Chaining VPNs before Tor (VPN>VPN>VPN>VPN>Tor). Is it more private?

IVPN, a PrivacyGuides recommended VPN, suggests chaining commercial VPNs purchased through cryptocurrency as a way to increase the anonymity before Tor. That way if a Tor connection is deanonymized, the attacker would also have to deanonymize separate VPN providers, either using netflow or attempting to pressure companies to log data.


Each star denotes a VPN exit, with an invariant IP address that’s shared by all users. Two VPN services (VPN1 and VPN2) form the backbone. A third VPN service, routed through VPN2, provides multiple simultaneous exits (VPN3a and VPN3b). A Tor client, also routed through VPN2, provides Internet access through a cloud of frequently changing exit IP addresses that are shared by many other users. Finally, a fourth VPN service (VPN4) is routed through the Tor connection.

For most internet browsing, VPN4 can be excluded because it weakens anonymity.

Each VPN tunnel in a nested chain provides some degree of separation and anonymity. How much depends on such factors as the number of concurrent users, what the service logs, and the availability of any logs to adversaries. But generally, your risk of association is greatest with the VPN1 exit, less with the VPN2 exit, and even less with the VPN3a and VPN3b exits. Tor connections arguably provide far more separation and anonymity, so your risk of association through the Tor exit cloud is far less than through the VPN3 exits.

Source: IVPN - Guides - advanced-privacy-and-anonymity-part-3

Whether or not this provides more anonymity, or potentially harms it, is a subject of debate within the security community. The plan is to use this setup for providing anonymity against governments with the capability to monitor large sections of the internet. Mullvad’s DAITA, when used as a link, could help battle the AI analysis threat.

Of course, when I ran tests on this, internet connection speed was horrific, a few kilobytes per second, but the slow speed is worth it if it lowers the chances of the source IP being discovered through traffic analysis.

I would like to hear your opinion on this.

Overkill.
Tor > VPN paid with Monero is enough for both privacy and usability.
VPN > Tor to post sensitive materials and access .onion web
I2P as alternative.

Everything else like that 7 proxies thing is just simply stupid.

Like you said, your speed is gonna be terrible and it’s just overall a really janky setup. There’s services like iCloud Private Relay and Obscura VPN that are built from the ground up to use multiple hops from different companies, but they have their limitations of course. Nym looks promising as well, you could try it out and see what you think. For now I think Tor is going to be massively better than trying to chain VPNs together anyway, and there’s a lot of options being worked on to fill this niche. Watch and see when Obscura supports your operating system of choice because I think that’ll be a much better experience than chaining VPNs together.

As for chaining VPNs before Tor, really insane idea to me. Tor is already a complete system, you don’t really need anything in front of it unless you need to hide that you’re on Tor, say it’s illegal where you live or blocked (this is definitely a weakness of Tor).

2 Likes

Please see TorPlusVPN · Wiki · Legacy / Trac · GitLab

1 Like

Source for this? (Curious)

Mullvad DAITA always uses two hops, so it seems enough. Remember that will be 5 hops in total, all of them using anti-fingerprinting analysis (Tor also has protection for this).

As said above, using Nym could be an option, but Nym already has 5 hops and they actually delay packages on each hop, so you are probably looking at 30% Tor Speed.

How did you chain the VPNs together?

multihop is optional with daita iirc

1 Like

Yep, that is correct

Is daita enough of a killer feature to recommend mullvad over ivpn for browsing?

The cynical take here is that VPN companies will win with this setup especially when a lot of the VPNs are owned by the same company.

I know the ones we trust here aren’t owned by the same company and it sort of should be ok but the usability of this is still outright bad and would still trigger all the captchas. If you have to do this Mullvad paid with Monero or cash should be enough then to go to Tor from there.

Gestures at the internet: the amount of internet that can be served over kb connections can be listed on a website of “text only web pages”

For that level of worry, might as well spin up an i2p client between you and the vpn. Or just use i2p.

I think that just using tor to visit an onion address gets you 6 hops from the get go.

VPN before tor also requires you to reset the tor browser so you’re not using the same key server.

You are actually right, but they have very few DAITA servers so it will most of the time automatically multi-hop so your entry point is the server you selected and the exit is the DAITA VPN server.

Waste. Just use multihop vpn on RDP server. Most tor exploits try to interact with your OS so use RDP for added security.