multi-hop + DAITA-like system

[supplement 0]

Mullvad's DAITA is a very interesting approach to the emergence of AI and the possibility of correlating packet size in real time in order to deanonymize the user.

Are there any plans to implement multi-hop? It would help against two issues:

- The ISP can see which VPN server you are connected to
- The datacenter's ISP can log the user's IP. Using a two-layered approach helps against this.
 

Edited ... by supplement

[Staff 10111]

On 3/4/2025 at 8:53 PM, supplement said:

Are there any plans to implement multi-hop?

Hello!

Multi-hopping is a client side feature. And yes, in 2012 a special "OpenVPN over Tor" mode was implemented in the Eddie AirVPN software for Desktop systems. The main "alien entity" used to multi-hop in a way that really enhances the anonymity layer strength is the Tor network as usual, as it provides a very balanced solution between usability, reliability and effectiveness.

In the near future we could implement a double-hop support inside the same AirVPN network on the AirVPN Suite for Linux. It's not the most effective method to enhance the anonymity layer (because both hops belong to AirVPN) but it could be appreciated as a small additional comfort according to the feedback we have.

DAITA is currently overkill because in real life AIs fail miserably. The high success rates comes out only when you have a limited sample of very few services, such as 10 pre-agreed web sites, and the target browses only those 10 with no other protocol complications, quite an unrealistic assumption. However, AI abilities can become relevant in the future to harm privacy and understand, with no needs to break encryption, which web sites a user visits, thus we don't rule out that we will implement specific techniques (especially on WireGuard) in due time.

Kind regards
 

[supplement 0]

Could it be possible that there is en masse packet size collection?

[iwih2gk 95]

Staff said: Multi-hopping is a client side feature.

I use VPN chaining somewhat often.  It is trivial to setup.  Usually I prefer to add TOR to my first VPN hop, but sometimes a file download would take forever in that configuration.  If I am on a safe site downloading a safe file but just want privacy then I quickly mount a dual VPN server route.  I get pretty amazing speeds using two Air servers.  Certainly adequate and then some.  Simple stuff!!

[supplement 0]

On 3/8/2025 at 12:41 AM, iwih2gk said:

I use VPN chaining somewhat often.  It is trivial to setup.  Usually I prefer to add TOR to my first VPN hop, but sometimes a file download would take forever in that configuration.  If I am on a safe site downloading a safe file but just want privacy then I quickly mount a dual VPN server route.  I get pretty amazing speeds using two Air servers.  Certainly adequate and then some.  Simple stuff!!

How?

[iwih2gk 95]

22 hours ago, supplement said:

On 3/7/2025 at 10:41 PM, iwih2gk said:

I use VPN chaining somewhat often.  It is trivial to setup.  Usually I prefer to add TOR to my first VPN hop, but sometimes a file download would take forever in that configuration.  If I am on a safe site downloading a safe file but just want privacy then I quickly mount a dual VPN server route.  I get pretty amazing speeds using two Air servers.  Certainly adequate and then some.  Simple stuff!!

How?

Just to put you with me on the same page.  I use ONLY Linux systems but the same can easily happen using Windows if desired.  ALL my internet workspace is done on VM's.  My Host operating system is Mint 22.1.  On the host I install and configure Eddie exactly how I like it to run for my instance, picking preferred servers, etc...  (As a side note I also configure an NFT firewall so the host cannot EVER go online until AirVpn is connected.  It prevents me from accidentally going to workspace using my ISP IP by mistake).  That quick side note actually has nothing to do with what you asked, I just threw it in for free, LOL!

Next I launch any number of Virtual Machines as required for the mission I am on at the time.  Each of my Virtual Machines has Eddie installed as well.  If desired I just connect to another instance of Eddie on the newly mounted virtual machine.  My VM's by default are NAT connected to the host OS.  So now the connection is Airserver #2 going to the host, which is Airserver#1 back to my computers.  If you bring up the Eddie stats page you will see the incoming IP on server #2 as the outgoing of server #1 from the host OS.  Make sense??  I am on very fast fiber so the speed loss is not that significant, but it does drop just a bit.  It would also be trivial to build VM's for the sole purpose of providing an internet server connection meaning you could build a circuit to use 3 or more servers, but that doesn't have much application for me so I don't.  In full candor most of my day is spent on TOR for workspace so my config is Airserver#1 on the Host OS and on the VM's I connect via the TOR browser (such as making this very post).  No need for the second vpn server when server one is followed up by 3-4 TOR servers.   When TOR won't do what I need I can quickly bring up Eddie and add another VPN server IF I feel it might add some additional privacy to my mission.

[supplement 0]

2 hours ago, iwih2gk said:

Just to put you with me on the same page.  I use ONLY Linux systems but the same can easily happen using Windows if desired.  ALL my internet workspace is done on VM's.  My Host operating system is Mint 22.1.  On the host I install and configure Eddie exactly how I like it to run for my instance, picking preferred servers, etc...  (As a side note I also configure an NFT firewall so the host cannot EVER go online until AirVpn is connected.  It prevents me from accidentally going to workspace using my ISP IP by mistake).  That quick side note actually has nothing to do with what you asked, I just threw it in for free, LOL!

Next I launch any number of Virtual Machines as required for the mission I am on at the time.  Each of my Virtual Machines has Eddie installed as well.  If desired I just connect to another instance of Eddie on the newly mounted virtual machine.  My VM's by default are NAT connected to the host OS.  So now the connection is Airserver #2 going to the host, which is Airserver#1 back to my computers.  If you bring up the Eddie stats page you will see the incoming IP on server #2 as the outgoing of server #1 from the host OS.  Make sense??  I am on very fast fiber so the speed loss is not that significant, but it does drop just a bit.  It would also be trivial to build VM's for the sole purpose of providing an internet server connection meaning you could build a circuit to use 3 or more servers, but that doesn't have much application for me so I don't.  In full candor most of my day is spent on TOR for workspace so my config is Airserver#1 on the Host OS and on the VM's I connect via the TOR browser (such as making this very post).  No need for the second vpn server when server one is followed up by 3-4 TOR servers.   When TOR won't do what I need I can quickly bring up Eddie and add another VPN server IF I feel it might add some additional privacy to my mission.

Are you using something similar to Qubes? Is it impactful on resources?

[iwih2gk 95]

supplement,  I am sorry if my response went past you.  No I am not using Qubes in this example.  Its pure Linux.  Linux is my host or "main" supporting operating system.  On it I installed VirtualBox and then created separate virtual machines, which are fully functioning linux operating systems on their own.  The separate virtual machines connect through the Host using a NAT (shared internet adapter and connection) but the Host does not see what the independent machines are doing really.  Using these machines - for this example on this thread - they can create their own VPN connection and combine that with the one already on the host.  This allows for VPN chaining of relays if that is something you want to do.

This then is an overview.  If you want to discover where to follow up I suggest a linux/virtualbox forum for some great reading.