VPN Chain Question

Discussion in 'privacy technology' started by Summy23, Sep 9, 2018.

  1. Summy23

    Summy23 Registered Member

    Joined:
    Sep 9, 2018
    Posts:
    3
    Location:
    Europe
    Hey folks,

    I have a question regarding the following setup:

    - Router is configured to tunnel all traffic through VPN Server A
    - A client behind this router is configured to route all traffic through VPN Server B

    What kind of traffic could be logged at Server A and Server B?

    I assume Server A would see my real IP and only encrypted traffic with the target "Server B", while Server B would see unencrypted traffic and the target IP, but not the real source IP.

    Is this correct?

    Thank you guys!
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
  3. Summy23

    Summy23 Registered Member

    Joined:
    Sep 9, 2018
    Posts:
    3
    Location:
    Europe
    Thanks for your answer. Please let's go into a little more detail regarding my first question. I've read that there is a difference between a chained and a nested VPN connection.

    Chained connection: https://vpn-anbieter-vergleich-test.de/wp-content/uploads/2017/05/vpn-kaskade-einfach.png
    Nested connection: https://vpn-anbieter-vergleich-test...s/2017/05/verschachtelte-vpn-verbindungen.png

    The scheme for the nested connection seems to fit the situation that I described in my first post.

    Can anyone please better describe to me the difference between those two situations and what kind of traffic and IP addresses "Server B" would see in both cases? Thank you!
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
  5. Summy23

    Summy23 Registered Member

    Joined:
    Sep 9, 2018
    Posts:
    3
    Location:
    Europe
    I'm sorry, I really tried to understand your article, but I'm still confused.

    The most important thing for me is: If I set it up as described in my first post (VPN client on computer connected to DD-WRT router with a separate VPN), would the exit node be able to find out my real IP if he is malicious? Just trying to keep it simple. :/
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    As I said in my first reply, what you proposed will work. If the router runs a VPN client, and is configured to route LAN traffic through the resulting VPN tunnel, everything on your computer will reach the Internet through that tunnel, and VPN exit server. My diagram shows exactly that, with VPN1 corresponding to your router. So a VPN client running on your computer will connect to its server through the router's VPN tunnel. And it will establish a tunnel nested inside the router's VPN tunnel. So apps on the computer will connect through the nested VPN chain.

    The router's VPN provider knows who you are, or at least your IP address, and also that you connect to another VPN server. But it can't see what you're doing online. It just sees encrypted traffic. The computer's VPN provider sees what you're doing online, except to the extent that you use end-to-end encryption. And it knows that you're connecting to it using the other VPN provider. But otherwise, it doesn't know who you are, except to whatever you reveal in paying for it. Or if there's personally identifiable information on the computer.

    So it's prudent to pay for the second VPN with well-mixed Bitcoin. Or cash in the mail. Or, less securely, a gift card purchased with cash, at least somewhat discreetly. And it's prudent to use a dedicated computer with the VPN chain, which contains no information associated with your meatspace identity. No email accounts. No social media. No shared family, friends, contacts, etc. Not even any shared interests. This is the essence of compartmentalization.

    Adversaries could deanonymize you from either end, by working back the chain. They'd go to the VPN provider that they know, with traffic logs, and seek to determine where the traffic of interest came from or went to. If that's another VPN provider, then they'd go to them with traffic logs, and seek to determine where the traffic of interest came from or went to. And so on, through however many VPNs you have in your chain, until they get to you.

    But some VPNs don't retain traffic logs, so maybe adversaries will hit a dead end. So let's say that adversaries will succeed on average 10% of the time with each VPN in the chain. With two nested VPNs, the overall success rate will be 1%. With three, it'll be 0.1%. And so on. And if the average success rate is 5% instead of 10%, the overall success rate with two VPNs will be 0.25%, and with three, 0.013%.
     
    Last edited: Sep 13, 2018 at 5:17 PM
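
Added example (not part of any post in this thread): a toy Python model of the nested setup discussed above, showing what VPN server A and VPN server B can each log, plus the per-hop trace-back arithmetic from the last reply. All IP addresses are constructed documentation-range values; that each server NATs forwarded traffic to its own address and that per-hop odds are independent are assumptions of the model.

```python
# Added example: toy model of the nested VPN chain discussed in this thread.
# All addresses are constructed documentation-range values, not real servers.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object           # str = application data, Packet = encapsulated inner packet
    encrypted: bool = False   # True when the payload is sealed for dst only

HOME, VPN_A, VPN_B, SITE = "198.51.100.7", "203.0.113.10", "203.0.113.20", "192.0.2.80"

def client_send(data):
    """The computer wraps traffic for VPN B; the router then wraps that for VPN A."""
    app = Packet("10.8.0.2", SITE, data)              # inside tunnel B (tunnel-internal address)
    to_b = Packet("192.168.1.50", VPN_B, app, True)   # computer's VPN client -> server B
    return Packet(HOME, VPN_A, to_b, True)            # router's VPN client -> server A

def vpn_exit(pkt, my_ip):
    """A VPN server removes one layer and NATs the inner packet to its own IP (assumed)."""
    assert pkt.dst == my_ip and pkt.encrypted
    inner = pkt.payload
    return pkt, Packet(my_ip, inner.dst, inner.payload, inner.encrypted)

def view(received, forwarded):
    """What a server could log: connecting peer, next hop, and readable content if any."""
    return {"peer": received.src, "next_hop": forwarded.dst,
            "content": "opaque" if forwarded.encrypted else forwarded.payload}

def trace():
    """Follow one request through both servers and collect each server's view."""
    rx_a, out_a = vpn_exit(client_send("GET /"), VPN_A)
    rx_b, out_b = vpn_exit(out_a, VPN_B)
    return {"A": view(rx_a, out_a), "B": view(rx_b, out_b), "site_sees_src": out_b.src}

def traceback_success(per_hop, hops):
    """Chance of working back through every hop, assuming independent per-hop odds."""
    return per_hop ** hops

if __name__ == "__main__":
    for name, seen in trace().items():
        print(name, seen)
    print(f"{traceback_success(0.10, 2):.2%}  {traceback_success(0.05, 3):.4%}")
```

In this model the application data stands for unencrypted traffic; with end-to-end encryption such as HTTPS, server B would still see the destination but not the content.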