From Newsgroup: comp.sys.mac.system

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 9/3/24 15:39, david wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Theoretically you can.

Technicalities come into play.

Most VPNs add a default route to cause all traffic to run through the
VPN. So when you start the second VPN it alters the default route to go through it thus usurping the first VPN. Humans can be smarter than this
and work around it.

The other common problem is related to NAT and the VPN protocol. Some
NATing routers assume that all traffic for some VPN protocols goes
specific places (stateful table) and the second VPN breaks this assumption.

You probably can make multiple VPNs work. It's going to be annoying at
best and difficult to impossible with wizards.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

david <this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

How are you going to tell the 1st VPN's exit node (that you don't know
what it will be, or how to send redirection commands to it) where to
find the 2nd VPN's entry node?
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 9/3/24 22:16, VanguardLH wrote:

How are you going to tell the 1st VPN's exit node (that you don't
know what it will be, or how to send redirection commands to it)
where to find the 2nd VPN's entry node?

That all has to do with routing.

route add ${VPN_1_OUTSIDE_REMOTE_ENDPOINT} via ${ISP_GW}
route add ${VPN_2_OUTSIDE_REMOTE_ENDPOINT} via
${VPN_1_INSIDE_REMOTE_ENDPOINT}
route add default via ${VPN_2_INSIDE_REMOTE_ENDPOINT}



Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 2024-09-04 01:05:21 +0000, Grant Taylor said:

On 9/3/24 15:39, david wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Theoretically you can.

Technicalities come into play.

Most VPNs add a default route to cause all traffic to run through the
VPN. So when you start the second VPN it alters the default route to
go through it thus usurping the first VPN. Humans can be smarter than
this and work around it.

The other common problem is related to NAT and the VPN protocol. Some NATing routers assume that all traffic for some VPN protocols goes
specific places (stateful table) and the second VPN breaks this
assumption.

You probably can make multiple VPNs work. It's going to be annoying at
best and difficult to impossible with wizards.

Doesn't tak much wizardry really. Start a normal VPN under MacOS. Open
your web browser and use a web-based VPN to then visti a website.
You've got a double VPN. You could use that web0-based VPN to visit
another web-based VPN, getting a triple VPN.

Of course, each layer you add slows down your connection to the final
website because it has to go through all those VPN systems. It's also
pretty pointless (despite what crime-tech dramas like to use in their storylines about people hackers bouncing their conneciton all around
the world).



--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On Wed, 4 Sep 2024 17:47:26 +1200, Your Name wrote:

Open your web browser and use a web-based VPN to then visit a website. You've got a double VPN.

Everyone already does that using the free Epic or Opera VPN browsers. https://epicbrowser.com/
https://www.opera.com/features/free-vpn

But what the OP is asking about is system-wide VPN, not browser VPN.
Grant is answering the question of system-wide double VPN'ing.

It would be nice to see an example of that working with one of the many available no-registration free VPNs out there, such as "vpngate.net".
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On Wed, 4 Sep 2024 01:05:43 -0500, Harry S Robins wrote:

Grant is answering the question of system-wide double VPN'ing.

It would be nice to see an example of that working with one of the many available no-registration free VPNs out there, such as "vpngate.net".

I'd like to see this vpn inside of vpn example running with one of the main free vpns like tunnelbear or vanwa.tech or protonvpn or freeopenvpn.org.

If vpn inside of vpn actually works, it should work with one of those.

None of them require registration so you don't have to physically agree to
any of their terms, nor do you pay them, nor do you even need to register a credit card and they don't know what IP address you'll be coming from ahead
of time, so they can't lock you out for coming from some other IP address
like Google mail does when you use VPN.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 2024-09-04 06:05:43 +0000, Harry S Robins said:

On Wed, 4 Sep 2024 17:47:26 +1200, Your Name wrote:

Open your web browser and use a web-based VPN to then visit a website.
You've got a double VPN.

Everyone already does that using the free Epic or Opera VPN browsers. https://epicbrowser.com/
https://www.opera.com/features/free-vpn

But what the OP is asking about is system-wide VPN, not browser VPN.
Grant is answering the question of system-wide double VPN'ing.

It would be nice to see an example of that working with one of the many available no-registration free VPNs out there, such as "vpngate.net".

