Douglas Crawford

Douglas Crawford

May 26, 2016

It is possible to “chain” VPN servers so that your data is routed between two or more VPN servers as it travels between you and the internet. Such chaining can provide some security benefits, but will always result in a major loss of speed.

Your PC/device -> VPN server 1 -> VPN server 2 -> Internet

Chaining VPN servers is possible using either a VPN service that offers it as a feature, or you can do it yourself using a Virtual Machine (VM).

Double-hop VPN services

Some VPN services offer multihop VPN connections, allowing you to route your VPN connection through two or more of their servers. The most prominent of these are NordVPN and IVPN, but some smaller providers (which I am not familiar with) also offer this as a feature.

The advantage of chaining VPN servers in this way is that the VPN provider does all the hard work. It is usually simply a matter of selecting the correct profile in the VPN client, and everything else is taken care of automatically.

NordVPN double-hop

NordVPN only supports “Double VPN” through its Austria -> Netherlands servers. As you can see, data is re-encrypted as it leaves each server

IVPN Multi-hop

IVPN, on the other hand, allows you to double-hop through any of its servers

Aside from the fact that any extra hops will seriously slow down your internet connection (see our IVPN Review for some speed test results), I am very dubious about the value of such a setup. This is because the VPN provider still routes the signal, so:

a) Adversaries will be easily able to trace a user to that VPN service, and

b) The provider still does the routing, so it knows exactly who is connected to what, no matter how many servers your data is routed through.

Of course, if the provider keeps no logs, uses shared IP’s, etc., it may not be able to turn over any information, but this is exactly the same as if a single VPN server was being used!

If the VPN provider is not compromised, then multi-hopping through servers located in countries where an adversary has no leverage might help prevent it tracking a connection back to you. For example, if you are concerned about being traced by the NSA, double-hoping through servers located China and Russia might conceivably make life difficult for the NSA. However:

a) Very few providers actually offer servers located in such locations (and China bans all VPN services)

b) Can you really trust VPN servers located in such counties?

Chaining VPN servers yourself

Another option is to chain VPN servers yourself using Virtual Machines. Virtual Machines effectively allow you run one Operating System (OS) inside another. It is therefore possible to connect to one VPN service using your primarily OS, and then connect to a second one from within the VM.

All connections from within the Virtual Machine will be routed through both VPN servers (with the one your primary OS is connected to being the first).

A 2 server chain using a Virtual Machines would, therefore, work something like this:

PC -> VPN 1 -> Virtual Machine  -> VPN 2 -> Internet

The advantages of this over using a double-hop VPN service are:

  • You are protected by 2 completely different VPN services, making it twice as difficult for an adversary to identify you. Note that this only really applies if you use privacy-friendly no logs providers
  • You are completely free to decide which servers to connect to
  • There is no limit to how many servers you can chain (except the power of your PC and how much of a speed hit you are willing to take).

Disadvantages include:

  • You now need to trust two VPN services, rather than just one
  • Can be pricey, as you need to pay for each VPN service you use (you could use free services, but this would lose many of the privacy advantages that chaining VPN servers brings. Most free services keep logs, and are otherwise not the most trustworthy (or else have data and/or speed limits that would likely be crippling over a multihop connection)
  • It is a pain to setup
  • You will suffer the combined speed hit of connecting to every VPN server that you chain (at least!).

Example setup

Below is an example setup for chaining VPN servers yourself, using a Windows 10 PC running Oracle VM VirtualBox. Please note that if you are serious about security, you should seriously consider using some version of Linux as your primary OS instead of Windows. The process for doing this in OSX or Linux is very similar.

  1. Download some VM software and an Operating System. For this example I have used VirtualBox (available for both Windows and OSX) to create a Virtual Machine, into which I loaded the Linux Mint OS. These are both free and open source.

See here for a full guide on how to setup VirtualBox

For simplicity’s sake, I will assume from here on that VPN service 1 is already installed and connected in your primary OS (I am using AirVPN connected to a Netherlands server in Windows).

chaining vpn 2

One your VM is setup, you can check your IP address by visiting IPLeak.net in your browser. It should show the IP of a server belonging to VPN service 1 (AirVPN in my case). This is because the VM’s internet connection is routed through my regular internet connection (which is routed through an AirVPN server).

