Noobiana_2014 3 Posted ... AirVPN must offer Multi-Hop double VPN and Tor OverVPN in openvpn config ? for maximum anonimyty and pain for spying agents to decrypt the traffic 1 Syntx reacted to this Quote Share this post Link to post
iwih2gk 93 Posted ... It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. Its running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and its not that difficult to do! 1 vpnair33 reacted to this Quote Share this post Link to post
SagerMay 0 Posted ... It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. Its running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and its not that difficult to do! could someone please elaborate on this. Quote Share this post Link to post
Keksjdjdke 35 Posted ... It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. Its running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and its not that difficult to do! could someone please elaborate on this. I would also like for you to elaborate on this. Thanks Quote Share this post Link to post
zhang888 1066 Posted ... iwih2gk meant using Tor over VPN or VPN over Tor, maximizing your 3 connections.That will actually mean 6 hops (3 Tor ones and 3 Air ones), but this is going to be extremely slow as well. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
BSoD 4 Posted ... To set this up you might use one on the router, on on your main OS (windows, linux, ...) and for a third layer you might use a VM running linux which uses your third connection.I believe 5 hops (with tor) is overkill. If you use tor you'll know that 1 layer already slows it down a lot, this is normally barely an issue when just using it to post on the forum but if you try to watch videos (e.g. youtube) it will be very slow. On my setup my router randomly chooses a Europe IP And then I setup a second connection (preferably other country) from linux/windows Quote Hide BSoD's signature Hide all signatures Helping mankind one line of code at a time.Kind regards, Me Share this post Link to post
NaDre 157 Posted ... It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. Its running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and its not that difficult to do! could someone please elaborate on this. I would also like for you to elaborate on this. Thanks If you want to do this without separate machines (physical or virtual), then this may help: https://airvpn.org/topic/11277-its-possible-connect-two-vpn-at-the-same-time/?p=16345 You have to manage your routing table yourself, rather than using OpenVPN's default set up. Since that was posted, AirVPN has switched from "net30" to "subnet" topology, which means that the procedure in that post will no longer work without another tweak. This is because if you attempt to make multiple connections using UDP on port 443 (for example), the remote address for all of them will be 10.4.0.1, resulting in a conflict. This can be overcome, but not simply. I don't want to spend time explaining unless you are still interested after reading the post above. To avoid the conflict, you could try the procedure with one connection using UDP on port 443, and another using TCP on port 443, so that the connection using TCP will have a remote end with IP address 10.5.0.1. I should add that in the past AirVPN staff have questioned the value of doing this unless the VPN connections are from independent providers. Quote Share this post Link to post
Guest Posted ... If you want to do this without separate machines (physical or virtual), then this may help: https://airvpn.org/topic/11277-its-possible-connect-two-vpn-at-the-same-time/?p=16345 You have to manage your routing table yourself, rather than using OpenVPN's default set up. Since that was posted, AirVPN has switched from "net30" to "subnet" topology, which means that the procedure in that post will no longer work without another tweak. This is because if you attempt to make multiple connections using UDP on port 443 (for example), the remote address for all of them will be 10.4.0.1, resulting in a conflict. This can be overcome, but not simply. I don't want to spend time explaining unless you are still interested after reading the post above. To avoid the conflict, you could try the procedure with one connection using UDP on port 443, and another using TCP on port 443, so that the connection using TCP will have a remote end with IP address 10.5.0.1. I should add that in the past AirVPN staff have questioned the value of doing this unless the VPN connections are from independent providers. That does work, but yeah if it's just multi-hop between AirVPN servers it has very little value, and adding it so that you can connect to non-AirVPN servers through AirVPN server would be a lot of work and tho they do have Tor over Air and such so it would be possible if they made changes, and then just make it so like with Viscosity you provide server info and it connects and routes. Quote Share this post Link to post
foxmulder 43 Posted ... FYI, here is an interesting read on Bestvpn.com i just stumbled across: https://www.bestvpn.com/chaining-vpn-servers-double-vpn/ Regards Fox Quote Share this post Link to post
iwih2gk 93 Posted ... That does work, but yeah if it's just multi-hop between AirVPN servers it has very little value I don't agree with that and here is why: I believe the Air tunnel is pretty much impenetrable from the outside. Lets assume that any adversary cannot penetrate the tunnel and read anything passing through regardless of the length (number of relays Air/Tor). That assumption standing, now an adversary can setup OUTSIDE of the tunnel and does so by monitoring the datacenters hosting VPN servers. This happens all the time and is completely beyond Air's control. So as an adversary I start logging ALL IP's coming into a target datacenter. Picture a bicycle wheel where the spokes are incoming IP's and the center is the datacenter/server. If I continue watching this bicycle wheel I will start to determine what a given spoke on the wheel is actually doing over time. Its a little beyond this post as to how its done but with time and one hop its not that difficult a process. Once I have zero'd in on a target IP I can then search the web for it using advanced tools. By using multiple hops and especially TOR I can effectively avoid an adversary zero'ing in on my actual IP because it is so removed from the exit node via hops. In the bicycle wheel metaphor picture 3 wheels where my one spoke comes to the center and then jumps from the center to become a spoke on wheel two and again the process contines until I become a spoke on wheel 3. The adversary watching the IP of wheel three's spoke is so removed. I hope this simplistic metaphor of the wheel helps to make it clear for you. This is easy on one computer using VM's/BSD/PfSense type stuff. Obviously, it would be better to have completely independent service providers since an "inside actor" compromise would leave you intact. Quote Share this post Link to post
