Using VPN and Tor together

Douglas Crawford

Douglas Crawford

Februar 26, 2016

Although in many ways very different, both VPN and the Tor anonymity network use encrypted proxy connections in order to hide users’ identities (VPN is useful for much more than this, but privacy is a core feature of the technology).

We also have an expanded version of this article which examines some VPN providers that offer Tor functionality as part of their service.

  • VPN is faster than Tor, and is suitable for P2P downloading. The major downside (and reason VPN is said to provide privacy rather than anonymity) is that it requires you trust your VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.
  • Tor is much slower, is often blocked by websites, and is not suitable for P2P, but it does not require that you trust anybody, and is therefore much more truly anonymous.

The cool thing is that VPN and Tor can be used together in order provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside of doing so combines the speed hit of both technologies, making connecting in this way secure… but slow.

It is also important to understand the difference between connecting to Tor through VPN and connecting to VPN through Tor…

Tor through VPN

In this configuration you connect first to your VPN server, and then to the Tor network before accessing the internet:

Your computer -> VPN -> Tor -> internet

Although some of the providers listed above offer to make such a setup easy, this is also  what happens when you use the Tor Browser or Whonix (for maximum security) while connected to a VPN server, and means that your apparent IP on the internet is that of the Tor exit node.


  • Your ISP will not know that you are using Tor (although it can know that you are using a VPN)
  • The Tor entry node will not see your true IP address, but the IP address of the VPN server. If you use a good no-logs provider this can provide a meaningful additional layer of security
  • Allows access to Tor hidden services (.onion websites).


  • Your VPN provider knows your real IP address
  • No protection from malicious Tor exit nodes. Non-HTTPS traffic entering and leaving Tor exit nodes is unencrypted and could be monitored
  • Tor exit nodes are often blocked
  • We should note that using a Tor bridge such as Obfsproxy can also be effective at hiding Tor use from your ISP (although a determined ISP could in theory use deep packet inspection to detect Tor traffic).

Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer Tor through VPN via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from Tor through VPN.

Please be aware, however, that this is nowhere near as secure as using the Tor browser, where Tor encryption is performed end-to-end from your desktop to the Tor servers.  It is possible that with transparent proxies your VPN provider could intercept traffic before it is encrypted by the Tor servers. The Tor Browser has also been hardened against various threats in a way that your usual browser almost certainly has not been.

VPN and Tor

For maximum security when using Tor through VPN you should always use the Tor browser

VPN through Tor

This involves connecting first to Tor, and then through a VPN server to the internet:

Your computer -> encrypt with VPN -> Tor -> VPN -> internet

This setup requires you to configure your VPN client to work with Tor, and the only VPN providers we know of to support this are AirVPN and BolehVPN. Your apparent IP on the internet is that of the VPN server.


  • Because you connect to the VPN server through Tor, the VPN provider cannot ‘see’ your real IP address – only that of the Tor exit node. When combined with an anonymous payment method (such as properly mixed Bitcoins) made anonymously over Tor, this means the VPN provider has no way of identifying you, even if it did keep logs
  • Protection from malicious Tor exit nodes, as data is encrypted by the VPN client before entering (and exiting) the Tor network (although the data is encrypted, your ISP will be able to see that it is heading towards a Tor node)
  • Bypasses any blocks on Tor exit nodes
  • Allows you to choose server location (great for geo-spoofing)
  • All internet traffic is routed through Tor (even by programs that do not usually support it).


  • Your VPN provider can see your internet traffic (but has no way to connect it to you)
  • Slightly more vulnerable to global end-to-end timing attack as a fixed point in the chain exists (the VPN provider).

This configuration is usually regarded as more secure since it allows you to maintain complete (and true) anonymity.

Remember that to maintain anonymity it is vital to always connect to the VPN through Tor (if using AirVPN or BolehVPN this is performed automatically once the client has been correctly configured). The same holds true when making payments or logging into a web-based user account.

