We present the first version of Virtual & Invisible Private Network (VIPN), a novel low-latency, secure, and anonymous communication technology designed to overcome the limitations of existing network anonymization architectures. Traditional decentralized systems require trusting intermediary proxies in charge of relaying users' trafic. This reliance introduces significant vulnerabilities, including potential trafic attribution, man-in-the-middle attacks and sensitive information exposure if a relay is compromised. Additionally, these architectures often lack compatibility with all IP protocols and QoS; thus they fail to support modern applications efectively. In this paper, we review the shortcomings of current approaches and propose a new architecture that mitigates these risks. We evaluate the guarantees of our solution against various adversarial models and provide first insights from a real-world deployment. Finally, we highlight the current architecture limitations and future ongoing challenges.
While it can be used for criminal purposes, anonymity is essential for multiple reasons such as privacy protection, freedom of speech, investigations (law enforcement and journalism), and ifght against crime or foreign influence. Indeed, detecting and combating criminal networks and their operations, organized as an industry often on social networks or hidden forums, require extensive anonymous data collection capabilities. This involves using scrapers and avatars for targeted infiltration of social media platforms or forums. However, present anonymization solutions rely today on trusted third parties (TTP), particularly the relay, requiring a tradeof between anonymization quality and operational security. Ad hoc anonymization chains ofer full control but lack mass efect and raise attribution risks. On the contrary, common anonymization solutions (mass-market VPNs, residential proxies, Tor, I2P, etc.) blend users into CEUR Workshop
Proceedings published 2025-12-22
a larger users’ pool but present risks [
David Chaum laid the foundations of anonymous communications field in 1981 in Untraceable
electronic mail, return addresses, and digital pseudonyms [
From this seminal paper, subsequent research on anonymity networks has advanced
significantly, enabling the identification of four classes of anonymity networks [
For downstream, nodes decrypt onion layers until the destination is reached;
• random walks and DHT [
Mixnets. Vuvuzela [
Atom [
Rifle [
cMix [
Loopix [
Tor and Onion Routing. Tor [
connections for routing within the user’s social network.
GNUnet [
Octopus [
DCnets. Dissent [
P5 is an anonymous communication system that uses a tree-like structure to broadcast messages. Users are organized into subgroups linked to hierarchical nodes, which allows for eficient message dissemination. However, the hierarchical mode implies that topper position gets better performance in exchange of being more identifiable. Thus, P5 highlights the trade-of between communication eficiency and anonymity level.
CAR enhances privacy in wireless ad hoc networks, which are vulnerable to passive attacks and eavesdropping. Along a path, nodes are linked in a virtual chain where each node only knowing its immediate neighbors. In addition, CAR uses unicast-based broadcasting for route discovery, and data is exclusively transmitted along the established routes. This approach conceals node identities and protects against tracking and linking, providing robust privacy against various passive and some active threats.
Among the solutions presented in Section 2, our focus is put on the systems with an active
community of users while serving popular anonymization purpose such as VPNs (equivalent
to a deterministic single-hop mixnet), Tor network, I2P and Nym. All require making
tradeofs between quality of service and security which imply limitations. Here are few of these
limitations: consumer VPNs are TTPs, so compromising the VPN service operator gives full
content access; moreover VPN connectivity provider can easily perform network analysis
for deanonymization purposes. Tor, assimilated to a VPN cascade, remains exposed to trafic
analysis attacks [
With these limitations in mind, our goal is to design a technology that presents novel anonymity properties without impairing as much on users quality of experience. In this paper we address the specific issue of TTP in core anonymization networks’ architecture building block as it is an aspect that has so far been insuficiently covered by present solutions. We therefore designed a novel architecture that does not rely on any trusted third party at this level. Our design is based on a self reinforcement of security and anonymity properties to eliminate TTP at message routing level, thereby enhancing resilience against powerful adversaries. Because it ofers properties beyond sole anonymity and presents a spectrum of applications similar to VPN, we call this technology Virtual and Invisible Private Network (VIPN). This system will have to be improved to address trust in the management component of the system.
We consider the following threat actors, ordered from least to most powerful, who may attempt to deanonymize users, intercept or modify content, or alter VIPN behavior: i. Individual hacker: it may try diferent scripts to alter the normal VIPN behavior; ii. ISP: user’s ISP may identify trafic going through VIPN; iii. Core network operator: it can have access to several 1Invisible Internet Project (I2P), I2P’s Threat Model, 2010. Available at https://geti2p.net/id/docs/how/threatmodel#sybil, accessed on 22 May 2024. 2D. Hrycyszyn, Document the packet format, 2020. Available at: https://github.com/nymtech/sphinx/issues/35, accessed on 27 August 2024.
