Routing based on destination network


I believe that passing as few hops as possible on the Internet is a good thing in terms of privacy, security and stability. So I was thinking about developing a setup where I would route traffic to IPs in country X to the VPN exit node in country X, and traffic to country Y to a VPN exit node in country Y, and so on... This could easily be set up in a router like pfSense etc.


I would love to hear your reflections/comments on the security and privacy in such a setup.
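To make the setup concrete, here is an added illustration (not code from the poster or from AirVPN) of what "routing based on destination network" amounts to on a router: a longest-prefix match of the destination address against a prefix-to-country table, with the matching country's tunnel chosen as the exit. The prefix table, country codes and tunnel interface names (`tun_hk`, `tun_de`, ...) are constructed for the example; a real deployment would load a geo-IP prefix list, and pfSense would express the same policy as firewall rules with a per-country gateway rather than the `ip route` lines rendered here.

```python
import ipaddress

# Constructed sample table mapping destination prefixes to a country code.
# These are RFC 5737 documentation ranges, not real geolocation data;
# a real setup would load a geo-IP prefix list here instead.
PREFIX_TABLE = {
    "203.0.113.0/24": "HK",
    "198.51.100.0/24": "DE",
    "198.51.100.128/25": "NL",   # more specific than the /24 above, so it wins
    "192.0.2.0/24": "US",
}

# Hypothetical tunnel interface names, one per VPN exit country.
EXIT_NODES = {"HK": "tun_hk", "DE": "tun_de", "NL": "tun_nl", "US": "tun_us"}

# Everything not in the table leaves through the usual single VPN tunnel.
DEFAULT_EXIT = "tun_default"


def build_routes(table=PREFIX_TABLE):
    """Parse the prefix table into (network, country) pairs, most specific
    prefix first, so that the first match found is the longest match."""
    routes = [(ipaddress.ip_network(p, strict=True), cc) for p, cc in table.items()]
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def select_exit(dst, routes=None, exits=EXIT_NODES, default=DEFAULT_EXIT):
    """Return the tunnel interface a packet to `dst` would leave through."""
    if routes is None:
        routes = build_routes()
    addr = ipaddress.ip_address(dst)
    for net, cc in routes:
        if addr.version == net.version and addr in net:
            # Country known but no tunnel configured for it: fall back to
            # the default tunnel rather than sending it somewhere unintended.
            return exits.get(cc, default)
    return default


def emit_route_commands(routes=None, exits=EXIT_NODES, default=DEFAULT_EXIT):
    """Render the policy as Linux `ip route` commands (strings only, nothing
    is executed) so the resulting routing table can be reviewed."""
    if routes is None:
        routes = build_routes()
    cmds = [f"ip route add {net} dev {exits.get(cc, default)}" for net, cc in routes]
    cmds.append(f"ip route add default dev {default}")
    return cmds


def required_exit_count(routes=None):
    """Number of distinct exit countries in the table, i.e. how many VPN
    sessions would have to stay up concurrently for the policy to hold."""
    if routes is None:
        routes = build_routes()
    return len({cc for _, cc in routes})


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.5", "198.51.100.200", "10.1.2.3"):
        print(f"{ip:>16} -> {select_exit(ip)}")
    print(f"\n{required_exit_count()} concurrent VPN sessions needed")
    print("\n".join(emit_route_commands()))
```

Two details matter for a setup like this: the table must be sorted so that a more specific prefix overrides a broader one (the /25 inside the /24 above), and any prefix whose country has no configured tunnel must fall back to the default tunnel rather than leaving the VPN entirely. `required_exit_count()` makes the operational cost visible: every country in the table is one more session that has to be up, and one more failure point to monitor.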




You will probably create more problems than you are trying to solve, for example with CDNs.

This will make you have the same amount of captchas as a Tor user.


I also don't see how it will reduce hops.

1) Your ISP > AirVPN > destination

2) Your ISP > AirVPN > VPN in destination country > destination


So even if AirVPN has 20 countries covered, you will need at least 20 more in order to reach the majority of the internet, and of course more VPN accounts.


Not sure why this is a good idea.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Thanks for commenting. Regarding the hops: The number of hops from source-IP to destination-IP would most likely be fewer the shorter the distance (when only looking at hops from the exit node where the traffic will be unencrypted). If I access a server in HK and I use an exit node in DE, my traffic is more exposed to tapping than if I used the exit node in HK. Edward Snowden talked about this in his keynote at LibrePlanet 2016, so I started thinking about this issue.


Can you please link to a post/video where Snowden, or anyone else for this matter, states that it is better to set up country-based policy routing and multiple VPN endpoints in order to avoid or minimize surveillance?


The idea is to decentralize as much as possible, not to use the same nodes over and over again in order to connect to the same destinations. Unless you have specific needs: it sounds feasible if you are a CDN or an internet exchange point, and might potentially reduce transit costs, but for an individual user I see no benefit of this scheme, quite the opposite.

Complexity is always the "silent enemy" of security. Such a setup would require keeping dozens of VPN accounts and sessions, setting up complex rules and having a very long routing table. And the troubleshooting of a failed node will only be possible after connectivity loss, which might find you at the wrong time.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
