Douglas Crawford

Douglas Crawford

February 6, 2018

Some VPN providers offer a VPN + Tor feature. In this article, I discuss how such features work and what the implications of using them are.

Take a look below at the top 5 Tor VPNs that have been picked out by our experts. Scroll below the providers to find out more about using a VPN with Tor.


9.8/10.0

AirVPN Homepage
PROS:
  • No logs at all
  • VPN through Tor
  • Transparent service
  • Accepts Bitcoin
  • P2P: yes
CONS:
  • Techiness does put people off
  • Customer support could be better
  • Limited number of servers worldwide

This Italian provider offers among the best security and anti-censorship technology available on the web, allowing both SSH and SSL tunneling to evade government blocks. Add in no logs, some of the strongest encryption around, and a Windows, Mac OSX and Linux client with built-in DNS leak protection and kill switch, and AirVPN should be on the top of every privacy fanatic’s wish list.

In keeping with its usual technical excellence, AirVPN is one of the only two VPN providers I know of to offer VPN through Tor (plus it provides instructions for connecting Tor through VPN using the Tor Browser). The main problem with AirVPN is that its service is definitely aimed at techies, which despite initial interest does appear to put many of our readers off.

Additional features: Real-time user and server statistics, VPN through SSL and SSH tunnels, very reliable, open source client with internet kill switch and DNS leak protection, 3-day free trial, dynamic port forwarding, 3 simultaneous connections Best for VPN through Tor!

Try the Best VPN Service Today!

Visit AirVPN »30 day moneyback guarantee

9.2/10.0

PrivateVPN Homepage
PROS:
  • VPN through Tor
  • 30-day money-back guarantee
  • Full DNS leak protection
  • 6 simultaneous connections
  • Excellent mobile apps
CONS:
  • No much

PrivateVPN is a zero-logs Swedish provider with 80+ servers in 52 countries around the world. It features both a firewall-based system kill switch and a per-app kill switch, which pretty neat. Full IPv4 and IPv6 DNS leak protection is also built-in to its client.

Like AirVPN, PrivateVPN offers VPN over Tor, allowing for true anonymity while online. Unlike AirVPN, though, this functionality is not built into the client and requires some manual configuration.

We have been particularly impressed by PrivateVPN’s high level of customer service, which even features remote installation for technophobes! Up to a generous 6 simultaneous devices are permitted, and port forwarding plus HTTPS and SOCKS5 proxies are a nice bonus.

With a 30-day no-quibble money back guarantee, why not give PrivateVPN a try?

Additional features: servers in 52 countries, works with US Netflix and iPlayer, kill switch and auto-connect, website available in English, German, Dutch, and Swedish.

8.8/10.0

Privatoria Homepage
PROS:
  • No logs
  • Tor through VPN
  • Accepts Bitcoin
  • Android app
  • Cheap
CONS:
  • Slow
  • No custom desktop client

This Czech-based provider is notable for being very wallet-friendly, but is otherwise fairly barebones (for example it has no custom desktop VPN client, although it does have a promising Android app with secure email and chat built-in). Privatoria’s speed performance is a little underwhelming, but it makes up for this somewhat by keeping no logs and accepting Bitcoin payments (and did I mention that it’s cheap!) Like NordVPN, Privatoria lets you route your entire internet connection Tor through VPN via an .ovpn configuration file.

Additional features: 3 simultaneous connections, P2P: yes (on most servers).

7.2/10.0

TorVPN Homepage
PROS:
  • Tor through VPN
  • Tor "hybrid mode" (insecure)
  • Cheap
  • Strong encryption
  • Dynamic port forwarding
CONS:
  • Based in UK (legally)
  • Extensive connection logs
  • P2P: no

Although it operates out of Hungary, TorVPN is based in the UK, and is therefore required to keep quite extensive connection logs.  It does, however, use excellent encryption and is very cheap. Interestingly, in addition to offering “regular” Tor through VPN (similar to NordVPN and Privatoria), TorVPN offers a hybrid node that allows you to access .onion websites using its own Tor DNS server. Even TorVPN, however, freely admits this is very insecure!

6.6/10.0

PrivateInternetAccess Homepage
PROS:
  • No logs – proven in court!
  • Cheap
  • Accepts Bitcoin
  • Great OpenVPN encryption
  • Client features kill switch and DNS leak protection
CONS:
  • No free trial or money back guarantee
  • US-based company
  • Apple users not so impressed

PIA is based in the US, so is not a provider for the more NSA-phobic out there. However, it keeps no logs, which is a claim that it has proven in court ! It is not common to have such definite proof that the VPN does what it says it does when it comes to logs, so well done PIA!