ISPs trafic; iv. Cloud provider: it can have access to several servers; v. Data center operator: it can have access to servers from several operators; vi. State: it can request access to several data center, as well as ISPs; vii. Global cooperation: it potentially has access to data from several colluded states.
We propose to study rigorously the network anonymity and security properties as detailed in
subsection 3.2, we pool threat actors into adversaries classes commonly used in the literature. As
for any anonymity network, we study the polynomially bounded global passive adversary (GPA).
This adversary is able to observe the entire network, the trafic between nodes and users. They
know the network topology and can carry out trafic analysis or passive network attacks such
as BGP-rerouting [
The primary adversary goal is to break honest anonymous users anonymity and security, i.e. to determine users’ identities, their contacts, and the messages they exchange. The second adversary goal is to perform a MITM attack inside the network overlay, no matter if anonymity is broken or not. Then, its third goal is to degrade network quality of service, by performing DoS, crashing nodes, trying to make the protocol deviate so that it stops working, etc.
As mentioned above, we describe and consider properties related to the core VIPN principles (i.e. network overlay architecture and protocol). We are not addressing other system component aspects such as interactions with the nodes’ directory and access control to this directory. In particular the two latter being TTP, they raise specific challenges that will be addressed in future papers. As a result, we focus only on the network overlay architecture including the route creation, between a VIPN user and one Online Service they want to access anonymously. Finally, similar to Tor’s onion services, VIPN can support a "tunnel" mode for direct communication between two users. This mode builds upon the “privacy mode” described in this paper and will be detailed in future works.
VIPN intends to guarantee the following anonymity properties, based on those defined in the
Pfitzmann and Köhntopp paper [
VIPN also should ofer several service goals: • Low latency and high-capacity: the network overlay should be suitable for low-latency and data intensive applications such as VoIP, instant messaging, file transfer, etc. • Scalability: as other anonymity networks, it should scale to serve large number of users by eficiently deploying new proxies if necessary. • Compatibility: as other anonymity networks, it should be IP compatible but contrary to most anonymity networks, it should be compatible with all transport protocols.
VIPN is made to be deployed over an IP network, to anonymize IP trafic using common transport protocols (TCP, UDP, ICMP) and its architecture relies on several complementary principles: i. A distributed network overlay composed of several proxies (also called nodes) operated by various entities (active users or partners similar to miners). Nodes relay protocol messages in a specific way, depending on their role in the transmission; ii. Multiple and user-defined complementary paths: Nodes are used at least on two complementary paths defined by the users’ device through its application (connector). iii. Packet anonymization and fragmentation: because VIPN relies on circuit routing, source public IP addresses are unnecessary and are therefore discarded to protect users anonymity. Anonymized IP packets are therefore fragmented into complementary "snowflakes" through a secret-sharing mechanism (currently the XOR logic operator with a randomly generated one-time pad); iv. Paths anonymous auto-discovery: paths are anonymously connected inside the network thanks to specific autodiscovery messages based on the aforementioned snowflake-based secret-sharing mechanism; v. A distributed exit node to asymmetrize the trafic, external communication is done through collaborative spoofing between two nodes chosen by the user, which helps prevent MITM attacks.
VIPN is made up of various elements necessary for its operation: • Nodes (proxies): servers forwarding the trafic. Those nodes can be categorized in diferent categories for a specific user route: – Holonode: node seen by the contacted online service. – S-Node: standard relay in the network. From the S-Node pool, a user selects a subset of nodes to perform specific functions for their session: ∗ Pu nodes: nodes close to the user, they act as entry point and therefore know the user’s IP address; ∗ Ps master node: node responsible for managing upstream trafic and relaying snowflakes for downstream trafic as well as to discover its slave; ∗ Ps slave node: relay to Ps master node snowflakes for upstream trafic and receives snowflakes from holonode for downstream trafic. • Nodes’ directory (currently an accepted trusted third party): directory containing the diferent nodes information and status. It is available only to users in users’ directories. • VIPN agent: software installed on a user’s device to anonymize it through the overlay. • VIPN Users directory (currently an accepted trusted third party): central databases containing user’s information and authorization for access control management. These directories users have access to nodes’ directory. VIPN includes this access control to comply with regulatory laws, but it is not required for achieving the system’s properties. To anonymize a device, VIPN agent needs to establish a route. This route consists of at least 5 nodes: 4 S-Nodes (including 2 Pu nodes, 1 Ps master, and 1 Ps slave) and 1 Holonode. Each route has two separate paths, each made up of several serialized circuits between the nodes.