I was answering the statement that you cannot use mutliple VPNs without
some sort of wizardry. As I said, you can set-up a system wide VPN and
*then* use a web-based VPN within the browser - that gives you a double
VPN. Keep chain-linking web-based VPNs and you'll have multiple VPN
layers. It's relatively easy and requires no wizardry, but is rather pointless.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 04/09/2024 08.05, Harry S Robins wrote:

On Wed, 4 Sep 2024 17:47:26 +1200, Your Name wrote:

Open your web browser and use a web-based VPN to then visit a website.
You've got a double VPN.

Everyone already does that using the free Epic or Opera VPN browsers. https://epicbrowser.com/
https://www.opera.com/features/free-vpn

But what the OP is asking about is system-wide VPN, not browser VPN.
Grant is answering the question of system-wide double VPN'ing.

It would be nice to see an example of that working with one of the many available no-registration free VPNs out there, such as "vpngate.net".

I guess this would be "simple" with a distribution like QubeOS, you
should be a able to have one gateway-container that connects over vpn,
then another one uses that gateway-container as it's gateway and setup
it's own vpn and then you say other applications will use the last
gaterway container as the gateway to the internet.

For those that don't want to use QubeOS or don't want to experiment with containers of different types, then I would suggest use your routers vpn feature to setup first vpn (sure you need a bit better than just the
cheapest one from alibaba), then you can set up your vpn as usually.

This feels like you don't trust the first vpn but you trust the second
one, then use the second one directly.
--
//Aho
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On Wed, 9/4/2024 6:10 AM, J.O. Aho wrote:

This feels like you don't trust the first vpn but you trust the second one, then use the second one directly.

It's an attempt to "go through seven proxies" :-)

"Don't worry I'm behind 7 proxies"

Paul

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 04/09/2024 14:04, Paul wrote:
<snip>

Paul

Hello Paul

I've tried not to bother you for quite some time now! 🙂

Right now, I simply wish to report that my cyber-friend, for many years,
Philip 'Philo' Kastner, who lived in Milwaukee, Wisconsin, USA, was
found dead on the floor of his workshop last week.

He will be sadly missed.

https://www.facebook.com/philip.kassner
--
Kind regards,
David


--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 2024-09-03, david <this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

What would be the benefit of doing that?
--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On Tue, 3 Sep 2024 22:16:49 -0500, VanguardLH <V@nguard.LH> wrote:

david <this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

How are you going to tell the 1st VPN's exit node (that you don't know
what it will be, or how to send redirection commands to it) where to
find the 2nd VPN's entry node?

Hire a "Felicity-level" hacker to do it with three mousey clicks.

That's what everyone else does on TV and in movies.

Don't try to tell us that it's not that simple in Real Life. I've
seen *dozens* of them do it hundreds of times.

Though Sargeant Bailey did have some issues with a website, once, but
that was an exception and super-secure so it's excusable.

J.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On Wed, 9/4/2024 11:12 AM, David Brooks wrote:

On 04/09/2024 14:04, Paul wrote:
<snip>

    Paul

Hello Paul

I've tried not to bother you for quite some time now! 🙂

Right now, I simply wish to report that my cyber-friend, for many years, Philip 'Philo' Kastner, who lived in Milwaukee, Wisconsin, USA, was
found dead on the floor of his workshop last week.

He will be sadly missed.

https://www.facebook.com/philip.kassner

I wonder if he knew his number was up.

He came back for a while, just recently, and
playing around with computers seemed to be
what he was up to. (Presumably in the workshop a lot)

Yes, a nice guy. Could use more of them.

Paul
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 04/09/2024 22:28, Paul wrote:

On Wed, 9/4/2024 11:12 AM, David Brooks wrote:

On 04/09/2024 14:04, Paul wrote:
<snip>

    Paul

Hello Paul

I've tried not to bother you for quite some time now! 🙂

Right now, I simply wish to report that my cyber-friend, for many years,
Philip 'Philo' Kastner, who lived in Milwaukee, Wisconsin, USA, was
found dead on the floor of his workshop last week.

He will be sadly missed.

https://www.facebook.com/philip.kassner

I wonder if he knew his number was up.