  1. Install VPN service 2 inside the Virtual Machine. Most VPN providers have instructions for connecting to their service using Linux. I used IVPN (since I had a subscription for it available). As with most providers, IVPN gives detailed instructions for setting up OpenVPN in Linux using the open source Linux OpenVPN client.

Chaining VPN serversOnce connected to the VPN in the VM, visit IPLeak.net again. Here you can see that I am connected to an AirVPN Netherlands server in Windows, and an IVPN Switzerland server in the Mint VM.

Ta da! When using the Mint VM to access the internet, I am protected chaining 2 VPN servers (and am therefore protected by both VPNs). My connection is now effectively:

PC -> Netherlands (AirVPN) -> Switzerland (IVPN) -> Internet

More than two VPN servers?

In theory, if you have a powerful enough machine, there is nothing to stop you running any number of Virtual Machines inside the other Virtual Machines, allowing you to chain as many VPN servers as you like.

In practice, however, I have been unable to get this to work. You should also be aware that if you do get this to work, each extra “leg” in the chain will seriously impact your internet performance.

Speed tests

Just to provide a rough idea of the performance hit you are likely to encounter when chaining VPN servers, I have run some speed tests o the above double-hop setup. These were performed on a 50Mbps/3Mbps UK broadband connection, using TestMy.net’s UK test server.

As I am based in the UK, I have chosen to use Netherlands and Swiss, as I believe this reflects a typical real-world use-case. Both countries are good for privacy, but are close enough to hopefully not down my connection speeds too much.

Chaining speed results download

Chaining speed results upload

As we can see, chaining two VPNs results in a major speed loss (especially for download speed). That said, on my 50Mbps connection, a chained connection is quite useable at around 10Mbps. As something of a side-note, both AirVPN and IVPN performed notably well on their own in these tests.

Conclusion

I see limited value in chaining VPN servers belonging to the same VPN provider, but chaining servers belonging to two (or more) providers does have meaningful security benefits. The main downside of this is that in addition to twice the protection, you also at least suffer twice the performance hit (probably much more). It also means that you must trust two providers, instead of just one.

The elephant in the room here is the Tor Network. If you require very high levels of security and/or anonymity, then you should use Tor instead (and the speed hit of doing this is comparable with chaining 2 VPN servers). It might also be worth considering using Tor and VPN together, which (depending on how you configure the setup) can usefully combine the advantages of both privacy technologies.

Update June 2016: I have discovered a Bash script called VPNChains. This allows experienced Linux users to chain VPNs without the need for a Virtual Machine. I have not yet tested it myself, but the script reportedly works well.

Douglas Crawford
March 8th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

13 responses to “Chaining VPN servers (or “Double VPN”)

  1. Dear Mr. Douglas Crawford

    Windows 7 Pro and Windows 7 Ultimate and Windows 7 Enterprise (all 64 bit), allready contains virtualization software (see manual for Win 7 family). Two modules must be downloaded and installed, then a virtual machine (32 or 64 bit) can be defined. I have used this software to still be able to run old fashioned Windows XP Home and Pro (32 bit). However i am allmost sure, it could also be used to implement nested VPNs or chained VPNs. I look forward to a response from You Sir.
    Sincerely Yours Peter Jepsen.
    N.B.: I my self is using CyberGhost ver. 6.5.2.31 or CyberGhost ver. 6.5.1.3377 .

    1. Hi Peter,

      Hmm. Interesting. I assume you are referring to Windows Virtual PC from Microsoft? In theory there is no reason you can’t infinitely nest VMs until your PC grinds to a halt from lack of resources, but it doesn’t seem to work using VirtualBox. I’m afraid that I don’t really have the time at the moment to mess around with setup you suggest, but if you get around to doing it yourself I would love to hear the result.

Leave a Reply

Your email address will not be published. Required fields are marked *