Multihop with WireGuard
WireGuard Windows Linux macOS Desktop Feature Multihop
Data ostatniej aktualizacji:
What
Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to sub-optimal ISP peering. Each WireGuard® server is connected to all the other WireGuard servers through WireGuard tunnels. This means you can multihop from one server to another.
Since data will be encrypted end-to-end this solutions adds security and privacy benefit even if the first server is compromised (as compared to the SOCK5 solution). However you can use the SOCKS5 solution in combination with described solution's here and end up with a triple-hop-solution with different exit node per application.
How
The easiest way is to enable Multihop in the Mullvad app settings. Go to Advanced > VPN settings > WireGuard settings > Enable multihop. You can then go back and click on Switch location and select an Entry location and Exit location.
If you use WireGuard without the Mullvad app then you can go to the WireGuard configuration generator and enable Multihop in the Advanced settings.
For advanced users read the Multihop section of WireGuard on Linux terminal (advanced).
Why
Increasing your privacy
Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security even if one server were to be compromised. Adversaries would need to launch timing attacks against the traffic in multiple locations in order to analyze your online usage.
Possible threats to single hop VPN
A key question is whether you can trust the data center where the VPN server is located. VPN services such as Mullvad rent or lease servers from data centers all over the world for their network. VPN servers are encrypted, secure, and under the control of Mullvad, thereby preventing third-party access to sensitive user-data and traffic.
But, the data-center could be forced, or unknowingly equipped with monitors of incoming and outgoing traffic, on the VPN server. This can also account for the transit providers that provide internet connectivity to the data-center. Users should take some monitoring of all traffic into account, at least traffic that crosses national borders. The typical minimal monitoring requirement is who connects to whom, including traffic volumes, and at what time (registering IP addresses and time stamps). If using one single VPN server, timing analysis could be performed by someone having access to this monitoring data, plus data logged from the external service that you used after connected to a VPN server.
Multihop - Another layer of security
Even though a standard, single-hop VPN configuration will be adequate for the majority of users, incoming/outgoing traffic correlation may still be possible. Multihop adds another level of security for those concerned where the correlating of in and outgoing traffic over several locations (with different ISP and hosting providers) and preferably nations, becomes even more difficult.
Improving latency/performance
Generally, Multihop will make your connection slower over distance. BUT, a lot of ISPs do not work that well together (they have inefficient peering or no peering at all), and by combining entry and exit nodes, you could end up using an ISP that works better together (yours, Mullvad’s, and the service you are using), ending up with a faster connection than without a VPN or Multihop. It might be useful to try and combine entry and exit nodes in order to resolve speed issues.
"WireGuard" is a registered trademark of Jason A. Donenfeld.