foxmulder 43 Posted ... Yes, but this is a very specific scenario you are describing. In general, you don't need such a high amount of anonymity. Theoretically you are right, but it doesn't matter for the "average" user, who just wants a bit privacy. IMO the advantage of multi-hop doesn't outweigh the drawback in form of a heavy speed hit. But that is just my opinion on this. Regards Fox Quote Share this post Link to post
go558a83nk 362 Posted ... the kind of multi-hop other VPN companies offer isn't tunnel within tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from so plenty to have a program for every possible multi-hop within their system. Quote Share this post Link to post
iwih2gk 93 Posted ... the kind of multi-hop other VPN companies offer isn't tunnel within tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from so plenty to have a program for every possible multi-hop within their system. Do you have a link on this to support your post? By support (not being adversarial), I really mean to help us all visualize how its being internally handled. Self directing of a "tunnel within a tunnel" provides a safety factor in that I am controlling its construction, and thereby managing the avoidance of a breach in protocol. I would love to study this as described by you. Quote Share this post Link to post
go558a83nk 362 Posted ... the kind of multi-hop other VPN companies offer isn't tunnel within tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from so plenty to have a program for every possible multi-hop within their system. Do you have a link on this to support your post? By support (not being adversarial), I really mean to help us all visualize how its being internally handled. Self directing of a "tunnel within a tunnel" provides a safety factor in that I am controlling its construction, and thereby managing the avoidance of a breach in protocol. I would love to study this as described by you. You'd have to ask them how they actually do it. The provider I use (in addition to Air) actually calls them "chains" and you can build your own with several hops. https://thatoneprivacysite.net/vpn-comparison-chart/ that comparison chart shows there are currently 17 providers that provide multi-hop. Quote Share this post Link to post
chimney sweep 1 Posted ... I would also welcome a multi hop feature in the future. Being able to enter via one local AirVPN server and exit via another in another country would be something I'd like to try. Quote Share this post Link to post
Staff 9973 Posted ... the kind of multi-hop other VPN companies offer isn't tunnel within tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from so plenty to have a program for every possible multi-hop within their system. If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted. But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case. So, the REAL multi-hopping is what we already provide. The useless "multi-hopping" which is just a way to make your routing longer and nothing else is probably marketing fluff and as usual we will provide neither marketing fluff nor bloat-ware. If we miss something really useful for our mission in multi-hopping without multi-tunneling, please feel free to comment. Kind regards 7 nullstellensatz, RidersoftheStorm, iwih2gk and 4 others reacted to this Quote Share this post Link to post
iwih2gk 93 Posted ... the kind of multi-hop other VPN companies offer isn't tunnel within tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from so plenty to have a program for every possible multi-hop within their system. If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted. But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case. So, the REAL multi-hopping is what we already provide. The useless "multi-hopping" which is just a way to make your routing longer and nothing else is probably marketing fluff and as usual we will provide neither marketing fluff nor bloat-ware. If we miss something really useful for our mission in multi-hopping without multi-tunneling, please feel free to comment. Kind regards Thank you. That was exactly my point several posts up in this thread. Also, I'ld like to add that this method allows the user (ME in this case) to self construct my circuit where I have control on what happens within it. I would be weary as can be to submit my circuit to a "closed system" design where I just assume things are being handled securely. In a sense its part of my assuming a "partition of trust" responsibility. Quote Share this post Link to post
mithu90 0 Posted ... If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted. But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case could u describe this a little bitmor in detail ? whats the major difference from yours to other ones regards Quote Share this post Link to post
wintermute1912 6 Posted ... the kind of multi-hop other VPN companies offer isn't tunnel within tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from so plenty to have a program for every possible multi-hop within their system. If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted. But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case. So, the REAL multi-hopping is what we already provide. The useless "multi-hopping" which is just a way to make your routing longer and nothing else is probably marketing fluff and as usual we will provide neither marketing fluff nor bloat-ware. If we miss something really useful for our mission in multi-hopping without multi-tunneling, please feel free to comment. Kind regards If you run a VM with its own NIC and connect to a completely different VPN service in that VM is that a tunnel within a tunnel? (obviously the host machine is connected to its own VPN through its own NIC). Quote Hide wintermute1912's signature Hide all signatures Share this post Link to post