And although optional, its security can be first rate. Its desktop software supports multiple security options, aVPN kill switch, DNS leak protection, and port forwarding.

Up to 5 simultaneous connections are permitted. Its Android client is almost as good, and PIA boasts excellent connection speeds. We should, however, note that Apple users seem to have a less positive view of this service.

PIA has servers located in the UK and 29 other countries. PIA does not specifically support Tor, but it is an excellent service, and using Tor Browser with the VPN connected is more secure than most of the dedicated Tor solutions offered by other VPNs, anyway.

How We Picked the Top Tor VPN for 2018

Here at BestVPN.com, we’re fortunate to have some of the VPN industry’s foremost experts as staff members. Based on our detailed VPN reviews and data collected as part of our BestVPN.com Awards process, we’ve carefully considered a range of factors that go into making a great VPN service for Tor.

The VPNs on this list all offer some form of special Tor + VPN functionality. In all but one case, this means Tor through VPN (much more on this in a bit). In ordering this list we have therefore taken into account other factors, such as speed performance, encryption strength, privacy policy, legal jurisdiction (not the UK!), price, free trial or money-back guarantee, and suchlike.

We recognize that due to the versatility of VPN technology, VPN benefits for one user may miss the mark for another. As such, these top five VPN for Tor picks are a consensus choice made after much careful deliberation by the BestVPN.com staff.

It is worth stressing, however, that Tor over VPN is of debatable benefit. If you do choose to go down this route, please be aware it is more secure to connect to any good VPN and then access the web using the Tor browser than using the kind of setup offered by these VPNs.

For more information about how we review VPNs visit our BestVPNs.com’s review process overview. 

What is Tor?

The name Tor originated as an acronym for The Onion Router, and refers to the way in which data encryption is layered. When using Tor:

  • Your internet connection is routed through at least 3 random “nodes” (volunteer run servers)
  • These nodes can be located anywhere in the world
  • The data is re-encrypted multiple times (each time it passes through a node)
  • Each node is only aware of the IP addresses “in front” of it, and the IP address of the node “behind” it
  • This should mean that at no point can anyone know the whole path between your computer and the website you are trying to connect to (even if some nodes along the path nodes are controlled by malicious entities)

The real beauty of the Tor system is that you do not have to trust anyone. It is designed so that no-one can discover your true identity, and (if you connect to a secure website) no-one can access your data. For a detailed look at Tor, please check out our full Tor Review.

What is a VPN For Tor?

A VPN is a way to connect your computer or mobile devices securely to a “VPN server” run by a commercial VPN provider. Your computer then connects to the internet via this VPN server.

  • The VPN encrypts all data passing between your device and the VPN server. This is sometimes referred to as an “encrypted tunnel.” The VPN hides your data from your Internet Service Provider (ISP), so that it can’t spy on what you do online.
  • VPN providers usually operate server locations around the world. This is great for avoiding censorship, as you can simply connect to a server located in a country where there is no censorship.
  • When you connect to the internet via a VPN server, anyone on the internet will see the Internet Protocol (IP) address of the VPN server, not your real IP.

What are main differences between Tor and VPNs?

Tor provides a very high degree of true anonymity, but at the cost of day-to-day internet usability. Using a VPN can provide a high degree of privacy, but should never be regarded as anonymous because your VPN provider will always know your true IP address.

A VPN does, however, provide a much better day-to-day internet experience than Tor, and because of this, is a much more flexible general-purpose privacy tool.

Tor, on the other hand, is a vital tool for that tiny subset of internet users who really require the maximum possible anonymity. Thanks to being free, Tor can also make quite a handy anti-censorship tool. The only problem being that many repressive governments go to great lengths to counter this by blocking access to the network (to varying degrees of success).

  • VPNs are faster than Tor, and are suitable for P2P downloading. The major downside (and reason VPNs are said to provide privacy rather than anonymity) is that it requires you trust your VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. a VPN also allows you to easily spoof your geographic location.
  • Tor is much slower, is often blocked by websites, and is not suitable for P2P. But it does not require that you trust anybody, and is therefore much more truly anonymous than a VPN. Malicious exit nodes present a real threat when using Tor.