There are several steps involved in creating this route, all based on the user choices (cf. figure 1): • Step 1: User selects at least 5 distinct nodes: 1 Holonode (H) and at least 4 S-nodes. • Step 2: User builds two circuits, one between himself and S-node 1 (S1) and one between himself and S-node 2 (S2). • Step 3: To complete the two disjoint paths (i.e.: paths where nodes cannot be part of the two paths), the user requests through his channels established on step 2 that two other circuits get created, one between S1 and S3, one between S2 and S4. • Step 4: S3 (master node, role defined by the user) searches for its slave (S 4), this is the auto-discovery step. Indeed, to prevent an observer on user-S3 path to be in a position to discover the second path, the user will not communicate itself S4 IP address to S3. It uses a key anonymity preserving autodiscovery scheme. This scheme includes following steps: i. User generates a token ( ) and builds an autodiscovery secret ( ) as follow: = | ℎℎ( | 3 | 4 ) | ; ii. User generate a one-time pad (_) and computes _ as follow: _ = _ ⊕ ; iii. User passes _ and _ respectively up to S3 and S4 through their respective paths; iv. S3 broadcasts _ to the whole network overlay. v. Because S4 holds _ it can recover the and knowing S3 is the sender confirms with guarantees that it needs to collaborate. In addition it discovers H. vi. S4 can now send _ to S3. S3 can then perform the similar operation and verify S4 legitimacy as well as discovering H. The bruteforce is prevented thanks to and the exchange through TLS of the diferent autodiscovery messages. • Step 5: S3, S4 and H can create circuits between each other to complete the route.
After the user creates their VIPN route (as explained earlier), they can use it to connect to online services. Here, we explain how they communicate with a service (cf. figure 2). • Steps 1 & 2. OTP encryption is used. User removes the source IP address from the metadata of the plain request, then produces a ciphertext by randomly generating a mask (same size of the request) which they XOR with their plaintext request (⊕ = ℎ). The mask is sent on one path of the route (S1-S3), the ciphertext on the other (S2-S4-S3). Mask and ciphertext are called snowflakes . • Step 3 & 4. Once both snowflakes are received by S 3, they are recombined ( ⊕ ℎ = ). S3 then fakes H’s IP address as the source in the IP packet header when sending the request to the service, alerts H that it will receive IP packets from Service, and then sends the IP packet over Internet. When it receives the request, Service does not know about S3 and sends its response to H. With this collaborative spoofing, VIPN distributes the exit node, so upstream and downstream trafic do not pass through a single node, preventing MITM attacks in the network overlay. • Steps 5 & 6. Because H has been warned by S3, it intercepts IP packets from Service and knows the associated session so it can put them in the proper circuits. Therefore, when the service replies, H intercepts the response and removes its IP address from the destination ifeld in the IP packet, fragments the same way as User into two new complementary snowflakes, and sends them on the two paths. Once User has received them, User XORs them back, adds its own IP address in the destination field and reinjects the trafic in its local network stack. This process allows multiple users to contact the same service, as the session identification relies on the source port used by the user. In case of a port collision, collaborative PAT (synchronized between S3 and H) handles the transformation. Finally to enhance security and make it harder to track trafic, all circuits between nodes are bidirectional and multiplexed through the same TLS-protected socket. However, we consider that the system must keep its properties if TLS gets broken.
With this architecture, no node has access to both the full content, User identity, and Service identity at the same time.
Specifically: i. S 1 and S2 knows User, but not Service; ii. S3 knows Service but not User; iii. S4 knows neither User nor Service; iv. H knows only Service. Additionally, no node can know the entire route, regardless of its computing power. User remains the only one who controls and knows the full route. As for the trafic content, no single node can access all of it since it is mostly protected by fragmentation or asymmetrization:: i. S1 and S2 only see snowflakes; ii. S 3 only sees upload trafic; iii. S 4 route only snowflakes; iv. H only has access to download trafic.
Polynomially bounded global passive adversary (GPA). In the bounded GPA case, VIPN provides sender anonymity. The attacker might know a user is connected to a node since it knows all the nodes, but it cannot track how the user is anonymized because it cannot follow the trafic. Indeed, it cannot break the TLS encryption between nodes or access the routing table to trace the trafic. To reduce sender-recipient unlinkability, the attacker could theoretically monitor inbound and outbound trafic. However, the trafic is asymmetrized, so the attacker cannot distinguish users. Regarding secrecy, the TLS encryption is unbreakable by this attacker, so the messages remain safe within the overlay. As for resistance to transparent MITM attacks, the user is passive and cannot modify the packets. Finally, the protocol does not ofer sender unobservability by default. However, if the user chooses to send dummy packets, the attacker cannot tell them apart from real packets, as the connection between users and nodes is TLS-protected.
