by topdancing 1523 days ago
This isn't how it works. If you actually pull down one of their multihop configurations - you'll see:

- the WireGuard public key for server 2

- the IP address for server 1

- a unique port for server 2 on server 1

So all they're doing is a standard iptables redirect to the second host (which may or may not itself be under a WireGuard tunnel).


Your description is correct for the configuration files, yes! But it's not correct for the app. There are multiple ways of doing multihop with Mullvad. The config files use a simple redirect where each server has a unique port it's reachable over on all other servers. That's what the config files are doing.

But the app actually has a wg tunnel inside another wg tunnel. If you (on Linux) run `wg` (as root) in a terminal when it's connected with multihop you will see that it has two peers set up for the `wg-mullvad` interface, one peer is routed through the other.

So the only thing that SE4 can see is encrypted WireGuard traffic headed for NL1.
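The two multihop shapes described above (the config-file form from the first comment: server 2's public key, server 1's address, a per-server port on server 1 that is redirected to server 2; and the app form from the reply: two peers on `wg-mullvad`, one routed through the other) can be told apart from the output of `wg show wg-mullvad dump`. The following is an added example, not Mullvad's code and not from either commenter. It assumes the tab-separated `wg show <iface> dump` layout (interface line, then one line per peer), assumes that "one peer is routed through the other" appears in the dump as the inner peer's endpoint address being covered by a specific, non-/0 allowed-ips entry of the outer peer, and uses constructed placeholder keys, documentation-range addresses and a made-up port number.

```python
"""Added example (not Mullvad's code): tell the two multihop shapes in the
thread apart from the output of `wg show <iface> dump`.

Assumptions, none of which come from the thread:
  * `wg show <iface> dump` is tab-separated: an interface line
    (private-key, public-key, listen-port, fwmark) then one line per peer
    (public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
    transfer-rx, transfer-tx, persistent-keepalive).
  * "one peer is routed through the other" shows up as the inner peer's
    endpoint address being covered by a specific (non-/0) allowed-ips
    entry of the outer peer; /0 entries are ignored because where the
    outer peer's own endpoint is routed is decided by policy routing and
    fwmark outside the dump.
  * Keys, addresses and ports below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[Tuple[str, int]]   # None when wg prints "(none)"
    allowed_ips: list                     # ip_network objects


def parse_wg_dump(text: str) -> Tuple[str, List[Peer]]:
    """Parse `wg show <iface> dump`; returns (interface public key, peers)."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    iface_pub = lines[0].split("\t")[1]
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        endpoint = None
        if f[2] != "(none)":
            host, _, port = f[2].rpartition(":")       # keeps IPv6 literals intact
            endpoint = (host.strip("[]"), int(port))
        allowed = [ipaddress.ip_network(n) for n in f[3].split(",") if n != "(none)"]
        peers.append(Peer(f[0], endpoint, allowed))
    return iface_pub, peers


def nesting_pairs(peers: List[Peer]) -> List[Tuple[str, str]]:
    """(outer_pubkey, inner_pubkey) for each peer whose endpoint is routed
    back into the same interface by another peer's specific allowed-ips."""
    pairs = []
    for inner in peers:
        if inner.endpoint is None:
            continue
        addr = ipaddress.ip_address(inner.endpoint[0])
        for outer in peers:
            if outer is inner:
                continue
            if any(net.prefixlen > 0 and addr in net for net in outer.allowed_ips):
                pairs.append((outer.public_key, inner.public_key))
    return pairs


def multihop_shape(dump: str) -> str:
    """'nested'      : tunnel inside a tunnel (what the reply says the app does)
       'single-peer' : one peer only; the config-file style looks like this,
                       since the client talks to server 2's key through a
                       per-server port on server 1 and cannot tell from the
                       dump alone that server 1 is forwarding
       'flat'        : several peers, none routed through another"""
    _, peers = parse_wg_dump(dump)
    if nesting_pairs(peers):
        return "nested"
    return "single-peer" if len(peers) == 1 else "flat"


def redirect_peer_section(server1_ip: str, server2_port: int, server2_pubkey: str) -> str:
    """[Peer] section in the config-file style: server 2's public key, server 1's
    address, and the port on server 1 that is forwarded to server 2."""
    return (f"[Peer]\nPublicKey = {server2_pubkey}\n"
            f"Endpoint = {server1_ip}:{server2_port}\n"
            "AllowedIPs = 0.0.0.0/0, ::/0\n")


# Constructed `wg show wg-mullvad dump` output for the app-style setup:
# the NL1 peer's endpoint (198.51.100.20) is only reachable through SE4.
APP_DUMP = "\n".join([
    "\t".join(["CLIENT_PRIV_placeholder", "CLIENT_PUB_placeholder", "51820", "off"]),
    "\t".join(["SE4_PUB_placeholder", "(none)", "203.0.113.10:51820",
               "10.64.0.1/32,198.51.100.20/32", "1700000000", "0", "0", "off"]),
    "\t".join(["NL1_PUB_placeholder", "(none)", "198.51.100.20:51820",
               "0.0.0.0/0,::/0", "1700000000", "0", "0", "off"]),
])

# Constructed dump for the config-file style: one peer, server 2's key,
# server 1's address and a per-server port (4000 is made up).
CONFIG_FILE_DUMP = "\n".join([
    "\t".join(["CLIENT_PRIV_placeholder", "CLIENT_PUB_placeholder", "51820", "off"]),
    "\t".join(["NL1_PUB_placeholder", "(none)", "203.0.113.10:4000",
               "0.0.0.0/0,::/0", "1700000000", "0", "0", "off"]),
])

if __name__ == "__main__":
    print("app   :", multihop_shape(APP_DUMP), nesting_pairs(parse_wg_dump(APP_DUMP)[1]))
    print("config:", multihop_shape(CONFIG_FILE_DUMP))
    print(redirect_peer_section("203.0.113.10", 4000, "NL1_PUB_placeholder"))
```

On a real machine, feed it `sudo wg show wg-mullvad dump` instead of the constructed strings. The check is deliberately conservative: a /0 allowed-ips entry is never taken as evidence of nesting, because whether the entry peer's own endpoint leaves via the physical interface is decided by the host's policy routing and the interface fwmark, neither of which is in the dump.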

Well, I stand corrected, because I relied on their promo description. *shrug_emoji*

I replaced the diagram in the previous comment, take a look.

This can be very confusing indeed, since there are multiple ways of doing multihop. Please see my description in https://news.ycombinator.com/item?id=31012071.

The guide at https://mullvad.net/en/help/wireguard-and-mullvad-vpn/ only talks about how the config files do it. Which is completely different from how the app does it!