What is a Double VPN and multi-hop?

The best VPNs provide an excellent way to protect your online privacy. Unlike proxy servers, virtual private networks can be very easy to set up, and you can be connected within minutes.

Each time you use the software, your VPN ‘client’ device establishes an encrypted VPN tunnel connection to a VPN server. As far as the internet at large is concerned, your IP address and location are that of the server itself, which can even be based in another country.

As your data is encrypted, your ISP has no way of knowing which websites you access or which programs you’re using. Connecting to a VPN server in another country is also a great way to indulge in some “geo-spoofing”, popular with those using streaming VPNs or VPNs for Netflix, allowing you to access location-specific services in other countries.

This is all fine for day-to-day browsing. But what if the stakes are much higher? For instance, in certain countries you can be sent to prison for accessing western media.

This is where a Double VPN, sometimes known as a ‘multi-hop’, can help.

What is a Double VPN?  

A Double or multi-hop VPN is one where you add another VPN server to your existing one, linking the connections together. This hugely increases the protection that you gain relative to using a VPN in the traditional way.

In order to understand this properly, let’s just recap how someone might use a standard paid or free VPN. In this example, an American user wants to watch Netflix in the UK. 

Step 1: The US-based user fires up the VPN client device and establishes a secure, encrypted connection to their provider’s VPN server. They then go to the Netflix UK website in their browser.

Step 2: The VPN server receives the connection requests from the American client and establishes its own connection to Netflix’s UK website. 

Step 3: The VPN server encrypts this data and sends it back to the VPN client in the USA, where it’s decrypted so they can stream shows.

When connected to the VPN, the American user’s internet service provider (ISP) won’t be able to detect which specific website they’re visiting, or the type of web data they’re accessing, such as streaming video, just by analyzing their network traffic.

If, however, the user lives under a regime where the government actively monitors people’s connections through advanced techniques like DPI (Deep Packet Inspection) and even illegal hacking, this may not be enough to protect them.

If the VPN server is compromised, then any data that would usually be encrypted would be visible to a bad actor. This could happen through hacking. But don’t forget that servers are managed by people - people who can be corrupted or blackmailed into handing over information. Some countries can even subject VPN providers to secret court orders.

Even if the VPN provider is honest and refuses to cooperate, they often don’t host their own servers, renting them instead from third-parties that can be breached or subpoenaed. In 2018, NordVPN was a victim of a breach of this kind at one of its data centers. This only affected one of its many servers but goes to show that for total peace of mind, one might not be enough. 

Even if the server itself isn’t breached, anyone monitoring a connection to a single VPN server can carry out “correlation” or “timing” attacks to try to compare incoming/outgoing connections to encrypted network traffic, undermining anonymity and privacy. 

How to use Double VPN or multi-hops 

Seeing how a regular VPN connection operates and how it’s vulnerable, you’re well placed to understand how implementing a Double VPN can protect you.

A Double VPN setup works like this:

Step 1: Our user fires up the VPN client software, which establishes a connection to the first VPN server. However, this time, all data is encrypted twice. 

Step 2: The encrypted web traffic is sent to the first VPN server. Here the second layer of encryption is removed from the data. It’s still protected by the first round of encryption. The encrypted data is routed to a second VPN server.

Step 3: Once the data arrives at the second VPN server, the first layer of encryption is removed and the data is fully decrypted. At this point the VPN server knows that the user is trying to connect to, for example, Netflix UK, and establishes a connection to it. 
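
The layering in steps 1 to 3, as an added example that is not part of the original article: a Python sketch in which the client wraps a request twice and each server removes one layer. The HMAC-based cipher is a toy stand-in for a real VPN protocol, and the keys, host names and function names are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one tunnel key.
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in, not a VPN cipher).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered packet")
    ks = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def client_wrap(request: dict, k_entry: bytes, k_exit: bytes, exit_addr: str) -> bytes:
    # First layer: only the second (exit) server can open it.
    inner = seal(k_exit, json.dumps(request).encode())
    # Second layer: the first (entry) server opens it and learns only the next hop.
    envelope = {"next": exit_addr, "data": inner.hex()}
    return seal(k_entry, json.dumps(envelope).encode())

def entry_hop(k_entry: bytes, packet: bytes):
    envelope = json.loads(unseal(k_entry, packet))
    return envelope["next"], bytes.fromhex(envelope["data"])

def exit_hop(k_exit: bytes, packet: bytes) -> dict:
    return json.loads(unseal(k_exit, packet))

if __name__ == "__main__":
    k1, k2 = os.urandom(32), os.urandom(32)   # constructed tunnel keys
    pkt = client_wrap({"host": "streaming.example"}, k1, k2, "exit.vpn.example")
    nxt, inner = entry_hop(k1, pkt)
    print("entry hop forwards to:", nxt, "| payload readable:", b"streaming" in inner)
    print("exit hop sees:", exit_hop(k2, inner))
```

The first server recovers only the address of the second server and an opaque blob; the destination becomes readable only after the second server removes the remaining layer.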

The process can, of course, be reversed to return data along the same route. Using two encrypted VPN tunnels in this way has a number of advantages.

The first is that it makes correlation and timing attacks much harder, as it’s not nearly as easy to time how long it takes to send certain bits of data across two networks compared to one.

Someone with access to a user’s ISP records might be able to detect the connection to the first server. But beyond this, they have no way of knowing whether a user is deploying a multi-hop VPN. The connection request itself is encrypted - if they don’t know about the second server, there’s no way they can target it with hackers or a court order.

This type of privacy also works both ways. As far as the Internet is concerned, the public IP address and location are that of the second server. There’s no way for a website or online service to tell you’re using a Double VPN simply from analyzing the traffic coming to them from the second server. 

Double VPN and Tor 

This type of encryption, passing data through multiple relays, is very similar to how the Tor network operates. Like Tor, relaying all your internet traffic through multiple servers rather than one will slow down your connection. This is why, despite our example, it’s unlikely you would use Double VPN to stream online videos. You’re effectively trading off speed for security and privacy. 

If your VPN provider offers this service, you may also find that you have a more limited selection of servers, so you can only appear to be in a smaller number of countries. This could be an issue if you’re trying to access a service which regularly blocks VPNs, as you may not be able to simply switch to another server.

If you’re thinking of using a Double VPN, use a trusted VPN provider such as ExpressVPN or NordVPN, since the provider can monitor every server you use.

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.