vpn chaining/nesting; what do providers see?

I've chained two VPNs (OpenVPN over PPTP). Do both providers see where I'm from and what my destination is? Is it possible to nest them so that each provider sees only either the source or the destination?
2 Solutions
Source and destination don't change just by running a VPN within a VPN.

To chain them, you VPN from Location A to Location B. Then have a tunnel from Location B to Location C... and on and on.

I believe that is the idea behind Tor, the onion router. The last link can see your unencrypted traffic, but doesn't know the requestor. The first link knows the requestor, but doesn't see the data because it's encrypted.

For simple anonymity, you can look at a paid service like Anonymizer.com. They are there for personal privacy, or privacy for research, not privacy for criminal activity... they will comply with a court order or law enforcement investigation.

But, the Windows client is decent.  The iPhone/iPad client is problem free, and you don't notice any major difference in speed.  You need to have a paid account, then download the app through a web page.
btan (Exec Consultant) commented:
This would be related.

@ http://www.wilderssecurity.com/showthread.php?t=244349

Proxy chaining doesn't do anything but shift the risk to the weakest party involved. If you don't trust the VPN company not to know your identity, then you should not trust them to handle your exit traffic. Presume you did use an intermediary service between you and them. With access to your exit traffic they can discover your identity by watching your traffic and the sites you visit, or evil code injection to cause your VPN connection to leak or phone home outside the VPN.
11friend (Author) commented:
Breadtan, do you confirm the second VPN company has only the IP of the first one (but with some extra work gets the real one)?
What exactly did you mean by 'evil code injection' and 'phone home outside the VPN'?
btan (Exec Consultant) commented:
I did not try it, though, but we know that the VPN fundamental is to encapsulate the data within and only reveal it at the terminating point of the VPN server. So if the case is that the first connection to PPTP is established, the PPTP server (Company A) knows your "internal" IP (to be assigned). Thereafter, when you attempt OpenVPN, assuming split tunneling, it would be an independent IP and Company B would not see your internal IP in Company A. I did not verify that though; do share if otherwise :)

Also we know that OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. Packets sent by an operating system via a TUN/TAP driver are delivered to a user-space program that attaches itself to the driver. A user-space program may also pass packets into a TUN/TAP driver. In this case TUN/TAP driver delivers (or "injects") these packets to the operating system network stack thus emulating their reception from an external source.

Since we are using the same machine, assuming it is compromised, I do not see it as impossible for the malware to inject itself into the TUN/TAP driver layer, either for tampering or for intercepting to fill in the data to be exfiltrated. The machine has then become a bridge for data leakage between Company A and Company B.

My suggestion is not to have such VPN chaining where possible, especially when we know that PPTP is only as secure as the user password and the crypto used is weaker compared to OpenVPN. The weakest link is PPTP, even if you employed another stronger VPN such as OpenVPN.


Hope that I have helped, although I did not verify my thoughts ....
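To make the visibility question concrete for both the A-to-B-to-C chaining in the first solution and the "does Company B see my internal IP" exchange above, here is an added model (not code from the thread or from any VPN product) of two nested tunnels: the client wraps its packet once per provider, each provider strips only its own layer, and the model records what that provider can observe. The provider names, addresses, keys and the toy keystream cipher are all constructed assumptions for the demo.

```python
import hashlib
from dataclasses import dataclass

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream: a stand-in for the tunnel's
    real cipher so the demo runs offline. Symmetric, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

@dataclass
class Hop:
    name: str       # provider
    endpoint: str   # provider's VPN server address
    assigned: str   # tunnel-internal IP the provider hands the client
    key: bytes      # session key shared between client and this provider

def pack(src: str, dst: str, payload: bytes) -> bytes:
    return f"{src}|{dst}|".encode() + payload

def unpack(frame: bytes):
    src, dst, payload = frame.split(b"|", 2)   # maxsplit=2 leaves any '|' in the payload intact
    return src.decode(), dst.decode(), payload

def build_chain(client_ip: str, hops: list, dest: str, app_data: bytes) -> bytes:
    """Wrap inside out: the exit provider's layer first, the first provider's outermost."""
    frame = pack(hops[-1].assigned, dest, app_data)   # what the exit hop forwards
    for i in range(len(hops) - 1, -1, -1):
        outer_src = hops[i - 1].assigned if i > 0 else client_ip
        frame = pack(outer_src, hops[i].endpoint, toy_cipher(hops[i].key, frame))
    return frame

def provider_views(frame: bytes, hops: list) -> list:
    """Peel one layer per hop and record what that provider observes."""
    views = []
    for hop in hops:
        seen_src, _, ciphertext = unpack(frame)
        frame = toy_cipher(hop.key, ciphertext)    # the provider decrypts its own layer
        _, next_dst, next_payload = unpack(frame)
        views.append({"provider": hop.name, "source": seen_src,
                      "next_hop": next_dst, "payload": next_payload})
    return views

# Constructed sample values (documentation address ranges), not from any real deployment.
CLIENT_IP, DEST, APP_DATA = "203.0.113.7", "192.0.2.80", b"GET / HTTP/1.1"
HOPS = [Hop("Provider A (PPTP)", "198.51.100.1", "10.8.0.2", b"key-A"),
        Hop("Provider B (OpenVPN)", "198.51.100.2", "10.9.0.2", b"key-B")]
```

Provider A's view holds the client's real address but only an opaque blob and the next hop; Provider B's view holds the final destination and readable data but only the A-assigned address as source. Joining the two views requires either the providers cooperating or, as noted above, a compromised client machine that sits inside both layers.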