Using Tor and a VPN Together

VPNs and can be used together. In theory, this can provide an extra layer of security and privacy, but this is a hotly debated point – especially when it comes to Tor though VPN setups.

The Tor network is designed from the ground-up to provide security and anonymity. there is a very strong argument that adding a VPN to the equation actually weakens the setup.

That said, there are also good arguments that using Tor and a VPN together is beneficial, and that it mitigates some of the drawbacks of using either technology exclusively.

One thing that is certain is that using Tor and a VPN together is slow. You will suffer the combined speed hit of using both Tor and a VPN.

There are two basic ways that Tor and a VPN can be combined. You can connect to your VPN then route the connection through the Tor network (Tor through VPN), or you can connect to the Tor network before routing your connection through your VPN…

Tor Through VPN

This is the most common Tor + VPN setup. In this configuration you connect first to your VPN server, and then to the Tor network before accessing the internet:

Your computer -> VPN -> Tor -> internet

Although most of the providers listed above offer to make such a setup easy, this is also what happens when you use the Tor Browser or Whonix (for maximum security) while connected to a VPN server. It means that your apparent IP on the internet is that of the Tor exit node.

Pros:

  • Your ISP will not know that you are using Tor (although it can know that you are using a VPN).
  • The Tor entry node will not see your true IP address, but the IP address of the VPN server. If you use a good no-logs provider this can provide a meaningful additional layer of security.
  • Allows access to Tor hidden services (.onion websites).
  • Your VPN provider cannot see what you get up to on the internet if you use the Tor Browser.

Cons:

  • Your VPN provider knows your real IP address
  • No protection from malicious Tor exit nodes. Non-HTTPS traffic entering and leaving Tor exit nodes is unencrypted and could be monitored
  • Tor exit nodes are often blocked

Important note: With the exception of AirVPN and PrivateVPN, the VPNs listed above offer VPN through Tor via an OpenVPN configuration file which transparently routes your data from their VPN servers to the Tor network.

  • This means that your entire internet connection benefits from Tor through VPN (not just the Tor Browser).

Please be aware, however, that this is nowhere near as secure as connecting to a VPN and using the Tor browser.

  • The Tor Browser will Tor-encrypt your data on your desktop, which prevents your VPN provider from seeing it. The Tor via an OpenVPN configuration file method means trusting a third party (your VPN provider) to Tor-encrypt your data for you. This also means that (as with any normal VPN) your VPN provider can see your data.
  • The Tor Browser has been “hardened” for improved privacy security. It is also the best defense against browser fingerprinting For more details on this please see my Tor Review.

So if you want to use Tor through VPN, for maximum security use the Tor Browser, not the transparent routing method.

VPN Through Tor

This involves connecting first to Tor, and then through a VPN server to the internet:

Your computer -> encrypt with VPN -> Tor -> VPN -> internet

This setup usually requires you to configure your VPN client to work with Tor. The only VPN providers I know of to support this is AirVPN and PrivateVPN. It is also possible using a Tor router (see below). Your apparent IP on the internet is that of the VPN server.

Pros:

  • Because you connect to the VPN server through Tor, the VPN provider cannot see your real IP address – only that of the Tor exit node. When combined with an anonymous payment method (such as properly mixed Bitcoin) made anonymously over Tor, this means the VPN provider has no way of identifying you.
  • Protection from malicious Tor exit nodes, as data is encrypted by the VPN client before entering (and exiting) the Tor network (although the data is encrypted, your ISP will be able to see that it is heading towards a Tor node).
  • Bypasses any blocks on Tor exit nodes.
  • Allows you to choose server location (great for spoofing where you are).
  • All internet traffic is routed through Tor (even by programs that do not usually support it)
  • You can open ports through the VPN (is the VPN provider supports this feature).

Cons:

  • Your VPN provider can see your internet traffic (but has no way to connect it to you)
  • If an adversary can compromise your VPN provider, then it controls one end of the Tor chain. Over time, this may allow it to pull off an end-to-end timing or other de-anonymization attacks. Any such attack would be very hard to perform, and if the provider keeps logs it cannot be performed retrospectively. But this is a point the Edward Snowden’s of the world should consider.

This configuration allows you to maintain complete (and true) anonymity. But so does using Tor on its own.

Remember that to maintain anonymity it is vital to always connect to the VPN through Tor (if using AirVPN this is performed automatically once the client has been correctly configured).  The same holds true when making payments or logging into a web-based user account.