Malicious exit nodes

When using Tor, the last exit node in the chain between your computer and open internet is called an exit node. Traffic to or from the open internet (Bob in the diagram below) exits and enters this node unencrypted. Unless some additional form of encryption is used (such as HTTPS), this means that anyone running the exit node can spy on users’ internet traffic.

Tor-onion-network exit node

This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.

Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites.

SSL connections are encrypted, so if you connect to an SSL secured website (https://) your data will be secure, even it passes through a malicious exit node.

bestvpn https

End-to-end timing attacks

This is a technique used to de-anonymize VPN and Tor users by correlating the time they were connected, to the timing of otherwise anonymous behavior on the internet.

An incident where a Harvard bomb-threat idiot got caught while using Tor is a great example of this form of de-anonymization attack in action, but it is worth noting that the culprit was only caught because he connected to Tor through the Harvard campus WiFi network.

On a global scale, pulling off a successful e2e attack against a Tor user would be a monumental undertaking, but possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world public Tor exit nodes.

If such an attack (or other de-anonymization tactic) is made against you while using Tor, then using VPN as well will provide an additional layer of security.

So which is better?

VPN through Tor is usually considered more secure because (if the correct precautions are taken) it allows true anonymity – not even your VPN provider knows who you are. It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes.

You should be aware, however, that if an adversary can compromise your VPN provider, then it controls one end of the Tor chain. Over time, this may allow the adversary to pull off an end-to-end timing or other de-anonymization attack. Any such attack would be very hard to perform, and if the provider keeps logs it cannot be performed retrospectively, but this is a point the Edward Snowden’s of the world should consider.

Tor through VPN means that your VPN provider knows who you are, although as with VPN through Tor, using a trustworthy provider who keeps no logs will provide a great deal of retrospective protection.

Tor through VPN provides no protection against malicious exit nodes and is still subject to censorship measures that target Tor users, but does mean that your VPN provider cannot see your internet traffic content…

VPN and Tor Conclusion

Whichever configuration you choose, combining VPN and Tor will improve your privacy and security, and goes some way towards addressing weakness in using either technology as a stand-alone solution.

I do, however, encourage any user who requires a very high level of security to carefully weigh up the pros and cons of each setup in relation to their particular needs. Under most circumstances, for example, using VPN through Tor provides almost perfect anonymity, but the fact that the VPN acts as a fixed end-point for Tor does mean that under some circumstances such a setup could potentially become a liability.

It is also worth remembering that any VPN user can run Tor through VPN simply by running the Tor Browser after their VPN connection has been established (and this is more secure than using the transparent proxy method offered by NordVPN, Privatoria and TorVPN).

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

124 Antworten auf “Using VPN and Tor together

  1. Hi Douglas,

    Thanks again for all these excellent readings !

    If I got a VPN configured on router level (DDWRT) and I use a Tail OS on system connected to that router.
    Am I doing TOR trough VPN, or VPN through TOR ?

    and other way around, If I configure TOR on an intermediate raspberry, should I drop the VPN on router and use computer client ?

    What about Tails > TOR raspberry > VPN router ?

    Many thanks !

    1. Hi Prismatic,

      – This is a Tor though VPN setup. All data leaving your router is first routed to the VPN server, and then will ultimately exit to the internet via a Tor exit node (or in reverse for incoming traffic).

      – VPN computer client>Tor Raspberry>router = VPN though Tor (exit point will be the VPN server)
      – computer>Tor Raspberry> VPN router = Tor through VPN
      – Tails > TOR Raspberry > VPN router = In theory this is ending your data through the Tor network twice before exiting at the VPN server. But I have no idea if this would even work! 🙂

    2. Hi Douglas, Thank you !

      Well, that makes all technological studies just more complicated…

      Most wide-spread anon setups, rely on TOR. Be it from Tails, Whonix or Browser-based.
      Adding a VPN security to that, could only be done after the client computer, on router level only (maybe Qubes ?), so being in TOR trough VPN setup.

      Meaning that actual global deepweb anonimity (instead of TOR by itself) only really rely on VPN providers trust level ?