Local polynomially bounded and unbounded attacker. As a reminder, VIPN ofers unique features compared to other anonymization networks. Besides ensuring that no node knows both the User and the Service of a specific session at the same time, it also prevents a local attacker from knowing if a specific user is contacting a specific service. This guarantees sender-recipient unlinkability. VIPN secures both the content and the operation: i. regardless of computing power, nodes S1, S2, S4, and any observer on these circuits cannot access the content; ii. even if S3 and H see User trafic, they can only access upstream or downstream flows, preventing a MITM attack. Thus, against a local corrupt node, VIPN is transparent MITM resistant for each node’s role. Secrecy is maintained in all cases, as no node has access to both upstream and downstream flows. Even with unbounded nodes, snowflakes preserve secrecy due to the one-time pad encryption. Regarding sender unobservability, it is ensured in all cases because nodes only see snowflakes when they know the user, and due to the OTP encryption, they cannot decrypt the packets. Finally, sender anonymity is preserved in all cases, as no node can know how the user is anonymized. Pus know the users but not H, while Pss and H know the H but not the associated users.
Polynomially bounded global active adversary (GAA). If the attacker has deployed probes on all network elements but cannot decrypt TLS, they will not be able to recombine the snowflakes, keeping the secrecy intact. Additionally, the attacker cannot actively modify the trafic, even if they intercept and hold back all the data, maintaining VIPN’s transparent MITM resistance. However, the attacker can still analyze trafic by adding delays to the snowflakes, which could break both sender anonymity and sender-receiver unlinkability. Adding delays is more complex than in traditional anonymity networks because the complexity increases with the trafic of other snowflakes. Active attacks on one path will not afect the exit trafic on another path, as the paths have diferent lengths. Also, the attacker
cannot watermark the snowflakes since they cannot access the content to generate a fake snowflake (snowflakes are protected by TLS 1.3). As a result, we consider our proposal partially resistant to this type of attack on sender anonymity and sender-receiver unlinkability. Finally, regarding sender unobservability, we are in the GPA case where the protocol does not ofer it by default. However, if the user decides to send dummy packets, the adversary cannot tell them apart from real ones, since the connection between users and nodes is protected by TLS. Polynomially unbounded global active adversary. If the attacker has deployed probes on all network elements and can decrypt TLS, they can access the snowflakes and, being unbounded, gain access to the full message. From this message, they can also determine the number of circuits, allowing them to break all anonymity properties, including sender anonymity, senderrecipient unlinkability, and sender unobservability. Regarding secrecy, the attacker can access and decrypt the message if it is encrypted. To manipulate the trafic and break transparent MITM resistance, the attacker could theoretically synchronize their clock to make the modified trafic intelligible. 5.1.3. Summary In Table 1, we summarized the guarantees ofered by VIPN against the studied threat actors. VIPN proves to be robust and efectively maintains the desired properties against both passive and local adversaries. However, it is not fully resistant to global active adversaries, although the bounded one is blocked in many cases due to the architecture. This remains acceptable as these adversaries would need to: i. deploy probes across the overlay, requiring collaboration or infiltration in foreign countries; ii. store all overlay trafic, which requires significant storage capacity; iii. decrypt the trafic, even in real time, if the attack is time-sensitive; iv. recombine the right snowflakes, which requires substantial computing power (the recombination is a combinatorial problem that follows a power law based on the number of snowflakes in the overlay), and there is no guarantee that the elements will be coherent due to OTP encryption. Finally, the theoretical approach does not account for the time needed to break these guarantees.
X means that the property is verified.
X* means that the property is not ofered by default but is verified if the user sends useless packets.
~ means that the property is partially verified: it is verified on the basis of an uncalculated minimum quantity of network trafic processed by the adversary.
Since global active adversaries are not fully realistic at present, especially with polynomially unbounded corruption power, this initial evaluation will be followed by a future paper. The upcoming paper will explore an additional adversary capable of corrupting only a partial number of nodes. This will help demonstrate that if the user trusts a certain percentage of nodes in their route, the guarantees remain intact, rather than succumbing to the efects of a GAA. The future work will also investigate the time needed for a bounded GAA to execute an attack.