Using a VPN or Tor Router

If you connect to a VPN router and then use the Tor Browser, you have a straight-forward Tor through VPN setup.

There also exist some special Tor routers (for example the Anonabox). If you connect to one of these and also use a VPN on your device, then you have a VPN through Tor setup. Your data is routed through the Tor network before you connect to the VPN server. This means your real IP address is hidden from the VPN provider.

Using Tor Inside Tor

In theory, it is possible to run a Tor connection inside another Tor connection. For example by using AirVPN’s VPN through Tor feature together with the Tor Browser, using a service that routes your VPN connection to the Tor network together with the Tor Browser, or connecting to a Tor router and using the Tor browser.

This not a good idea. At best it will provide no additional benefit, as all traffic is going through the Tor network anyway.

At worst, “an infinite connection loop occurs because communication between Tor and the guard node (the first node of each circuit) will fall back to the VPN (causing errors like Inactivity timeout, recv_socks_reply: TCP port read timeout expired: Operation now in progress, Assertion failed at misc.c:785).”

Malicious Exit Nodes

When using Tor, the last exit node in the chain between your computer and open internet is called an exit node. Traffic to or from the open internet (Bob in the diagram below) exits and enters this node unencrypted. Unless some additional form of encryption is used (such as HTTPS), this means that anyone running the exit node can spy on users’ internet traffic.

This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.

Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites.

HTTPS connections are encrypted, so if you connect to an HTPPS secured website (https://) your data will be secure, even it passes through a malicious exit node.

A closed padlock icon in your browser’s URL bar indicates that a website is secured by HTTPS

End-to-end Timing (e2e) Attacks

This is a technique used to de-anonymize VPN and Tor users by correlating the time they were connected to the timing of otherwise anonymous behavior on the internet.

An incident where a Harvard bomb-threat idiot got caught while using Tor is a great example of this form of de-anonymization attack in action. It is worth noting, though, that the culprit was only caught because he connected to Tor through the Harvard campus WiFi network.

On a global scale, pulling off a successful e2e attack against a Tor user would be a monumental undertaking. But possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world public Tor exit nodes.

If such an attack (or other de-anonymization tactic) is made against you while using Tor, then using VPN as well will provide an additional layer of security.

Is Tor + VPN worth doing?

As already mentioned, this is a hotly debated subject. Using a good no-logs VPN with Tor (in both Tor through VPN and VPN through Tor setups) provides an additional obstacle that an adversary must overcome. As discussed above, each setup also provides other perks.

On the other hand, it introduces a potentially unreliable third party into a setup that is the most secure and anonymous way to access the internet yet devised.

My personal feeling is that VPN through Tor of the kind offered by AirVPN is a much more interesting proposition than Tor through VPN.  It allows for complete anonymity while using a VPN, and will protect you from malicious Tor exit nodes.

Tor through VPN means that your VPN provider knows who you are, although as with VPN through Tor, using a trustworthy provider who keeps no logs will provide a great deal of retrospective protection.

Is it worth the hassle over just using Tor on its own? That is for you to decide. One thing that using Tor + VPN is not useful for, though, is providing of the extra layer of encryption. Both Tor and good OpenVPN encryption are very strong on their own, so “doubling up” provides no meaningful additional benefit.

How to Choose a VPN for Tor

If you want service that supports VPN through Tor then you have no choice but AirVPN or PrivateVPN. Luckily, they are both  great providers if you are more technically inclined. The other services on the list above are featured in this article because they support Tor through VPN using transparent routing.

Many may like this feature as it can be convenient and allows you to access .onion sites using your regular browser. Do remember, however, that this is not very secure. It is much more secure and private to use any secure and no-logs VPN with the Tor Browser. Just run the Tor Browser after a VPN connection has been established.

If you want the best free VPN for Windows, Mac or Linux etc. take a look at our best free vpn services guide.

Conclusion

Whichever configuration you choose, combining VPN and Tor can provide some meaningful privacy and security benefits.

I do, however, encourage any user who requires a very high level of security to carefully weigh up the pros and cons of each setup in relation to their particular needs. You should also carefully consider whether using Tor and a VPN together offers any real advantage over just using Tor on its own.

If you’re looking for a cheap VPN service that is also secure there are plenty of VPNs out there, take a look at our cheap VPN page.