What is Double VPN, its pros and cons, and who should use it?
A double VPN feature consists of a VPN connection routed through two consecutive VPN servers instead of one. It’s also known as “multi-hop.” The feature adds an extra encryption layer to the user’s traffic, thus increasing security, privacy, and anonymity. Unfortunately, most VPN networks do not support multi-hop connections. Why don’t they? Which are the ones that do? In this article, we will answer those questions and many more.
What is a multi-hop or double VPN?
As the name suggests, the double VPN feature enables VPN users to route their traffic through two VPN servers instead of one. In this way, your traffic encryption happens twice (once on each server), thus providing an extra layer and security for your online activities. However, one significant difference from the regular connections is that, even in the VPNs that support such a feature, not every server within the network is suitable, so your choices are limited to those nodes that can be paired together.
Multi-hop connections are not the industry standard by any means. In fact, most VPNs do not support it. The reason behind that is that the demand for this feature tends to be low because the additional encryption and routing times cost something in connection speeds. In other words: double VPN connections are significantly slower than regular single ones. Also, double VPN connections demand more resources from the provider, and that also plays a role.
Double VPNs come at a cost to the network and the user; that much is clear. Nevertheless, the multi-hop feature is a valuable service for a particular user who needs to ensure that their privacy and security are guaranteed at all costs.
For example, suppose you are a political activist, especially of the dissident kind working in a repressive country; you could also be a journalist writing on sensitive topics that could awaken a giant’s anger; or that you are a whistleblower passing on sensitive information to third parties. Those three cases are the most obvious scenarios in which double VPNs are critical in keeping a user safe from potential enemies, but they’re not the only ones.
So are multi-hop connections an option for you? Well, answering that question needs you first to know the pros and cons. Let’s see them.
Multi-hop VPN connections: The advantages and disadvantages
Most VPNs offer added features that enhance a user’s security, such as kill switches, leak protection, malware blockers. So double VPN is not a compulsory feature for a network to be a regular (even a premium) VPN service. A good VPN performs two services for you at all times: traffic encryption and IP masking; any additional advantage is welcome but not vital. Thus, double VPN connections are not in the “must-have” list of any provider. We’ll see why in this section, but let’s start with the positive side of the coin.
Double VPNs: The advantages
Multi-hop connections enhance security, privacy, and anonymity. And how they achieve that goal are advantages in themselves.
- Double encryption. Each server in a multi-hop connection encrypts the traffic in full. A single AES-128 encryption stage is impossible to crack with the current technology. Two stages of AES-256 encryption make the traffic utterly impossible to decipher.
- Extra IP. The server hides your IP address from the word in a single VPN connection and assigns you a new one. In a double VPN, this happens twice, so your actual IP address is twice removed from the world.
- Keeping your ISP in the dark. If your ISP is interested in your online activities (which it shouldn’t), he won’t be able to know anything about what you’re doing. The ISP will know that all of your traffic is directed to a single node on the Internet (your VPN server). But it won’t understand what your traffic is about, what sites you are visiting, or anything else.
- Hidden whereabouts. Any mildly competent hacker can figure out your location from your IP address. In a double VPN connection, any third party will think you are located at the second server’s location, which will typically be very far away from you.
- Protocol combinations. If double encryption still seems not enough for you, you can set up your double connection so that one server uses TCP within the OpenVPN protocol and the other uses UDP.
- Bypass censorship. Even the most liberal countries in the world impose some restrictions on their domestic internet access, not to mention China, North Korea, or other jurisdictions where the lack of online freedom is notorious and world-famous. Single VPN connections allow you to circumvent those restrictions. A double VPN ensures that it can’t be traced back to you.
Double VPNs are an extreme security measure. As such, they’re not meant to be the default mode of any user. That’s why so many industry players do not offer it –and have no intention to change their minds. Also, the decision-makers in the VPN world consider that single VPN connections are good enough for any task in terms of security. Furthermore, they are versatile enough to serve activities as torrenting or unblocking streaming websites. Thus, in their minds, a double VPN is overkill, an enhancement on a service that already meets its purpose perfectly.
While we also consider that those multi-hop connections are for paranoids for the most part (though we have mentioned three cases in which the paranoia is justified), if you decide that doubling down on security is your cup of tea, go right ahead. Just keep in mind that there’s a price to pay.