VIPN is live on public Internet since early 2022. This public deployment includes global validation of the possibility to deploy collaborative spoofing over several cloud operators (i.e.: spoof and receive answers); this was quite challenging because by default operators blocks the spoofing in order to prevent malicious usage of their IPs. For VIPN the spoofed IPs are part of the overlay.
As of late August 2025, VIPN is deployed over 45 nodes in Europe across 11 countries and more are added each month depending on users’ demand and code maturity (for comparison Tor, created 20 years ago, has currently around 8000 relays and bridges but started with 32 relays). Each node is currently connected with at least 300Mbps/300Mbps links, and one half of the nodes on 10 Gbps/10 Gbps. The number of users or sessions on nodes varies and is dificult to monitor as we do not want to create hints for any observer but VIPN currently has over 1500 subscribers, i.e. professional or individual user with an active account.
Users reported to use VIPN for various purposes such as web browsing, obtaining dynamic ifxed IP list, access to TOR, connecting to their WebRTC applications, access censured content from foreign countries, etc. The average speed reported with fiber is around 100 Mbps, with peaks at 250 Mbps. For example to reach a Netherlands IP over Ethernet (via France and the UK), latency is about 40 ms. In lab tests, launching VIPN locally without any physical routing latency, resulted in a 2 ms increase compared to the direct route. In comparison, a dedicated OpenVPN session showed an added 31 ms of latency. This latency contributes to the bandwidth limitations, which are also afected by the current code version, node capacities, and the use of TCP over TLS 1.3, which is limited to 10-20 Gbps on standard computers. Since November 2023 and a 1000% increase in users, we have faced no abuse issues and users have reported only few captchas and blocked websites, alongside those with predefined geographic limitations.
Several additional risks have been identified that could weaken the system’s anonymity. • Trafic analysis : the system theoretically remains vulnerable to trafic analysis, even in the presence of collaborative spoofing, particularly if adversaries control a significant portion of the nodes or communication flows. To mitigate this threat, we consider integrating: mechanisms inspired by Loopix, such as cover trafic; integrate variable padding in snowflakes; leveraging the possibility to split parallely trafic across multiples routes; as well as developing agent with node capabilities to hide if trafic is related to this user or only relaying others’ trafic. • Denial-of-service: the risk of denial-of-service attacks, especially through the exposure of
IP addresses associated with active nodes is existing due to the centralize nodes database.
To address this, we intend to leverage architectures based on random walks and distributed hash tables (DHTs), explore entry proxy-based solutions such as Tor Snowflake and bridge, and introduce nodes with restricted dissemination capabilities. • Fingerprints: even if the trafic is caught before going to the overlay (intermediary nodes are seeing snowflakes), some networking indicators such as the TTL or TCP options may ifngerprint the trafic to an observer as they are afected by the spoofing mechanism. Even if this is probably limited, a dedicated study on this subject will help to give insights on how the trafic must be modified (either at user or at Ps_master to be coherent before going through the overlay or before leaving it (e.g.: based on information related to the distance between Ps_master and H to the Service).
Firstly, VIPN proves robustness against passive and local threats but only partially resists GAA, whose attacks are limited by practical constraints. Future work will focus on adversaries corrupting only some nodes, showing that guarantees hold if enough nodes remain trusted, and will evaluate attack feasibility over time. While VIPN improves resistance to trafic alteration, it still relies on TTP at systemic level, which is a study accepted limitation: i. as the directories managing node or user access remain centralized, they could be manipulated to mislead users or launch attacks. A solution is to implement an anonymity-preserving access control system but also the decentralization; ii. if node operators are not running the oficial VIPN protocol and code, vulnerabilities could be introduced to undermine invisibility. Additionally, providing users with a clear overview of the overlay status to help them make informed decisions when defining their route without compromising their anonymity or the anonymity of other users is a complex challenge. This requires developing metrics based on parameters like network heterogeneity and route duration, which must be disclosed while maintaining privacy. Furthermore, the current work does not ofer a formal analysis of the protocol; the properties are only proven through analysis of the architecture models. Therefore, if the implementation or protocol messages are lfawed, attacks remain possible. Finally, building an anonymity network involves more than only protocol and architecture. Today, there are various ways to detect and block trafic from proxies, based on factors like communication reactiveness, IP reputation, IP provider, etc. As a result, large-scale deployment of VIPN needs also to address these IP marking challenges.
This work was supported by the France 2030 cybersecurity acceleration strategy.
During the preparation of this work, the authors used Le Chat and ChatGPT-4 in order to: Grammar and spelling check, Text Translation, Improve writing style, Paraphrase and reword. After using these tools, the authors reviewed and edited the content as needed and take full responsibility for the publication’s content.