      You state that VPN trough TOR is much secure. But that defeats the principle of secure OS like stated above as we need to use client applications on PC for VPN ?

      1. Hi Prismatic,

        Er… you can add VPN security before Tor simply by connecting to a VPN service on your computer, then using the Tor Browser. In this configuration the VPN provider cannot know what you get up to online as your data is encrypted by Tor. But it will know your real IP address. With VPN through Tor your VPN provider can see what you get up to online, but doesn’t know who you are (doesn’t know your real IP address).

        – Tor hidden service can only be accessed in Tor through VPN configuration (or just Tor on its own). There is a strong argument for just using Tor on its own for this, as it removes the need to trust a VPN provider. It is up to you to decide if the extra layer adds privacy or is a risk to it.

        – Well – VPN trough TOR allows for complete anonymity and removes the danger of using a malicious Tor exit node. Doing this on TAILS is hard, but it would work well under a secure OS like Qubes.

  2. Hi Douglas,
    Tks. for that – my thoughts nearly check out against your words.
    I am only a few years “away” from 80 years old so not as quick as I used to be and tks. also for comments about Tor add-ons.

  3. Hi Douglas,
    Can you please explain to this bearded newbie how to use your own VPN software and Tor and thus you do know no one can access any logs etc. i.e. a VPN through Tor setup (if this is possible).
    At present I use Tor with Hoxx Proxy and HTTPs Everywhere as well as DuckDuckgo however I am not sure about setting up my own VPN and Tor because I can’t see my way clear about my ISP tracking/logging me and others identifying me by way of the IP that “goes out” if I use my own in-house VPN software and Tor.
    Many thanks.

    1. Hi Aileans (:) ),

      1. Running your own VPN server does mean that you control your own logs, but (as you say) it also means your VPN’s IP address is tied directly to yourself. With a commercial service you benefit from sharing an IP address with many other users.
      2. For privacy it is usually recommended not to run add-ons with Tor Browser. This is because one of the biggest benefits of using Tor Browser is that you look like every other Tor Browser user, which is a great defense against browser fingerprinting.
      3. You can run a Tor through VPN setup simply by connecting to your VPN and then using the Tor Browser. In this case your outward facing IP will be that of a Tor exit node. The benefits of this setup over just using Tor on own are very limited, however, becasue of point 1.
      4. The benefit of a VPN though Tor setup, on the other hand, is that this hides your real IP from the VPN server. But if you are running your own VPN server then there is no point in doing this.

  4. Not sure if my question is relevant here. Considering the below scenario, let’s assume, my real ip (provided by isp) is and my vpn ip is I have a service opened on port 1212. Which IP the incoming connections will try for? If they try for then where is the anonymity?

    1. Hi sam,

      I think you might be confusing ports and IP addresses. If using a VPN, then incoming connections will use the port used by the VPN protocol. For example, by default OpenVPN uses UDP port 1194. It is possible to manually specify a different port, but most VPN providers only support UDP port 1194 and TCP port 443 for OpenVPN. In your example, incoming connections will use the IP address If you need incoming connections to use port 1212, then you will need a VPN service that supports port forwarding. In this case your outwards-facing IP is still Note that a VPN provides privacy, not anonymity, as the VPN provider always knows your real IP address (the exception to this rule is VPN through Tor – as discussed in the article above).

  5. Hello,
    question related w yr idea “Tor -> VPN -> Tor”..
    How u want do it?? is not clear to me.. Beucase: When u first start TOR connection (which is most easy started with lauch of TOR browser), then start VPN (for example connect Boleh VPN server through openVPN configured w connection over TOR proxy ( and port 9050)), then when u will use other / normal web browser such as Chrome, Firefox etc, yr connection will be: You => Tor => VPN server => internet.. But when u will use TOR, then your TOR browser will be direct connected to the TOR network (using opened TOR connection initialized on start, before VPN launched), and no going as u mean YOur TOR browser => TOR => VPN => TOR => internet… How u can force TOR browser to go next through VPN and again TOR when already enter in TOR first time? I think is not simple possible because when u as first thing open / launch TOR connection, this connection channel is separated from VPN tunnel (VPN tunnel then use TOR connection ) and u cannot force TOR browser to go after entering directly to TOR connection go again then to VPN and then again to TOR network second time. Thank for yr explanation and ideas. Regards