- Loss of speed. The most evident cost you’ll have to pay for a double VPN comes in the form of lower speeds when connected to a VPN. Even a single connection reduces connection speeds because the encryption and the traffic routing take some time and computing power. If you add another VPN stage on top, then things slow down so much more. In addition, if you want to transfer large files, use your BitTorrent client, or see streaming videos, the chances are that the multi-hop will not be optimal for your user experience.
- No Tor over VPN. If you have ever used Tor to protect your security, you already know that navigation speeds in the Tor network are low. You can double-down on security by launching your Tor browser over a single VPN connection. Adding a further VPN layer will make snail races look exciting.
- Resource intensive. Double VPN connections mean more work for your device, not just for your VPN provider. Your battery will drain quickly, the other tasks on your device will slow down. If you can be plugged in, that’s not a problem, but if you’re on the go (which is the point in mobile devices), you won’t be able to be online for long.
- Server choice. As far as we’ve seen in most VPN networks, the server list for multi-hop users is much smaller than the regular list. Also, you can’t choose each server separately. Instead, you will have to choose from a list in which servers are already paired.
So the primary drawbacks of double VPNs come as inefficient speeds and battery use. If you happen to have an astonishingly fast ISP, maybe your dual connection will be manageable. On the lack of variety of server choices, most of the available pairs are located in the countries where the servers are most useful for almost every task (the US, UK, Netherlands, etc.), so lack of choice does not translate into a lack of flexibility.
Double VPN: How does it work, anyway?
If the idea on any VPN is to encrypt your traffic and hide your IP address, what you want for your multi-hop service is precisely to do that twice. In principle, you could do this three, four, or more times if you wish.
However, doubling a VPN connection is already so redundant, and it decreases functionality so much that going triple or quadruple is just pointless. Furthermore, having a connection that’s secured against God’s angels’ best computer will not be helpful if the speeds are so slow that you can’t even check your email.
Let’s begin to improve our understanding of multi-hop connections by first knowing what happens in a single scenario. It goes like this:
- Your local VPN app (or chrome extension, or router if it’s VPN-enabled) encrypts your outgoing traffic and sends it to your VPN server.
- The server decrypts your traffic.
- The server then sends your unencrypted traffic to the designated target. This target sees your IP address as the servers’.
- The same process takes place backward as you get your answer from the target.
So far, so good? Ok, so here’s how it goes when you double down on your VPN connections:
- Your local VPN app (or chrome extension, or router if it’s VPN-enabled) encrypts your outgoing traffic and sends it to your VPN first server.
- The first Server encrypts your traffic again (instead of decrypting it) and hides your IP.
- The first server sends this traffic to the second VPN server.
- The second server sends your traffic to the wanted target after decryption.
- Then the process repeats itself in the opposite direction bringing you the target’s answer.
So, if everything is done correctly, your traffic is encrypted twice, and your target never sees your IP address or the first server’s. Instead, it will think that all the traffic originates in the second server.
But beware of some VPN providers claiming to give you multi-hop connections that do not encrypt your traffic twice. Instead, those services will decrypt your data twice. In this scenario, your privacy is not enhanced but emperiled because a successful attack against only one of the servers is enough to intercept all your traffic. But your IP address will remain hidden after the first VPN server if that’s any consolation to you.
Are multi-hope connections safer than regular single VPN connections?
Yes, double VPN connections are always safer than regular ones. This remains true even if your VPN does not encrypt your data twice. Even in that scenario, your IP is masked twice. Moreover, even if it’s not stacked, the encryption process makes a brute-force attack utterly useless.
Double split is yet another reason for which double VPN connections are much safer. By “double split,” we mean this: the VPN server knows both your IP address and destination in a single connection. However, in the double connection In double connection, neither server knows everything. One knows your IP address, but not your destination. The other one knows the destination but not your IP address. So even a successful attack against either server can’t get all the information necessary to locate you or figure out your actions.
However, in the final analysis, your double VPN connection is only as safe as your VPN. For instance, a no-logs policy is more critical to protect your privacy than a double connection if a government forces your provider to give up its logs. If your provider doesn’t stick to the no-logs practice, then there’s no reason at all to use a double connection anyway.
