services)

b) Can you really trust VPN servers located in such countries?

Chaining VPN servers yourself

Another option is to chain VPN servers yourself using Virtual Machines. Virtual Machines effectively allow you to run one Operating System (OS) inside another. It is therefore possible to connect to one VPN service using your primary OS, and then connect to a second one from within the VM.

All connections from within the Virtual Machine will be routed through both VPN servers (with the one your primary OS is connected to being the first).

A 2 server chain using a Virtual Machine would, therefore, work something like this:

PC -> VPN 1 -> Virtual Machine  -> VPN 2 -> Internet

The advantages of this over using a double-hop VPN service are:

  • You are protected by 2 completely different VPN services, making it twice as difficult for an adversary to identify you. Note that this only really applies if you use privacy-friendly no logs providers
  • You are completely free to decide which servers to connect to
  • There is no limit to how many servers you can chain (except the power of your PC and how much of a speed hit you are willing to take).

Disadvantages include:

  • You now need to trust two VPN services, rather than just one
  • Can be pricey, as you need to pay for each VPN service you use. You could use free services, but this would lose many of the privacy advantages that chaining VPN servers brings: most free services keep logs and are otherwise not the most trustworthy, or else have data and/or speed limits that would likely be crippling over a multihop connection
  • It is a pain to set up
  • You will suffer the combined speed hit of connecting to every VPN server that you chain (at least!).

Example setup

Below is an example setup for chaining VPN servers yourself, using a Windows 10 PC running Oracle VM VirtualBox. Please note that if you are serious about security, you should seriously consider using some version of Linux as your primary OS instead of Windows. The process for doing this in OSX or Linux is very similar.

  1. Download some VM software and an Operating System. For this example I have used VirtualBox (available for both Windows and OSX) to create a Virtual Machine, into which I loaded the Linux Mint OS. These are both free and open source.

See here for a full guide on how to set up VirtualBox.

For simplicity’s sake, I will assume from here on that VPN service 1 is already installed and connected in your primary OS (I am using AirVPN connected to a Netherlands server in Windows).

Once your VM is set up, you can check your IP address by visiting IPLeak.net in your browser. It should show the IP of a server belonging to VPN service 1 (AirVPN in my case). This is because the VM’s internet connection is routed through my regular internet connection (which is routed through an AirVPN server).

  2. Install VPN service 2 inside the Virtual Machine. Most VPN providers have instructions for connecting to their service using Linux. I used IVPN (since I had a subscription for it available). As with most providers, IVPN gives detailed instructions for setting up OpenVPN in Linux using the open source Linux OpenVPN client.

Once connected to the VPN in the VM, visit IPLeak.net again. Here you can see that I am connected to an AirVPN Netherlands server in Windows, and an IVPN Switzerland server in the Mint VM.

Ta da! When using the Mint VM to access the internet, I am chaining 2 VPN servers (and am therefore protected by both VPNs). My connection is now effectively:

PC -> Netherlands (AirVPN) -> Switzerland (IVPN) -> Internet
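
A local cross-check for the IPLeak.net step, as an added example that is not part of the original article: a shell function that reads `ip -4 route show` output inside the Linux guest and reports whether internet-bound traffic leaves through VPN 2's tunnel or directly through the VirtualBox NAT adapter, in which case only VPN 1 on the host is protecting it. It assumes VPN 2 is OpenVPN using a tun/tap interface; the function names and both sample routing tables are constructed for illustration.

```shell
# Added example: classify the guest's IPv4 routing table (stdin).
# Prints "tunnel <dev>" if internet-bound traffic uses a tun/tap device,
# otherwise "direct <dev>" (second hop missing, only VPN 1 on the host applies).
chain_exit() {
  awk '
    function is_tun(d) { return d ~ /^(tun|tap)[0-9]+$/ }
    {
      dev = ""
      for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
      if ($1 == "default")          { def_dev = dev }
      else if ($1 == "0.0.0.0/1")   { low = dev }
      else if ($1 == "128.0.0.0/1") { high = dev }
    }
    END {
      # OpenVPN "redirect-gateway def1" adds two /1 routes that outrank
      # the original default route without deleting it; both must be present.
      if (low != "" && low == high && is_tun(low)) { print "tunnel " low; exit }
      if (is_tun(def_dev))                         { print "tunnel " def_dev; exit }
      print "direct " (def_dev == "" ? "none" : def_dev)
    }'
}

# Exit status 0 only when the second hop is in place, so it can gate
# other commands (for example, launching the browser in the VM).
require_chain() {
  case "$(chain_exit)" in
    tunnel*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Constructed sample: guest on VirtualBox NAT with VPN 2 connected.
# 198.51.100.7 stands in for the VPN 2 server address (documentation range).
SAMPLE_CHAINED='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
198.51.100.7 via 10.0.2.2 dev enp0s3'

# Constructed sample: the same guest after the VPN 2 tunnel has dropped.
SAMPLE_DROPPED='default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100'

# Live use inside the VM: ip -4 route show | chain_exit
printf '%s\n' "$SAMPLE_CHAINED" | chain_exit
```

This only inspects the guest's IPv4 routes; the first hop still has to be confirmed on the host, and IPv6 or DNS leaks need their own checks.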

More than two VPN servers?

In theory, if you have a powerful enough machine, there is nothing to stop you running any number of Virtual Machines inside the other Virtual Machines, allowing you to chain as many VPN servers as you like.

In practice, however, I have been unable to get this to work. You should also be aware that if you do get this to work, each extra “leg” in the chain will seriously impact your internet performance.

Speed tests

Just to provide a rough idea of the performance hit you are likely to encounter when chaining VPN servers, I have run some speed tests on the above double-hop setup. These were performed on a 50Mbps/3Mbps UK broadband connection, using TestMy.net’s UK test server.

As I am based in the UK, I have chosen to use Netherlands and Swiss servers, as I believe this reflects a typical real-world use-case. Both countries are good for privacy, but are close enough to hopefully not slow down my connection speeds too much.

Chaining speed results download

Chaining speed results upload

As we can see, chaining two VPNs results in a major speed loss (especially for download speed). That said, on my 50Mbps connection, a chained connection is quite useable at around 10Mbps. As something of a side-note, both AirVPN and IVPN performed notably well on their own in these tests.

Conclusion

I see limited value in chaining VPN servers belonging to the same VPN provider, but chaining servers belonging to two (or more) providers does have meaningful security benefits. The main downside of this is that in addition to twice the protection, you also suffer at least twice the performance hit (probably much more). It also means that you must trust two providers, instead of just one.

The elephant in the room here is the Tor Network. If you require very high levels of security and/or anonymity, then you should use Tor instead (and the speed hit of doing this is comparable with chaining 2 VPN servers). It might also be worth considering using Tor and VPN together, which (depending on how you configure the setup) can usefully combine the advantages of both privacy technologies.

Update June 2016: I have discovered a Bash script called VPNChains. This allows experienced Linux users to chain VPNs without the need for a Virtual Machine. I have not yet tested it myself, but the script reportedly works well.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

6 responses to “Chaining VPN servers (or “Double VPN”)”

  1. Hi, how do you set two VPNs up? I have IPA & have just got 4 weeks with Mullvad. When I log into IPA & the green man lights up, I then log onto Mullvad and IPA turns off. What am I doing wrong? Can someone let me know the set-up? Thanks

    1. Hi Lee,

      To run two VPNs simultaneously on the same machine, one of them needs to run inside a Virtual Machine (VM). If you then access web content from inside the VM, you will be protected by both VPNs. Please read through the Example Setup described in this article for a step-by-step guide.

  2. Hello Douglas, I decided to give your neat idea a try. I have everything up and running just like your setup, host is windoze 10, guest is Linux Mint, but I can’t get the vpn chaining to work. Both can connect to the internet independently BUT not when chained! My questions are; which network adapter on windows did you ‘enable internet sharing? what are your Network settings in VBox guest (what is it ‘Attached to:?’, the ‘Adapter Type:?) and which IPConfig numbers from Win 10 did you copy over to the network IP settings in the Linux guest? thanks so much for your help.

    1. Hi Jeremy,

      Hmm. This setup should not require any messing around with your internet settings in either Windows or your VM. In Windows the VPN is shared over my regular Ethernet/WiFi adapter. In Mint Network Connection is over Ethernet -> Wired Connection 1. In VirtualBox Network is Attached to: NAT i.e. the default settings.

  3. Interesting article. Thanks. How about putting VPN1 on the router? VMs have advantages, but also add lots of complexity, especially across OSs, for those who don’t already use VMs and multiple OSs. Also, what about using a browser extension in addition?

    Which features are most important for the inner versus outer VPN? You mention using servers in different countries, but wouldn’t that apply equally to the vendor hq jurisdiction?

    Finally, VPNs only address a small part of the broad privacy/anonymity spectrum. Would the effort be better spent on blocking trackers, browser fingerprinting, etc. than chaining VPNs? By analogy, is this adding a locked metal cover to a double locked metal door while ignoring the adjacent large windows with gauzy curtains? I realize this is somewhat(!) beyond the scope and depends upon the use case but it does deserve mention as a general caveat.

    1. Hi Bill,

      – Good points (and I probably need to update this article to address them). Using a VPN on your router and your desktop should indeed result in VPN chaining. Using a browser extension is slightly different because these are really encrypted proxies rather than true VPNs. But yes, the result will be similar. Do note, though, that browser extensions are almost offered for free, which leaves the question of how the devs fund their product open…

      – I would say that features such as DNS leak protection and kill switch are more important on the outer VPN (primary OS) as they will ensure that no traffic exits your computer outside at least one VPN. I can’t really see a problem with also enabling these features in the inner VPN, however.

      – As I think I have made clear in this article, I am dubious about the real benefit of chaining VPN servers (especially in your security/privacy toolbox. Most importantly, it does not prevent various tracking technologies used by websites and ad-servers to uniquely identify and follow you as you surf the web. The best solutions for these issues are indeed browser add-ons such as Privacy Badger, HTTPS Everywhere, Self-Destructing Cookies, uBlock Origin, and (if you want to go nuclear) No-Script. None of these, however, are very effective at preventing browser (and other forms of) fingerprinting, for which there are currently no amazing solutions.
