Using VPN and Tor together

Although in many ways very different, both VPN and the Tor anonymity network use encrypted proxy connections in order to hide users’ identities (VPN is useful for much more than this, but privacy is a core feature of the technology).

We also have an expanded version of this article which examines some VPN providers that offer Tor functionality as part of their service.

  • VPN is faster than Tor, and is suitable for P2P downloading. The major downside (and reason VPN is said to provide privacy rather than anonymity) is that it requires you trust your VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.
  • Tor is much slower, is often blocked by websites, and is not suitable for P2P, but it does not require that you trust anybody, and is therefore much more truly anonymous.

The cool thing is that VPN and Tor can be used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside is that doing so combines the speed hit of both technologies, making connecting in this way secure… but slow.

It is also important to understand the difference between connecting to Tor through VPN and connecting to VPN through Tor…

Tor through VPN

In this configuration you connect first to your VPN server, and then to the Tor network before accessing the internet:

Your computer -> VPN -> Tor -> internet

Although some of the providers listed above offer to make such a setup easy, this is also what happens when you use the Tor Browser or Whonix (for maximum security) while connected to a VPN server, and means that your apparent IP on the internet is that of the Tor exit node.


Pros:

  • Your ISP will not know that you are using Tor (although it can know that you are using VPN)
  • The Tor entry node will not see your true IP address, but the IP address of the VPN server. If you use a good no-logs provider this can provide a meaningful additional layer of security
  • Allows access to Tor hidden services (.onion websites).


Cons:

  • Your VPN provider knows your real IP address
  • No protection from malicious Tor exit nodes. Non-SSL traffic entering and leaving Tor exit nodes is unencrypted and could be monitored
  • Tor exit nodes are often blocked
  • We should note that using a Tor bridge such as Obfsproxy can also be effective at hiding Tor use from your ISP (although a determined ISP could in theory use deep packet inspection to detect Tor traffic).

Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer VPN through Tor via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from VPN through Tor.

Please be aware, however, that this is nowhere near as secure as using the Tor browser, where Tor encryption is performed by the Tor servers, and not on your desktop (as is the case with transparent proxies). It is also possible that with transparent proxies your provider could intercept traffic before it is encrypted by the Tor servers.


For maximum security when using Tor through VPN you should always use the Tor browser.

VPN through Tor

This involves connecting first to Tor, and then through a VPN server to the internet:

Your computer -> encrypt with VPN -> Tor -> VPN -> internet

This setup requires you to configure your VPN client to work with Tor, and the only VPN providers we know of to support this are AirVPN and BolehVPN. Your apparent IP on the internet is that of the VPN server.


Pros:

  • Because you connect to the VPN server through Tor, the VPN provider cannot ‘see’ your real IP address – only that of the Tor exit node. When combined with an anonymous payment method (such as properly mixed Bitcoins) made anonymously over Tor, this means the VPN provider has no way of identifying you, even if it did keep logs
  • Protection from malicious Tor exit nodes, as data is encrypted by the VPN client before entering (and exiting) the Tor network (although the data is encrypted, your ISP will be able to see that it is heading towards a Tor node)
  • Bypasses any blocks on Tor exit nodes
  • Allows you to choose server location (great for geo-spoofing)
  • All internet traffic is routed through Tor (even by programs that do not usually support it).


Cons:

  • Your VPN provider can see your internet traffic (but has no way to connect it to you)
  • Slightly more vulnerable to global end-to-end timing attack as a fixed point in the chain exists (the VPN provider).

This configuration is usually regarded as more secure since it allows you to maintain complete (and true) anonymity.

Remember that to maintain anonymity it is vital to always connect to the VPN through Tor (if using AirVPN or BolehVPN this is performed automatically once the client has been correctly configured). The same holds true when making payments or logging into a web-based user account.

Malicious exit nodes

When using Tor, the last node in the chain between your computer and the open internet is called an exit node. Traffic enters and exits this node unencrypted (unless some additional form of encryption is used), which means that anyone running the exit node can spy on users’ internet traffic.


This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.

Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites.

SSL connections are encrypted, so if you connect to an SSL secured website (https://) your data will be secure, even if it passes through a malicious exit node.


End-to-end timing attacks

This is a technique used to de-anonymize VPN and Tor users by correlating the time they were connected, to the timing of otherwise anonymous behavior on the internet.

An incident where a Harvard bomb-threat idiot got caught while using Tor is a great example of this form of de-anonymization attack in action, but it is worth noting that the culprit was only caught because he connected to Tor through the Harvard campus WiFi network.

On a global scale, pulling off a successful e2e attack against a Tor user would be a monumental undertaking, but possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world’s public Tor exit nodes.

If such an attack (or other de-anonymization tactic) is made against you while using Tor, then using VPN as well will provide an additional layer of security.

So which is better?

VPN through Tor is usually considered more secure because (if the correct precautions are taken) it allows true anonymity – not even your VPN provider knows who you are. It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes.

You should be aware, however, that if an adversary can compromise your VPN provider, then it controls one end of the Tor chain. Over time, this may allow the adversary to pull off an end-to-end timing or other de-anonymization attack. Any such attack would be very hard to perform, and if the provider keeps logs it cannot be performed retrospectively, but this is a point the Edward Snowdens of the world should consider.

Tor through VPN means that your VPN provider knows who you are, although as with VPN through Tor, using a trustworthy provider who keeps no logs will provide a great deal of retrospective protection.

Tor through VPN provides no protection against malicious exit nodes and is still subject to censorship measures that target Tor users, but does mean that your VPN provider cannot see your internet traffic content…
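The comparison above follows from which node removes which encryption layer. The Python sketch below is an added example, not part of the original article: the node labels and the `visibility` and `summary` functions are illustrative assumptions, and it models only where each tunnel layer ends, not real network behaviour.

```python
# Added illustration (not from the original article): a layering model of the
# two orderings. Node names are made-up labels, not real hosts.
TUNNEL_NODES = {
    "vpn": ["vpn_server"],
    "tor": ["tor_entry", "tor_middle", "tor_exit"],
}

def visibility(order, https=False):
    """order lists tunnels in the order you connect to them, e.g.
    ["vpn", "tor"] is Tor through VPN. Returns what each observer learns."""
    path = ["you", "isp"]
    endpoints = []                        # path index where each layer is removed
    for tunnel in order:
        path += TUNNEL_NODES[tunnel]
        endpoints.append(len(path) - 1)   # a layer ends at its tunnel's last node
    path.append("site")
    report = {}
    for i in range(1, len(path)):
        layers_left = sum(1 for e in endpoints if e > i)
        report[path[i]] = {
            # the ISP and the first hop past it see your own address
            "source": "you" if i <= 2 else path[i - 1],
            "next_hop": path[i + 1] if i + 1 < len(path) else None,
            # readable once every tunnel layer is gone and HTTPS is not in use
            "reads_plaintext": layers_left == 0 and (path[i] == "site" or not https),
        }
    return report

def summary(order, https=False):
    r = visibility(order, https)
    return {
        "isp_sees_tor": r["isp"]["next_hop"] == "tor_entry",
        "knows_real_ip": [n for n, v in r.items() if v["source"] == "you"],
        "plaintext_readers": [n for n, v in r.items()
                              if v["reads_plaintext"] and n != "site"],
        "apparent_ip": r["site"]["source"],
    }

if __name__ == "__main__":
    for name, order in [("Tor through VPN", ["vpn", "tor"]),
                        ("VPN through Tor", ["tor", "vpn"])]:
        for https in (False, True):
            print(name, "https" if https else "http", summary(order, https))
```

With HTTPS enabled, no intermediate node reads the content in either ordering, which is the point made in the malicious exit node section.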

VPN and Tor Conclusion

Whichever configuration you choose, combining VPN and Tor will improve your privacy and security, and goes some way towards addressing weaknesses in using either technology as a stand-alone solution.

I do, however, encourage any user who requires a very high level of security to carefully weigh up the pros and cons of each setup in relation to their particular needs. Under most circumstances, for example, using VPN through Tor provides almost perfect anonymity, but the fact that the VPN acts as a fixed end-point for Tor does mean that under some circumstances such a setup could potentially become a liability.

It is also worth remembering that any VPN user can run Tor through VPN simply by running the Tor Browser after their VPN connection has been established (and this is more secure than using the transparent proxy method offered by NordVPN, Privatoria and TorVPN).

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.


27 responses to “Using VPN and Tor together”

  1. thanks for your information.

    I have a question, how much is the network speed affected? For example, I am using a connection of 100Mbps, and I am planning to use the tor -> vpn -> tor setup.

    how much will my speed downgrade? to 60Mbps?

    thanks for your time.

    1. Hi Maracas,

      So I just did some very quick tests using my 50 /3Mbs UK connection (using a powerline adapter):

      No VPN: 34.3/2.9 Mbs – a little slow (don’t know if this is the fault of my powerline adapter or ISP, but doesn’t matter as it’s the relative speeds that count).
      Connected to AirVPN (NL server): 22.8/2.7 Mbs
      Connected Tor -> AirVPN : 3.1/2.1 Mbs
      Connected Tor -> AirVPN -> Tor: 2.8 Mbs / 333 Kbps

      The Tor network is very slow.

  2. Hi guys

    Can you do the following……
    Connect to your VPN…..Then Tor and Then another VPN (One that accepts bitcoin payments)

    This will be slow but from my understanding you are completely encrypted the whole way through and a complete Ghost.

    I guess you are never really fully invisible. To set up a bitcoin wallet you will most likely need a gmail account and a mobile phone number so there are always possible ways of tracking you down but I hear the VPN to TOR to VPN although very slow is a very good way to be 99.9999% an encrypted cyber ghost. Any opinions 🙂

  3. Hi Douglas

    I am actually using NordVPN but I am really confused about the Tor over VPN feature they offer… I did talk to live chat support and the guy told me that if I am connected to the Tor over VPN server I cannot use the Tor browser (I have a screenshot of the chat)…
    This is confusing because when I bought the license the support told me that first I need to connect to the VPN and then to Tor, then it was vice versa… I don’t know whom I should believe…
    or change to another VPN provider…
    I did try to contact the Tor project but cannot see any e-mail address for contacting them.

    Thanks and have a nice day !!!

    1. Hi Andreas,

      It does sound like NordVPN’s support staff is rather confused. Please note that I do not currently have a NordVPN subscription with which to test the setup. It is not very well explained, but in the comments of its Tor over VPN webpage, however, Admin explains that,

      “Please download this config file if you are using Mac, Linux or Windows old software: If you are using our latest Windows software please accept the update and then you will see the “Tor over VPN” in the server list.”

      It therefore seems that you need to use the generic OpenVPN client, rather than NordVPN’s custom software. I see no reason why you cannot also use the Tor Browser. This will mean, however, that your traffic passes through the Tor network twice, so will have a big impact on your speed.

      As I discuss in the article above, it is worth noting that connecting to the VPN then using the Tor Browser is more secure than using NordVPN’s Tor over VPN setup.

      If you still want help from Tor, this page outlines Tor support options.

  4. I was curious about the exit nodes. I use PIA for my VPN. Using VPN –>Tor , and my VPN settings include Data Encryption -AES-256, Data Authentication-SHA-256, Handshake RSA-4096 do I still have to worry ” as much ” about “unencrypted” exit nodes? I still realize if the NSA wanted to know they would, but in general?

    1. Hi Jericho,

      Your traffic will only be encrypted by the VPN while traveling between your computer and the VPN server. When leaving the VPN server to enter the Tor network it will be decrypted by the VPN server before being encrypted by Tor. Using VPN –>Tor does not provide any additional protection when using Tor except hiding from your ISP that you are using Tor, hiding your true IP address from the entry node, and providing an extra barrier for an attacker to overcome when tracking you.

  5. Hi Douglas,

    I’ve been using Tor through VPN for a while, and I need some help. I want to prevent traffic analysis, but I’m not sure how to do it properly. I need a simple but proper way. In my example I visit a website (can’t visit it from a public wi-fi, only from home through my ISP), I click on some links or images, etc… Let’s assume that someone is watching that server, and they can check the exact times of the clicks from the server logs or from the database entries. And later they can compare it with the logs from my ISP. So they won’t see the exact traffic, only encrypted stuff, but they will see that I had outgoing traffic or request exactly when something happened on the website. So sooner or later they’re gonna have enough traffic analyzed to be sure that I was doing those clicks. My question is: is there any way to generate some non-Tor traffic through the VPN which can help to obfuscate things and can prevent end-to-end timing analysis while I’m using that website? For example some online games which send and receive traffic constantly? Or anything better? What would you recommend? Thanks for your help!

    1. Hi Mandre,

      As I am sure you are aware, you are describing a classic end-to-end timing attack. I really hope that you are not doing anything very illegal. In theory, anyone watching a website will be unable to trace you back to your ISP, because not only is your connection protected by a VPN, but it is randomly routed through at least 3 Tor nodes. Even if you were traced back to the VPN provider (unlikely by anyone except perhaps a global adversary), almost all VPNs use shared IPs. This makes traffic analysis very hard (but not completely impossible).

      The simplest way to generate both Tor and non-Tor traffic when using your VPN is to connect to the VPN service, and then run the Tor browser inside a Virtual Machine. If you also visit websites using your regular browser (outside the VM), then you will generate non-Tor VPN traffic in addition to the Tor traffic generated when using the Tor browser inside the VM.

  6. For connecting VPN through TOR, could you comment on whether Express VPN will work with this setup…?

    I know the Express VPN connection is fast when it runs stand-alone, but when Express VPN connects through TOR… would it stay fast that way or at least better than AirVPN or BolehVPN…?

    1. Hi zery,

      ExpressVPN does not support VPN through Tor – only AirVPN and BolehVPN do (that I know of). You can use Tor through VPN with any VPN provider (including ExpressVPN) by connecting to the VPN, then using the Tor browser. Whichever setup you use, the (slow) speed of the Tor network will be a much bigger factor than that of your VPN provider.

    1. Hi sabé,

      Any VPN can be used for Tor through VPN simply by starting the VPN then using the Tor Browser. As discussed in the article, this is more secure than using a VPN that offers VPN through Tor via an OpenVPN configuration file. So if you want to try both configurations, you are pretty much limited to AirVPN and BolehVPN. Please see here, for example, for AirVPN’s take on both configurations.

  7. The introduction notes that Tor is not suitable for P2P. Is there any combination of Tor, VPN and other browser which is suitable for P2P but still enables anonymous surfing and downloading?

    1. Hi Alex,

      Tor is never suitable for P2P because not only is it very slow, but:

      – Using P2P slows down the network for all other Tor users (many of whom rely on Tor for reasons related to human rights, and whose internet connection is very basic in the first place!)
      – Volunteers who run Tor exit nodes can be held accountable for copyright abuses traced to their IP addresses.

      It is therefore considered extremely bad form to torrent using Tor (a point that probably also applies to attempts to stream content). Simply using a P2P-friendly VPN service normally provides more than sufficient privacy while downloading and surfing the web, and is what I recommend. If you really need true anonymity while downloading, the I2P anonymity network is what you are looking for.

  8. Is this Swedish VPN service’s use of VPN through TOR via the use of an OpenVPN configuration file, as it seems to me, or is it an AirVPN and BolehVPN type of implementation?

  9. Thank you for the article.

    Are there other sequences of connections which could help with privacy or anonymity? For instance, is it advantageous and possible to connect through VPN > TOR > VPN ? If so there seems to be a myriad of potential sequences at a user’s disposal.

    Is there an estimate of the number of TOR nodes? Correct me if I’m wrong, but a malicious organization which wanted to monitor traffic would need to create/control a certain number of nodes to increase their probability of being the exit node. It’s just a matter of statistics right?

    1. Hi Learning,

      1. Yes, other configurations are possible, although these come with ever increasing trade-offs with usability. It is very easy, for example, to connect Tor -> VPN, then use the Tor browser to access the internet (Tor -> VPN -> Tor).
      2. Well – simply controlling an exit node is of limited use as data is encrypted between each node, and as all data passes between at least 3 random nodes, decrypting and tracing the data is all but impossible. However, it is theoretically possible that a powerful enough entity (such as the NSA) could control enough Tor nodes to perform a successful end-to-end timing attack. This would be a monumental and highly specific undertaking, though.

  10. VPN > Tor is the most secure and standard practice of this. The tried and tested method of everyone on the Tor network. If you want to get around TOR exit node blocks or temporarily hide the fact you’re using TOR from websites, go VPN>TOR>Proxy; a lot of people do that as well and it’s easy to mod in the config file. Best method: just pick a nice proxy that switches around IPs a lot or passes you out of different points in a chain and is used by lots of different people to help obscure you even more. Just use it only when needed. VPN>TOR most of the time FTW.

    Also the Harvard idiot got caught because he had to log into an account under his name on their wifi and the US is overbearing and follows no laws like an idiot.

  11. Contradictory statements:

    “So which is better?

    VPN through Tor is usually considered more secure because (if the correct precautions are taken) it allows true anonymity – not even your VPN provider knows who you are. It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes.”


    “VPN through Tor provides no protection against malicious exit nodes and is still subject to censorship measures that target Tor users, but does mean that your VPN provider cannot see your internet traffic content…”

    Contradict each other.

    1. Hi Sajah,

      Good catch – thanks! I obviously suffered a moment of confusion. As the context should clearly show, I meant to write “Tor through VPN” in the second instance. I have now corrected this.

  12. How exactly do you set up the VPN through Tor method? Would you mind linking to a tutorial or a place to start? I don’t want to go about this the wrong way. Thank you!
