How to chain VPN servers - gHacks Tech News

How to chain VPN servers

VPN Chaining is a technique in which multiple virtual private network (VPN) servers are chained to improve online privacy while on the Internet.

Basically, what it means is that you are not connecting to a single VPN but to multiple ones in a layered system that looks like Your PC > 1st VPN > 2nd VPN > Internet.

Before we take a look at the how, we should discuss why you would want to do that. One argument is that you cannot trust any of the VPN providers out there.

While most claim these days that they don't log, there is virtually no way to prove that this is indeed the case.

And even if they don't log user activity, they may still be forced to cooperate and log activity of certain users connecting to the system, for instance when forced to do so by a court of law or when coerced.

VPN Chaining improves privacy by connecting to multiple VPN servers operated by different companies who -- preferably -- operate in different jurisdictions.

The advantage is that it becomes increasingly difficult to track users when they chain VPN servers.

There are disadvantages however, for instance that the setup is complicated, that maintaining multiple VPN accounts is more expensive than just one, and that there is still a possibility of being tracked.

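| Advantages       | Disadvantages                                  |
|------------------|------------------------------------------------|
| Improved privacy | complicated setup                              |
|                  | more expensive (unless free services are used) |
|                  | slower speeds, higher latency                  |
|                  | Possibility of being tracked is still there    |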

How to chain VPN servers


Unless you operate all VPN servers that you want to chain, you cannot simply connect to the first VPN in the chain and be done with it.

Connecting to multiple VPNs simultaneously on the same device does not work either, which leaves virtual machines as the best solution to get the ball rolling.

Basically, you connect to one VPN on the device you are using, and to others that you want as part of the chain in virtual machines.

A simple chain would look like this: PC > 1st VPN > Virtual Machine > 2nd VPN > Internet

You would have to perform all activity using the Virtual Machine to take advantage of the chaining.

How it works:

  1. Download VirtualBox from the official website and install the virtualization software.
  2. Download and install an operating system, Linux Mint for instance, in VirtualBox.
  3. Get accounts at two or more VPN services. You get big discounts at Ghacks Deals currently for select VPN providers.
  4. Connect to the first VPN on the device you are using.
  5. Connect to the second VPN in the Virtual Machine. If you have followed the suggestion above, connect to the VPN using Linux Mint.

You can verify that the VPNs are chained by checking IP addresses. You will notice that the host device returns a different public IP than the virtual device.
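
The IP check above can be made stricter. The following shell function is an added example, not part of the original article: it goes beyond the single host-versus-VM comparison by also using the VM's public IP before the second VPN is connected, which shows whether VM traffic really leaves through the first VPN. The function name, return codes and sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a two-hop chain from four public-IP observations.
# All addresses used here are constructed samples from documentation ranges.
#
# Collect each value from an external "what is my IP" service, for example
#   curl -s https://api.ipify.org
# at these four moments:
#   isp      host, no VPN connected
#   host     host, 1st VPN connected
#   vm_pre   VM, 1st VPN up on the host, 2nd VPN NOT yet connected
#   vm_post  VM, 2nd VPN connected

check_chain() {
    isp=$1 host=$2 vm_pre=$3 vm_post=$4

    # The 1st VPN must replace the ISP address on the host.
    if [ "$host" = "$isp" ]; then
        echo "FAIL: first VPN not active on host"; return 1
    fi
    # Before the 2nd VPN is up, the VM must exit via the 1st VPN.
    # Seeing the ISP address here means VM traffic bypasses the host
    # tunnel (typical with a bridged VM network adapter).
    if [ "$vm_pre" = "$isp" ]; then
        echo "FAIL: VM bypasses first VPN"; return 2
    fi
    # Some providers rotate exit addresses, so re-check before trusting this.
    if [ "$vm_pre" != "$host" ]; then
        echo "WARN: VM exit differs from host exit before 2nd VPN"; return 3
    fi
    # After the 2nd VPN is up, the VM must show a new, third address.
    if [ "$vm_post" = "$isp" ]; then
        echo "FAIL: real address leaks from VM"; return 4
    fi
    if [ "$vm_post" = "$host" ]; then
        echo "FAIL: second VPN not active in VM"; return 5
    fi
    echo "OK: PC > 1st VPN > VM > 2nd VPN"
    return 0
}

# Constructed sample: a correctly chained setup.
check_chain 203.0.113.7 198.51.100.20 198.51.100.20 192.0.2.44
```

A different IP in the VM alone does not prove chaining: if the VM reaches the Internet without passing through the host's tunnel, the second VPN still gives it a new address, and only the pre-connection check catches that.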

Crazy chaining: you can add as many VPN services to the chain as you like, but you need to install a virtual machine inside the virtual machine for each of them.

Installation of VirtualBox and the guest operating system should not pose problems to most users. The installation of the VPN service on the other hand may, but most VPN providers offer instructions on their web pages that detail the installation process on various operating systems including Linux.

Closing Words

VPN Chaining improves online privacy and while it does not offer 100% protection, it offers far better protection than a single VPN (which in turn offers better protection than connecting directly to the Internet).

Now You: Do you use a VPN?






    Comments

    1. Ross Presser said on May 19, 2016 at 3:09 pm

      It seems like there should be some clever method of setting up network routing so that the VMs are not necessary.

      1. Gonzo said on May 19, 2016 at 3:59 pm

        Not in Windows.
        In Linux you can use routing tables with multiple tap/tun interfaces. You can also bind specific applications to specific VPNs all from the same install.

    2. Pants said on May 19, 2016 at 3:41 pm

      Just throwing some OpSec into the mix. You should research your VPNs, set them up anonymously (disposable/temp emails – a different one for each VPN, bitcoin payment (assuming your bitcoin account is anonymous as well) and use a different payment provider/method for each VPN (debit card bought with cash from the bank, maybe bribe some hobo to go in and get it for you!! heh), don’t use your own IP when setting these up etc). And then the other usual stuff, like not logging into HTTP sites with any accounts that can identify you (in fact don’t cross contaminate any online IDs/personas – i.e don’t use VPN chaining via VM1 to get your gmail or facebook etc, don’t use the same email accounts in each VM, etc – don’t cross contaminate). There’s way more (books worth), but it really depends on your objective. If it’s to defeat state actors, then you need to do more. If it’s to stop your ISP monetizing you or to thwart copyfraud trolling, then not so much.

      You can also use TOR/TAILS (or Linux Mint etc): eg TOR—TAILS(VM)+VPN2—PC—ROUTER+VPN1-TOR Exit Node—
      Note: I’m not entirely sure if tails and vpn and tor play nicely together.

      I’m not an expert on this, but from all the OpSec failures (think DPR, Lulzsec etc) it all came down to a single failure, and all *they* have to do is join two dots. For those wondering: The Lulzsec member first identified (sabu?) who then turned evidence/helped was detected when his VPN fell over for a few seconds and he leaked his real IP (and he kept IRC logs). DPR was targeted due to his real online ID and DPR being pretty much exclusive in their posts about Austrian economic theories, and then he was monitored in real time jumping in and out of TOR while DPR’s activities on Silk Road matched. Another case was a bomb hoax at a university, and they traced it to the only campus account that had used TOR. Another example, of cross contamination, is pirate release groups where the members reuse handles they have attached to their real IDs. I myself have tracked people this way. In fact, one way I joined someone’s multiple online accounts together, was to reverse image search their unique avatar – it was enough for me to learn some new handles, multiple accounts and then their real ID. Like I said, all it takes is to join two dots. OpSec is hard, but like I said, I’m not an expert.

    3. RemmingtonSteel said on May 19, 2016 at 3:50 pm

      You can connect to TOR then connect to your chosen VPN, then your VPN provider won’t know who you are and also your connection to TOR is made safer by the vpn. You can pay with bitcoin and use a vpn only email for signup also.

      1. Pants said on May 19, 2016 at 5:06 pm

        I’m pretty sure it’s the other way around. Info below pasted from the internet ( https://www.wilderssecurity.com/threads/what-happens-if-you-use-a-vpn-in-conjunction-with-tor-plus-a-few-basic-queries.280983/ )

        [quote]
        Me —> VPN —> Entry node —> Relay Node —> Exit Node —-> Internet

        My VPN provider will see me using Tor, but it won’t be able to read my requests through the Tor network or the responses I receive. My ISP sees I have a connection to my VPN’s IP address but that’s it.
        [/quote]

        1. Remmington said on May 20, 2016 at 1:34 am

          The article is about VPN trust. So connect to tor then to the vpn and the vpn provider won’t know your real IP is my point. The way you state is the best way to use tor/vpn but not if you are paranoid of the vpn provider. A useful link for what I mean: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=54&limit=6&limitstart=6&Itemid=142#1745

        2. remmington said on May 20, 2016 at 1:49 am

          Also point 2 in this link probably explains it better than me: https://airvpn.org/index.php?option=com_kunena&Itemid=55&func=view&catid=3&id=892

        3. Pants said on May 20, 2016 at 8:31 am

          @Remmington

          That’s interesting, thanks. “Please note that it is not TOR over VPN, it’s VPN over TOR.” I’m still not 100% sure how the hell that would work. How the hell can you tunnel to an unknown exit node and the exit node uses your VPN? I’m totally confused how this is even possible. But as I read it, and a few google searches later, it is totally dependent on the VPN provider (see https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/combining-tor-with-a-vpn/ ). I get it now. Thanks

          [quote]
          The order in which you start Tor and a VPN does not really matter. You will always wind up using Tor over VPN unless you are using a VPN that supports connection by the proper SOCKS proxy. Tor over VPN does conceal your Tor usage from your ISP however.

          If you want to use a VPN over Tor to hide your IP from the VPN you need to use a VPN like AirVPN which provides the option from user control panel to connect to the VPN by SOCKS proxy.
          [/quote]

    4. Lorissa said on May 19, 2016 at 3:55 pm

      Wouldn’t speed be a major issue here?

    5. Tom Hawack said on May 19, 2016 at 4:00 pm

      For now I have no interest for a VPN because as I see it on one hand you have no true certitude of privacy (original IP doesn’t vanish, it is always in a database) while on another hand speed is always the price to pay.

      As I see it, if VPN chaining is interesting by the induced ‘onion’ scheme (à la TOR) it must have a consequent effect on speed. Moreover, as well as good wines are served first followed by the lesser, the first VPN in the chain must be the one we trust the most. “The one we trust the most”… do we ever trust a VPN totally? I cannot imagine paying 50-100$/year for “quality VPN” to discover later on my IP was logged and maybe shared…

      Finally, if I struggle for privacy I dislike secrecy, this is here a leitmotiv. I do not dislike to be recognized but I do hate to be followed. I dislike recognizing a user who presents himself under a different identity on chats and forums (I even know French forums where it’s sort of a game). Funny and relevant of a user’s profiling skills but globally irritating as so childish, not to mention the lack of respect for guests.

      I don’t really care of data built on my IP to be frank, as long as it is not associated with my civil identity and physical home address, these two being reserved exclusively for administration and commercial transactions (still with extreme caution). I receive no spam as I use disposable email addresses and I am not bothered with tracking ads as I avoid both trackers and ads with good applications, at least which have proven to be efficient up to now. After that I won’t break my head to surf anonymously and therefore will avoid as well remarks such as “How can you be in New York when your system shows the time of Paris?” : if you want to play it excellently you have to consider far more than a moving IP. Too much work for me, I’m no James :)

      1. Pants said on May 19, 2016 at 5:23 pm

        “I don’t really care of data built on my IP to be frank, as long as it is not associated with my civil identity and physical home address”

        If you have ever let google on your wifi (eg from your smart phone, and it’s pretty hard not to!), then they already pretty much know your address. Your phone (android) will detect/collect wifi names of all your neighbors as well (and when you move around town). Google has extensive wifi name databases, and they use them. It’s even worse of course if you allow GPS, and of course if you tie your real ID to any google services.

        I use ncr (no country) google searches. A few months ago a friend visited and jumped on my wifi. I didn’t think much of it at the time, and the 24 hour nudie beer session with loud music and shaved goats didn’t help, but now all my google searches know my city, which is pretty obscure (before they could only guess my country and pinpoint me to one of three main centers, 100’s of miles away) – at the end of each google page is a “city” refined search link – that was never there before. And the ncr no longer works, I am forced to use my regional/country’s google search. Pisses me off. I have no google accounts and have never allowed any google analytics or tracking of any kind, or cookies, or click tracking and so on. As I said before, all it takes is one mistake and they can join two dots and it’s game over.

        1. Tom Hawack said on May 19, 2016 at 6:08 pm

          With the PC (free of a wifi card) I use Ethernet and for the phone I use only an old mobile, no smartphone, which surprises my friends but which is my choice. At home I love the tool, the computer and the networks, but once outdoors I dislike forgetting reality, that of people, sounds, city lights, nature, colors and sounds, not those of a tiny screen with horrible sounds but those of my environment. Mobile phone here only for phoning, no Web, no cam, no micro, no data (except phone numbers). So I guess my relationship to the networks is more quiet.

          As for Google, when I use its search features it is with encrypted dot. My home town always appeared on its pages because of my IP and I really don’t mind.

          But I understand your point, Pants, and should I shift to wifi that I’d certainly reconsider the relative easiness of my approach which remains efficient but minimalist. For now sticking to a sticky wifi device is not at all scheduled. Not interested.

        2. micro said on May 20, 2016 at 6:01 am

          in my country IPs are dynamic except for corporate ISP, just restart the modem to get new IP. most ISPs even don’t give public IP. so no worry about Google tracking my IP, the IP will keep changing :)

      2. Clairvaux said on January 2, 2018 at 9:41 pm

        “Good wines are served first followed by the lesser.”

        Ha ! We could start an epic flame war over that. I personally believe it to be just the opposite. Unless you plan to get so drunk with mouton-rothschild in the first place that you could not make the difference between château Yquem and Listerine afterwards, but then you wouldn’t deserve a sip of mouton-rothschild (or anything worth drinking) anyway.

        Yeah, Ghacks is a place where not only Firefox and Linux get discussed to death, but also fascism, communism and the proper way to absorb great wines. Get used to it.

    6. Aaron Toponce said on May 19, 2016 at 5:49 pm

      Or you could just use Tor.

    7. Bummer said on May 19, 2016 at 7:08 pm

      Vpn is great for an added layer of privacy at your home. For being anon, don’t use your computer, registered with the manufacturer in your home. Single point of failure in Pants example, the lazy human. Don’t do crap at home kids.

    8. alfie69 said on May 20, 2016 at 6:37 pm

      check out lahana cabbage router for a way to use amazon ec2 free tier and vpn access (http://lahana.dreamcats.org/) looks interesting but yet to try myself

    9. Anonymous said on May 22, 2016 at 7:21 pm

      By using a Chromebook and a router with a VPN client I am using 3 VPNs simultaneously for all internet traffic. The router (Asus DSL-AC68U) provides the first VPN and this is the only traffic my ISP sees. The Chromebook has a built-in VPN client too and by using an encrypting proxy Chrome extension (Zenmate) all traffic is encrypted since the Chromebook’s only connection to the Internet is via the Chrome browser.

      Without any VPN running my Internet connection is a stable 37 Meg. With all 3 VPNs running speed is somewhat variable (2-35 Meg) When speed is slow I may disable the VPN which is slowing down the connection or by disconnecting and reconnecting it often returns to an acceptable speed.

      So, this 3 hop VPN is much faster than Tor (also 3 hop) but may not offer the same level of privacy.

      1. Pants said on May 22, 2016 at 9:47 pm

        That’s interesting. SoftwareVPN –> OS-VPN–> NetworkVPN. Are you sure that they’re really chained? I only ask because I don’t know. I assume you can easily test (some of) it by checking your ip from 1. chrome browser (zenmate), 2. from chrome browser with zenmate disabled and 3. from another device on your network. How can you test that Zenmate doesn’t bypass your OS VPN? The router I’m not worried about – btw, have you DD-WRT’ed it?

    10. drogbaster said on June 1, 2016 at 6:18 pm

      Hello Martin, I am your Italian fan!
      Great guide, it runs perfectly.

      If I can leave a link, I made this guide in Italian Language one year ago, happy to know that it’s the same.
      http://www.drogbaster.it/fornitori-servizi-vpn.htm

    11. Kiki said on August 18, 2016 at 10:00 pm

      Buy 2 or as many 10$ routers you want. Configure each for a vpn service. Chain them. End of story….
