メインコンテンツに進む

Different entry/exit node using WireGuard and SOCKS5 proxy

WireGuard Windows Linux macOS Desktop Feature Multihop 

最終更新時刻:

What

By connecting to any of our WireGuard® servers and configuring your browser (or other SOCKS5 compatible software) to use another WireGuard server's SOCKS5 proxy, the browser’s traffic will EXIT in a different location than the WireGuard server you are connecting to. For example, you can connect using the Mullvad VPN app to a WireGuard server in Sweden, and configure your browser to use a SOCKS5 proxy in the US. Your browser traffic will then first enter a server in Sweden and then exit through a server the US. If you have separate browsers with separate settings, you can EXIT at the same time in several different locations. For example, by using Safari to exit in Sweden (no proxy) and Firefox to exit in the US (as in this example).

Note: This technique to jump from one server to another is generally called Multihop, however, even though all traffic between the WireGuard servers are encrypted, if someone has root access to the first server and the user data transported is not encrypted, the person with root access can see the data. If the data is encrypted with HTTPS the person with root access can see the domain names that are accessed (root access is something that only sysadmins at Mullvad have) and IP-addresses used. This is no different from our normal OpenVPN solution. However Multihop using our WireGuard guide protects even from root access to the entry server since it has end-to-end encryption.If you use the WireGuard configuration generator to enable multihop you can still use SOCKS5 as described here and add a third hop.

How

For instance, if you are connected to se1-wireguard.mullvad.net and then want to exit via se-mma-wg-004.relays.mullvad.net, you would configure your browser/program to use se-mma-wg-socks5-004.relays.mullvad.net on port 1080 as your exit node.

Example using Firefox:

  1.     Go to the Firefox menu.
  2.     Click on Preferences.
  3.     Scroll down to Network Proxy.
  4.     Click on Settings.
  5.     Select Manual proxy configuration.
  6.     Make sure HTTP/SSL and FTP proxy fields are empty.
  7.     In the SOCKS Host: field, enter se-mma-wg-socks5-004.relays.mullvad.net with port 1080.
  8.     Click on SOCKS v5 and enable "Remote DNS" or tick "Proxy DNS when using SOCKS v5".
  9.     Click on OK.
  10.     Navigate to our Connection check in order to verify the exit location.

Replace se4-wg.socks5.relays.mullvad.net above with any WireGuard server from our serverlist https://mullvad.net/servers/ Click on the server to see the SOCKS5 proxy address.

Why

Multihop can be used for many different reasons, for example, to increase your privacy or improve latency/performance due to sub-optimal ISP peering.

Increasing your privacy

Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security. Adversaries would need to launch timing attacks against the traffic in multiple locations in order to analyze your online usage. The solutions described in this guide with SOCKS5 does not protects from a compromised entry server (does not protect from the person having root access to the entry server).


Possible threats to single hop VPN

A key question is whether you can trust the data center where the VPN server is located. VPN services such as Mullvad rent or lease servers from data centers all over the world for their network. VPN servers are encrypted, secure, and under the control of Mullvad, thereby preventing third-party access to sensitive user-data and traffic.

But, the data-center could be forced, or unknowingly equipped with monitors of incoming and outgoing traffic, on the VPN server. This can also account for the transit providers that provide internet connectivity to the data-center. Users should take some monitoring of all traffic into account, at least traffic that crosses national borders. The typical minimal monitoring requirement is who connects to whom, including traffic volumes, and at what time (registering IP addresses and time stamps). If using one single VPN server, timing analysis could be performed by someone having access to this monitoring data, plus data logged from the service used.


Multihop - Another layer of security

Even though a standard, single-hop VPN configuration will be adequate for the majority of users, incoming/outgoing traffic correlation may still be possible. Multihop adds another level of security for those concerned where the correlating of in and outgoing traffic over several locations (with different ISP and hosting providers) and preferably nations, becomes  more difficult.


Improving latency/performance

Generally, Multihop will make your connection slower over distance. BUT, a lot of ISPs do not work that well together (they have inefficient peering or no peering at all), and by combining entry and exit nodes, you could end up using an ISP that works better together (yours, Mullvad’s, and the service you are using), ending up with a faster connection than without a VPN or Multihop. It might be useful to try and combine entry and exit nodes in order to resolve speed issues.


Additional Kill Switch

If you configure your browser, for example, to use the SOCKS5 proxy, it will direct all of your internet access via the proxy, which is only accessible through Mullvad. So, if you haven't turned on the app, your browser will prevent all internet access and therefore won't leak any information.

 

Important notes:

Your device needs to be connected to a Mullvad WireGuard server to be able to use the WireGuard proxies. If you use the Mullvad app, make sure it's set to use WireGuard and not OpenVPN.

 

 

"WireGuard" is a registered trademark of Jason A. Donenfeld.