Running IVPN in a multihop configuration on Linux can significantly improve privacy. Instead of connecting directly to a single exit node, you route your traffic through two (or more) VPN servers. This creates an additional layer of obfuscation, especially when combined with Linux’s built-in packet filtering framework — nftables.
- Added Metadata Protection – Your ISP only sees an encrypted tunnel to the first hop.
- Geolocation Separation – First hop and exit hop can be in different jurisdictions.
- Custom Firewall Rules – nftables lets you lock down leaks and control routing precisely.
Before configuring, you need:

- An active IVPN account with access to WireGuard or OpenVPN configs.
- Two server configs (entry and exit) for multihop.
- A Linux distribution with nft installed (Ubuntu 22.04+, Debian 12+, Fedora, Arch).
- Root access or sudo.
IVPN’s WireGuard multihop works by chaining two tunnels. You first connect to an “entry” server; that server forwards your traffic through a second “exit” server. With OpenVPN you can replicate it using custom routes. With nftables, you can make the routing explicit and restrict leaks.
1. Log into your IVPN dashboard.
2. Select Generate WireGuard Config.
3. Choose an Entry Server (closest to you) and an Exit Server (desired location).
4. Download both .conf files.

For WireGuard, bring both tunnels up:

```
sudo wg-quick up ivpn-entry.conf
sudo wg-quick up ivpn-exit.conf
```

Now you have wg0 (entry) and wg1 (exit).
Create /etc/nftables.conf or a dedicated ruleset:

```
table inet vpn {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "wg0" accept
        iifname "wg1" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "wg0" oifname "wg1" accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oifname "wg0" accept
        oifname "wg1" accept
    }
}
```

With every chain defaulting to drop, only the loopback and the two VPN interfaces can send or receive traffic.
Use ip rule to direct traffic through the entry hop:

```
sudo ip rule add from 0/0 table 100 priority 100
sudo ip route add default dev wg0 table 100
```

Then make sure packets leaving wg0 are carried into wg1 as the next hop; that nesting of the exit tunnel inside the entry tunnel is what produces the chained effect.
Force all DNS to go through IVPN servers:

```
sudo resolvectl dns wg1 10.0.0.1
sudo resolvectl domain wg1 ~.
```

Block outbound UDP/53 on non-VPN interfaces in nftables.

Load the rules:

```
sudo nft -f /etc/nftables.conf
```

Enable them at boot:

```
sudo systemctl enable nftables
```
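One caveat the ruleset above does not cover: the outer WireGuard handshake to the entry server leaves through the physical interface, and under an output policy of drop that flow has to be admitted explicitly or wg0 never comes up. The script below is an added example, not code from the original post or from IVPN: it reads the Endpoint from the entry .conf and emits an output chain that admits only that one UDP flow on the WAN interface, together with the UDP/53 block the DNS step calls for. The interface name eth0, the temporary file, and the endpoint address and port are assumptions and constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build the output chain that the
# drop-policy ruleset needs so the outer tunnel to the entry server can come up.
# Assumptions: the WAN interface is eth0; the .conf below is a constructed sample.

# Extract "host:port" from the [Peer] Endpoint line of a WireGuard config file.
wg_endpoint() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Print an nftables output chain that admits loopback, the two tunnels, and the
# single UDP flow to the entry endpoint on the WAN interface; plaintext DNS on
# the WAN interface is dropped explicitly.  Args: wan_iface entry_host entry_port
gen_output_chain() {
    wan="$1"; host="$2"; port="$3"
    cat <<EOF
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # outer tunnel: handshake and data to the entry server only
        oifname "$wan" ip daddr $host udp dport $port accept
        # no plaintext DNS may leave via the WAN interface
        oifname "$wan" udp dport 53 drop
        oifname "wg0" accept
        oifname "wg1" accept
    }
EOF
}

# Constructed sample entry config; keys and addresses are placeholders, not real IVPN values.
TMPCONF=$(mktemp)
cat >"$TMPCONF" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 172.16.0.2/32

[Peer]
PublicKey = PLACEHOLDER_ENTRY_PUBLIC_KEY=
Endpoint = 198.51.100.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF

EP=$(wg_endpoint "$TMPCONF")
ENTRY_HOST=${EP%:*}
ENTRY_PORT=${EP##*:}
gen_output_chain eth0 "$ENTRY_HOST" "$ENTRY_PORT"
rm -f "$TMPCONF"
```

Splice the printed chain in place of the output chain in /etc/nftables.conf, substituting your own WAN interface name and the Endpoint from your real entry config.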
- Check Paths: traceroute or mtr should show the exit server IP only.
- Kill Switch: nftables' default policy “drop” acts as a kill switch when the VPN drops.
- Split Tunneling: Add specific ip rule entries for networks you don’t want through the VPN.
Common mistakes:

- Forgetting to disable NetworkManager’s DNS overrides.
- Not allowing related connections in nftables, which breaks handshakes.
- Mixing IPv4 and IPv6 without explicit rules.
Verify the setup:

- wg show shows both tunnels up.
- curl ifconfig.io returns the exit server IP.
- No traffic escapes if either interface goes down.
Using IVPN’s multihop with nftables gives you granular control over how your traffic flows. Instead of relying solely on the VPN client, you define the packet path, firewall policies, and DNS behavior yourself. This approach is more technical than running a simple client, but it yields a hardened setup with minimal leaks and a clear audit path.