And this is precisely why one of the most important things to do regarding your digital security is to choose the correct VPN vendor — in this regard, policies are as important as technology. So it would be best if you always looked for a VPN service that’s been audited independently and whose policy has been held up in court. The first requisite narrows down the provider choice because from all the VPN protocols open in the industry, only OpenVPN has been audited extensively.
Another thing to look for in a VPN provider is RAM-only servers. These machines are inherently incapable of logging traffic because all the data they hold is volatile, and it evaporates into oblivion as soon as the active session goes offline.
Other factors to keep in mind include safety against IP leaks, a good kill switch, and the parent company to be in a privacy-friendly jurisdiction — this is a rare case in which banana-republic-based corporations are preferable to those based in the most advanced countries of the world.
When do you need a multi-hop VPN?
Your grandparents probably never looked back at their lives, wondering why they didn’t use a double VPN with regret. Maybe you won’t either. But let’s not forget that their world was different and that digital security is paramount today.
If you come to a point in which you need to regret it, it’s already too late, and the consequences can be exceedingly grievous. So here are a few scenarios in which using a double VPN is a good idea:
- Public WiFi Hotspots. Do you just love to go to your nearest public WiFi hotspot and do your day’s work while you enjoy your favorite meal or hot beverage? The hackers love it too. Unfortunately, public WiFi hotspots are notoriously unsafe. Here is a place in which you are broadcasting all your information to the world at large. It’s not that it’s not encrypted, but that the encryption is trivial to crack, so hackers can just collect your traffic and then save it for later analysis. If you’re not on a VPN, they will be able to track all your online steps, and if you logged into any critical account through the WiFi hotspot, they’d learn your passwords and usernames. In everyday situations, few are as dangerous for your safety as public WiFi spots. Fortunately, a VPN connection will keep you safe even against the most skilled hackers. Is a double VPN twice as better in this situation? No. It’s exponentially better.
- Steering clear of surveillance. Governments keep an eye on their citizens. Yes, it happens everywhere to some degree. So why allow your government (or a foreign one) to find out everything you do online? Double VPNs will thwart any effort by a third party to surveil you and know if you’re visiting blocked websites, downloading illegal content, or going against the status quo in any way.
- Activism or journalism. If you are writing about sensitive topics, or if you’re taking economic or political action against the powers that be, you can rest assured that there are people in the world that would like to see you fail. Why give them that pleasure? Suppose you just protect yourself, your collaborators, your family, or your sources with a double VPN. In that case, you will have extra security and access to web resources unavailable to regular users in your country.
Double VPN and VPN over VPN — What is the difference?
Double VPN connections and VPN over VPN connections are very alike for the most part. In both cases, you are using two VPN servers instead of one. The difference is this: double VPNs use two servers maintained by the same provider. VPN over VPN uses two servers, each from a different provider.
So the difference seems negligible, but that slight difference can make a huge difference. For example, suppose that your VPN logs your data, and a law enforcement agency raids its servers and grab all the stored user data. If you use two servers in this network, all of your data (IP address included) is there for the law to see.
A VPN over VPN is different because none of the two servers has enough data about you to complete the whole picture. One server will know your IP address, the other one your destination, but none will know both. So the VPN over VPN option ensures that no external party can get any incriminating information on you.
Of course, a VPN over VPN connection means that you have to pay for two VPN services simultaneously to be more expensive. But if you value your security enough, then the additional cost is worth it because it gives you the ability to keep your eggs in different baskets — almost literally. In this regard, it would always be best to choose VPN vendors from different countries.
However, technical complications may arise when trying to set up a VPN over a VPN connection. Most providers do not design their software with another VPN in mind, so launching different VPN clients simultaneously can be tricky. More on that after the next section.
Best services with double VPN today
VPNs used to be a tool for the nerdiest among us. However, as the public interest for online privacy and security has exploded over the last few years, many more users are interested in getting a VPN service. Thus the market is overcrowded now, and picking the VPN that is best suited for your needs is not an easy task. It takes time, attention, and a bit of expertise. We want to save you the hard work, which is why in this section, we will tell you about three VPN services that we know to be excellent and that have a double VPN feature for the clients who want it.
NordVPN is our favorite VPN vendor for any task at all. Period. Its service is fantastic, versatile, cost-effective. It does everything a great VPN should do for you and much more. Double VPN is available in the vendor’s macOS, (the OpenVPN version), Windows, and Android apps. Enabling the feature requires only a click.
