Multihop: Advantages of a cascaded VPN connection

A multihop connection allows you to cascade your VPN connection through several VPN servers in different locations. This increases latency (ping response times), because every hop adds a further network leg plus its own encryption and decryption, but it offers two major advantages:

Circumvent nationwide censorship

First, you can choose your entry and exit node separately. This is useful if you are located in a country that only allows connections to domestic IP addresses. Once you have established a VPN connection to a server inside the country, you cascade the connection and exit on a server outside the country. In this way a VPN can circumvent nationwide censorship (as practised in China, for example).

Visualisation of a Perfect Privacy multihop/cascading VPN connection over 4 hops to Facebook

Protection from sophisticated attacks

The second advantage is protection against certain more sophisticated attacks, which increases the security and anonymity of the VPN user.

In general, a cascaded connection makes traffic correlation attacks much harder. With a single VPN server, the user's ISP (or any eavesdropper on that link) knows which VPN server the user is connecting to. The ISP or eavesdropper cannot read the content of the tunnel or determine which websites the user is visiting. But if the eavesdropper can also observe the traffic of the data center, he can compare the incoming and outgoing traffic of the VPN server (timing and volume) and try to match an outgoing flow to a particular user. This becomes increasingly difficult as the number of users on the VPN server grows.

With a cascaded connection this type of attack becomes much more difficult: the ISP or eavesdropper still knows the user's entry node, but does not know on which server the traffic exits. He would need to observe every exit node the provider operates and correlate the user's traffic pattern against all of them at once. This makes identifying users by traffic correlation considerably harder and more expensive, although an adversary who can watch every hop simultaneously is not ruled out entirely.

It is also possible, at least in theory, that an attacker gains physical access to a VPN server in the data center and uses it to de-anonymise VPN users. A cascaded connection limits this attack vector: since the client adds a separate layer of encryption for every hop in the cascade, a compromised entry or middle node sees only the user's connection on one side and another encrypted tunnel to the next hop on the other; it can neither read the payload nor learn the destination, so there is nothing to correlate with the incoming traffic. A compromised exit node, conversely, sees the destination but not the user's IP address.

The attacker still sees encrypted outgoing traffic to another VPN server, but cannot tell whether that server is a middle node or the exit node. To intercept and decrypt the traffic he would need control of every hop in the cascade at the same time, which is considerably harder when the hops are located in different countries and jurisdictions.

By the way: not every VPN provider that offers cascaded or multi-hop connections actually provides a fully encrypted cascade. Some providers simply forward your traffic from one VPN server to the next without an additional layer of encryption. This does not protect against the attacks described above, because the traffic can still be read in full on the entry node. If in doubt, ask your VPN provider how its cascaded connections are implemented.
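The per-hop layering described in the last three paragraphs, as an added example that is not Perfect Privacy's code and does not describe its actual implementation: a small Go model of a three-hop cascade in which the client wraps each packet in one AES-256-GCM layer per hop, innermost for the exit node. Hop names, keys and the destination are constructed for the demo (a real VPN derives the per-hop key from the tunnel handshake and nests whole tunnels rather than single packets; the packet layering stands in for that). Traverse records what each hop can see once it has removed its own layer, and ForwardWithoutCascade models the single-layer forwarding variant the paragraph above warns about.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Hop is one VPN server in the cascade. Its key is shared with the client only; a real
// VPN derives it from the tunnel handshake, this demo just draws it at random (assumption).
type Hop struct {
	Name string
	Key  []byte // 32 bytes -> AES-256
}

func NewHop(name string) Hop {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	return Hop{Name: name, Key: k}
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return gcm
}

// seal encrypts and authenticates with AES-256-GCM; the random nonce is prepended.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal and fails (authentication error) for any other key.
func open(key, ct []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(ct) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// encodeLayer packs one hop's routing instruction: 2-byte length, the name of the
// next hop (or the final destination), then the bytes this hop should forward.
func encodeLayer(next string, inner []byte) []byte {
	var buf bytes.Buffer
	var hdr [2]byte
	binary.BigEndian.PutUint16(hdr[:], uint16(len(next)))
	buf.Write(hdr[:])
	buf.WriteString(next)
	buf.Write(inner)
	return buf.Bytes()
}

func decodeLayer(p []byte) (next string, inner []byte, err error) {
	if len(p) < 2 { return "", nil, fmt.Errorf("layer too short") }
	n := int(binary.BigEndian.Uint16(p))
	if len(p) < 2+n { return "", nil, fmt.Errorf("truncated next-hop field") }
	return string(p[2 : 2+n]), p[2+n:], nil
}

// BuildCascade builds the packet the client hands to the entry node: the innermost
// layer (exit key) carries destination and payload; every outer layer only names
// the next hop and wraps the inner ciphertext, so each hop learns just one address.
func BuildCascade(hops []Hop, dest string, payload []byte) []byte {
	packet := seal(hops[len(hops)-1].Key, encodeLayer(dest, payload))
	for i := len(hops) - 2; i >= 0; i-- {
		packet = seal(hops[i].Key, encodeLayer(hops[i+1].Name, packet))
	}
	return packet
}

// Observation is everything a hop (or an attacker controlling it) learns from one packet.
type Observation struct {
	Hop, Next string // this hop; the next hop, or the destination at the exit node
	Payload   []byte // what remains after this hop removed its own layer
}

// Traverse walks the packet through the cascade; each hop can remove only its own layer.
func Traverse(hops []Hop, packet []byte) ([]Observation, error) {
	var obs []Observation
	for _, h := range hops {
		layer, err := open(h.Key, packet)
		if err != nil { return nil, fmt.Errorf("%s: %w", h.Name, err) }
		next, inner, err := decodeLayer(layer)
		if err != nil { return nil, err }
		obs = append(obs, Observation{Hop: h.Name, Next: next, Payload: inner})
		packet = inner
	}
	return obs, nil
}

// ForwardWithoutCascade models the weaker design the text warns about: the client
// encrypts for the entry node only, which decrypts and forwards on its own, so that
// node sees destination and payload in the clear. It is simply a one-hop cascade.
func ForwardWithoutCascade(entry Hop, dest string, payload []byte) (Observation, error) {
	obs, err := Traverse([]Hop{entry}, seal(entry.Key, encodeLayer(dest, payload)))
	if err != nil { return Observation{}, err }
	return obs[0], nil
}
```

Running Traverse over a cascade built for entry-NL, middle-CH and exit-IS shows the property the text relies on: the entry node learns the user's address and the name of the next hop but only ciphertext beyond that, the exit node learns the destination and payload but not the user, and any hop that tries to open a layer not sealed for its key gets an authentication failure rather than plaintext. ForwardWithoutCascade, by contrast, hands the entry node destination and payload directly, which is exactly what the missing per-hop encryption layer would expose.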

Tutorial: Enable Multi-Hop VPN