VPN chaining/nesting; what do providers see?

Posted on 2011-04-29
Last Modified: 2012-05-11
I've chained two VPNs (OpenVPN over PPTP). Do both providers see where I'm from and what my destination is? Is it possible to nest them so that each provider sees only either the source or destination?
Question by:11friend
    LVL 32

    Assisted Solution

    Source and destination don't change just by running a VPN within a VPN.

    To chain them, you VPN from Location A to Location B. Then have a tunnel from Location B to Location C...and on and on.

    I believe that is the idea behind Tor, the onion router.  The last link can see your unencrypted traffic, but doesn't know the requestor.  The first link knows the requestor, but doesn't see the data because it's encrypted.

    For simple anonymity, you can look at a paid service like   They are there for personal privacy, or privacy for research.  Not privacy for criminal activity...they will comply with court order or law enforcement investigation.

    But, the Windows client is decent.  The iPhone/iPad client is problem free, and you don't notice any major difference in speed.  You need to have a paid account, then download the app through a web page.
    LVL 60

    Expert Comment

    This would be related.


    Proxy chaining doesn't do anything but shift the risk to the weakest party involved. If you don't trust the VPN company not to know your identity, then you should not trust them to handle your exit traffic. Presume you did use an intermediary service between you and them. With access to your exit traffic they can discover your identity by watching your traffic and the sites you visit, or evil code injection to cause your VPN connection to leak or phone home outside the VPN.

    Author Comment

    Breadtan, do you confirm the second VPN company has only the IP of the first one (but with some extra work gets the real one)?
    What exactly did you mean by 'evil code injection' and 'phone home outside the VPN'?
    LVL 60

    Accepted Solution

    I did not try it, but we know that the fundamental of a VPN is to encapsulate the data within and only reveal it at the terminating point of the VPN server. So if the first connection to PPTP is established, the PPTP server (Company A) knows your "internal" IP (to be assigned). Thereafter, when you attempt OpenVPN, assuming split tunneling, it would be an independent IP and Company B would not see your internal IP in Company A. I did not verify that though, do share if otherwise :)

    Also we know that OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. Packets sent by an operating system via a TUN/TAP driver are delivered to a user-space program that attaches itself to the driver. A user-space program may also pass packets into a TUN/TAP driver. In this case TUN/TAP driver delivers (or "injects") these packets to the operating system network stack thus emulating their reception from an external source.

    Since we are using the same machine, assuming it is compromised, I do not see it as impossible for the malware to inject itself into the TUN/TAP driver layer, either for tampering or intercepting to fill the data to be exfiltrated. The machine has since become a bridge for data leakage between Company A and Company B.

    The suggestion is not to have such VPN chaining where possible, especially when we know that PPTP is as secure as the user password and the crypto used is weaker compared to OpenVPN. The weakest link is PPTP even if you employ another, stronger VPN such as OpenVPN.

    Hope that I have helped, as much as I did not verify my thoughts ....
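
The question of what each provider observes can be traced with a small encapsulation model. This is an added example, not part of the thread or any participant's code. It assumes the OpenVPN session is routed entirely inside the PPTP tunnel (no split tunneling), both providers NAT outbound traffic, the request to the destination is unencrypted, and all addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional, Union

# Constructed addresses (documentation/private ranges), not from the thread.
CLIENT_REAL = "198.51.100.7"   # client's ISP-assigned address
A_SERVER = "203.0.113.10"      # provider A: outer tunnel (PPTP), also its NAT exit
B_SERVER = "192.0.2.20"        # provider B: inner tunnel (OpenVPN), also its NAT exit
DEST = "192.0.2.80"            # final web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: Union["Packet", bytes]
    sealed_for: Optional[str] = None   # tunnel endpoint able to open the payload


def build_nested(request: bytes) -> Packet:
    """Client side: app packet -> inner tunnel to B -> outer tunnel to A."""
    app = Packet("10.8.0.6", DEST, request)            # src: address B assigned
    inner = Packet("10.0.0.5", B_SERVER, app, "B")     # src: address A assigned
    return Packet(CLIENT_REAL, A_SERVER, inner, "A")


def terminate(name: str, server_ip: str, pkt: Packet):
    """Tunnel endpoint: open one layer, note what is visible, NAT and forward."""
    if pkt.dst != server_ip or pkt.sealed_for != name:
        raise ValueError(f"{name} cannot open this packet")
    inner = pkt.payload
    view = {
        "peer_ip": pkt.src,                              # who connected to me
        "next_hop": inner.dst,                           # where I forward to
        "payload_readable": inner.sealed_for is None,    # can I read the content?
    }
    return view, replace(inner, src=server_ip)


def provider_views(request: bytes = b"GET / HTTP/1.1"):
    """Walk one request through A then B and collect each party's view."""
    view_a, to_b = terminate("A", A_SERVER, build_nested(request))
    view_b, to_dest = terminate("B", B_SERVER, to_b)
    return {"A": view_a, "B": view_b, "dest_sees_src": to_dest.src}


if __name__ == "__main__":
    for who, seen in provider_views().items():
        print(who, seen)
```

In this model provider A sees the real client address but only an opaque stream to B, while B sees A's exit address, the destination, and readable content, which is where the identity leak raised in the expert comment comes from.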