An additional perk in NordVPN is the native support for Tor over VPN, one of the security methods we’ve mentioned earlier. This is great for users who want to use the Tor network but are not too expert.
ProtonVPN includes the “Secure Core” feature that allows you to establish multiple VPN connections.
When you activate the option, you’ll get connected to a server located in a privacy-friendly jurisdiction. Then your traffic goes to another country, one more problematic regarding internet regulations, surveillance, and restrictions.
Secure Core is available in ProtonVPN’s Android and Windows apps. You can also set it up by hand if you’re on Linux, iOS, Android, or macOS.
Windscribe offers a feature called “double hop,” which is nothing but the double VPN feature.
Only desktop users can use the option but without specialized servers. Instead, Windscribe suggests that users establish VPN connections simultaneously by using its browser extension with the client software.
The limitation with that arrangement lies in that the double feature protects only the browser’s traffic. The rest either goes through regular traffic or a single VPN connection.
Creating your own double VPN setup
There is a very slight chance that all you will need to do to have a VPN over VPN connection working correctly will be just to launch the first one (it will know your IP address), then the second one (it will know your traffic’s target). While this is possible, it’s not very likely. More often, you will have to tinker around a bit to get things going.
If, after launching both your VPNs, nothing works, it could be because there’s a conflict between both security protocols. You can get around this problem by making sure that each service uses a different protocol. For instance, if you have OpenVPN running on one server, pick IKEv2 for the other one.
If you already configured each VPN to use a different tunneling protocol and your connection remains useless, you can install each service on a different device. This will work fine if the issue arises from the virtual network cards of each VPN.
So you don’t have many devices to play with, we hear you say? That’s not a problem. You can still try two different strategies.
Many good VPN services can be installed directly into your home router. This guarantees that the VPN will protect all the traffic in and out of your home or office through the said router. Once that bit is ready, you launch the other VPN on your device, and everything should be peachy.
The other option is to set up a virtual machine. So in this scenario, you launch one VPN in your regular environment and the other one inside the virtual operating system. In this case, everything should go smoothly too.
Last but not least, there is a last option, but it’s limited in scope. Many VPNs make their network available through a browser extension. So you could set up a VPN for regular use, then launch the extension within your browser. The problem is that only your web traffic will be protected; the rest will go through a single VPN connection.
Maximizing your protection with additional VPN features
We already explained why a double VPN connection itself guarantees nothing. If other variables do not line up, you are still exposed (albeit in a fancier manner). The most critical additional features are that your provider must not keep any logs or have an affiliation with governmental agencies. Also, the VPN network itself must be secure.
Then, there are other desirable VPN features that you should require. A good kill switch is one. The kill switch shuts down all your traffic as soon as your connection to the VPN server is lost, thus preventing any IP leakages.
There’s no doubt about double VPNs: they’re a powerful feature that will improve your security and privacy. However, it’s a very resource-intensive option which is why it’s not the most popular way to use VPNs. Still, multi-hop will only make you safer online.
If the country where you live online, freedom is not exactly a social core value if you’re a journalist who needs to be careful about your work if you’re a political activist challenging the economically or politically powerful. You need to keep your work activities and make progress while staying anonymous, then multi-hop VPNs are the way to go. Even if you’re just a regular person with no sensitive information to hide from the government or the powerful, you should still have a VPN available to you when you use public WiFi hotspots.
The bad news is that very few VPN vendors in the industry provide double VPN connections. The good news is that those who do are usually the best services in the market, which also means that they probably don’t keep logs (a crucial thing) and take their clients’ privacy seriously.
However, if for any reason, those providers with multi-hop features turn out to be out of your reach, or if you just don’t like them, then you can always go for the VPN over VPN option, which is even safer and very easy to implement if you configure your router or create a virtual machine. Yes, you’ll have to pay for two memberships, but vendors such as SurfShark make it a very affordable option.
We hope that the information we’ve presented to you in this article gives you all the information you need to make an informed choice about multi-hop connections. Is it right, easy, and affordable for you? Now you know everything you need! So please take a moment to figure out the option that suits you better and go for it. But above all, stay safe!
About the author
Tech researcher and writer with a passion for cybersecurity. Alex is a strong advocate of digital freedom and online privacy.