He came back for a while, just recently, and
playing around with computers seemed to be
what he was up to. (Presumably in the workshop a lot)

Yes, a nice guy. Could use more of them.

Paul

Much like you, he was honest and true.

Thank you for acknowledging my post.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 03.09.2024 um 14:39 Uhr david wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

It is possible to do so with specific routing rules because VPN works
at the routing level.
You may need to change the routing table.
E.g. you have a VPN-Server 1 on 2001:db8::1, you need a routing table
entry like
2001:db8::1/128 via - normal default router
This will make sure traffic to VPN1 goes through the normal connection.
Then you need VPN on 2001:db8:2::2.
You now need a rule
2001:db8:2::2/128 via <Tunnel-dev on VPN 1>
From this one you get a default route (::/0) that goes through the
VPN tunnel 2 device.
::/0 dev-vpn-tun2
--
kind regards
Marco
Send spam to 1725367187muell@cartoonies.org
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 9/4/24 01:10, Bill Powell wrote:

If vpn inside of vpn actually works, it should work with one of those.

Using multiple VPNs that use the same protocol is almost certainly
technically possible.

But using different protocols will make configuration considerably easier.

E.g. IPsec / OpenVPN / Wireguard
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

In alt.comp.os.windows-10, on Tue, 3 Sep 2024 14:39:47 -0600, david <this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Why can't you have a girlfriend when you've already got a girlfriend?

...Oh, wait.

Why can't you be riding on one train when you're already riding on
another train? Yeah, let's go with that.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 2024-09-08 04:20:15 +0000, micky said:

In alt.comp.os.windows-10, on Tue, 3 Sep 2024 14:39:47 -0600, david <this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Why can't you have a girlfriend when you've already got a girlfriend?

...Oh, wait.

Why can't you be riding on one train when you're already riding on
another train? Yeah, let's go with that.

Technically you can ... if the first train is being carried as cargo by
a second train. :-p

But realistically that example doesn't work. It would be more like the
second train pushing the first train. It's basically a daisy chain of
VPN servers, each connecting to the next one, so you data has to pass
through each one in turn.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On Sun, 9/8/2024 1:39 AM, Your Name wrote:

On 2024-09-08 04:20:15 +0000, micky said:

In alt.comp.os.windows-10, on Tue, 3 Sep 2024 14:39:47 -0600, david
<this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Why can't you  have a girlfriend when you've already got a girlfriend?

...Oh, wait.

Why can't you be riding on one train when you're already riding on
another train?   Yeah, let's go with that.

Technically you can ... if the first train is being carried as cargo by a second train.  :-p

But realistically that example doesn't work. It would be more like the second train pushing the first train. It's basically a daisy chain of VPN servers, each connecting to the next one, so you data has to pass through each one in turn.

As long as you're behind seven proxies when playing
with the trains, you're going to be fine.

Paul
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 03/09/2024 22.39, david wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Yes you can, there is a number of solutions to this. but let's not go
into details as many of the posts already poked on them.

The real question is why would you want to do that? You tend to get no
further "security" of "anonymity" of it. The last VPN will be the one
that can decipher your traffic anyway.
--
//Aho
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

micky wrote on 8/9/24 2:20 pm:

In alt.comp.os.windows-10, on Tue, 3 Sep 2024 14:39:47 -0600, david <this@is.invalid> wrote:

What I don't get is if you're on your isp, you can get on vpn.
So why can't you get on another vpn when you're already on vpn?
Or, maybe, you can?

Why can't you have a girlfriend when you've already got a girlfriend?

You can, of course you can ...... unless you are meaning Girlfriends
WITH BENEFITS!! ;-P Some might suggest even then you can.

...Oh, wait.

Why can't you be riding on one train when you're already riding on
another train? Yeah, let's go with that.

If one train is 'repositioning' the other train ... then Sure, you can!!
--
Daniel
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

Using <news:lk547cFesj4U1@mid.individual.net>, J.O. Aho wrote:

The real question is why would you want to do that? You tend to get no further "security" of "anonymity" of it. The last VPN will be the one
that can decipher your traffic anyway.

Thank you and everyone for trying to point out that supposed futility.

Maybe I fundamentally misunderstand everyone who said what you said, which
is that the last VPN will be able to decipher your traffic no matter what.

But isn't that dead wrong?

Isn't that what double NAT'ing does, or, more to the point, TOR?

I mean, isolating the nodes is what TOR does (among other things, of
course, including a different encryption scheme for each TOR node).

Why does it work perfectly for TOR and not work at all for VPN?
Makes no sense to me that what works for TOR won't work for VPN.

Maybe I misunderstand you when you say the last VPN node knows what you're doing, just as the last TOR exit node knows what you're doing.

The anonymity part is that this last node doesn't know WHO you are.

To be clear, whether it's TOR or VPN, if you have a node between you and
that TOR node or VPN server, then they don't know who you are, I thought.

TOR -> Node 1 -> Node 2 -> Node 3 -> google
{Node 3 doesn't know your IP address which only Node 1 knows}
{All google knows is the IP address of Node 3)
{The encryption scheme is isolated between nodes}

VPN -> VPN server 1 -> VPN server 2 -> https://Epic/Opera -> google
{Server 2 doesn't know your IP address which only server 1 knows}
{All google knows is the IP address of Epic/Opera)'
{All Epic/Opera know is the IP address of VPN server 2)\
{The encryption scheme is isolated between nodes}

Or am I wrong?
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 08/09/2024 19.39, david wrote:

Using <news:lk547cFesj4U1@mid.individual.net>, J.O. Aho wrote:

The real question is why would you want to do that? You tend to get no
further "security" of "anonymity" of it. The last VPN will be the one
that can decipher your traffic anyway.

Thank you and everyone for trying to point out that supposed futility.

Maybe I fundamentally misunderstand everyone who said what you said, which
is that the last VPN will be able to decipher your traffic no matter what.

Exit points will be decrypting the data and forward the traffic to the intended server, then encrypt the reply and send it back. Sure this
don't mean they will automatically be a man in the middle, but they know
what server you tried to connect with, they may know what DNS requests
(at least know which name server you used) you done if they go use the VPN/TOR.

But isn't that dead wrong?

Isn't that what double NAT'ing does, or, more to the point, TOR?

It's just a try to hide the source, it don't hide the data you send, so
if you use TOR and you use the same exit point for a number of requests
they will know what you may be doing. There are or have been methods for
exit nodes to figure out the origin, which nullifies the point of TOR.

Why does it work perfectly for TOR and not work at all for VPN?

They work differently

When you tunnel a vpn over another vpn, it just makes the outer vpn to
keep your data one layer encrypted from you to the server of that vpn
(they will know which vpn you connect to), the there is the second
layer between the two vpns, the last vpn will know more or less
everything about you, so you don't get anything else than just an extra encryption of your date for a limited distance.

Unless your end vpn uses a really crappy encryption, you will not gain
any benefit from running vpn trough a vpn, just remember that the crappy encryption will still be there between the two vpns. The best is to just connect to the vpn you trust the most directly.

1
2 3
(you) EEEEEEEEEEEEEEEEEE> vpn1 ===============> vpn2 ----------------------------->(site)

Assuming the site you connect to uses https

1. Your ISP will know you use VPN1
Your data is encrypted 3 times

2. VPN1 knows that you use VPN2
The data is encrypted 2 times

3. VPN2 knows which IP and most likely the domain name too you connect to
The data is encrypted once


Assume the site is just using http

1. Your ISP will know you use VPN1
Your data is encrypted twice

2. VPN1 knows that you use VPN2
The data is encrypted

3. VPN2 can read your traffic
The data is in plain text from the VPN2 to the site

In all the cases the VPNs know your IP.
--
//Aho
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.sys.mac.system

On 9/8/24 13:15, J.O. Aho wrote:

In all the cases the VPNs know your IP.

I question the veracity of that.

Using your example:

(you) EEEEEEEEEEEEEEEEEE> vpn1 ===============> vpn2 ----------------------------->(site)

vpn1 knows (you) as the source and vpn2 the destination

vpn2 knows vpn1 as the source and (site) as the destination

(site) knows vpn2 as the source and itself as the destination

Depending on the type of business arrangement you have with vpn2, they
may not have any personally identifiable information about you and as
such can't correlate who you are independent of your source IP.

We see this type of nesting with Tor and Oblivious DoH.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114