    1. simple: I mean TOR browser will always use only first input to TOR network and then u cannot force him to go then over VPN and again back to TOR network… If u are using VPN over TOR , through VPN will go only apps which are not configured to use TOR connection (127 and port 9050) as thunderbird, chrome etc.. But all what is using localhost 127 and port 9050 is no more using VPN and second time TOR when already entered into TOR network. Only option as u can use TOR + VPN together for TOR browser browsing is i think TOR over VPN (first initialize VPN connection and then launch TOR browser, then all internet connection will go first through VPN tunnel and then to TOR network). But when u first initialize TOR connection and then VPN, TOR browser will use first available enter into TOR network and does not need more VPN and second TOR input.

    2. and at use system TOR => VPN then FIRST TOR connection (launched before VPN) is master connection for VPN connection and independent on VPN tunnel, but VPN tunnel is full depend on TOR connection (when is TOR connection interupted, of course VPN too cannot work more without reconncetions)

    3. thanks for soon reply and answer, now i find it & read it. Only little bit is confusing that u have not corrected this mistake in Article, and discuss now have more than 100 comments (i mean no very much people will read whole discussion till end, is not very probably). Thanks

      1. Hi mark,

        Ah. That is because I thought I only mentioned it in the comments section. Oops! I have now removed that section from the main article. Thanks for pointing this out.

  6. Hi Doug,

    I have a question regarding using Tails if one wanted to access the dark web.

    I am reading a lot of conflicting reports about using a VPN with Tails. Some comments I read are users just using Tails and the Tor browser, but wouldn’t your ISP still see that you are accessing the Tor network? Would you recommend Tails and a Tor browser over any other OS and possible include a VPN with that? Or would any OS (more than likely Linux) > VPN > Tor browser suffice?

    1. Hi Jen,

      I don’t think using TAILS and the Tor browser will achieve much, as all TAILS connections are automatically routed through Tor anyway. In either case, ye – your ISP can see that you are using Tor. For maximum security I personally would use Linux (I use Debian) -> Tor -> VPN (i.e. VPN though Tor) for open web browsing, and Linux -> VPN -> Tor (i.e. Tor through VPN). You could replace the Tor browser with TAILS running inside a Virtual Machine (VM) for even more security, but that is probably overkill.

  7. Thanks Douglas!

    If u use Tor through VPN = Connect to a VPN then opening Tor..
    does this mean I can just use HTTPS connections if I want the end node to be encrypted and secure? Or is it just better to use Tor itself or VPN itself.. which is better?

    1. Hi Mobscript,

      Yes, you can secure the end connections by connecting to HTTPS websites and resources. I’m afraid which is best setup depends entirely on your threat model and general level of paranoia, although Tor is always going to be more anonymous that a VPN on its own.

  8. I have no idea if this question has been stated yet because I’m tired of reading lol.

    I am wondering if it’s better to just use Tor Browser alone.. instead of adding VPN to it.
    I am a person who prefer video instead of text because it’s easier for me to understand but as I see it; Using VPN through Tor means you need to download AirVPN which costs real life money. So NO.
    Using Tor through VPN is kinda bad which opens Tor end chain right? But you can add HTTPS Everywhere to keep it tighter? But this allows your ISP to still find out what ur searching for and using Tor itself.

    I’m talking about most things people wanna keep a secret which includes: p0rn and secret websites.

    So the best option would be to just use Tor itself without VPN? I probably screwed up my writing/explaining cuz it’s late and I’ve got a headache xd.

    1. Hi MobScript,

      I would say that it all depends on why you want to anonymous, and who you are afraid of. I certainly think that using Tor and a VPN together is an overkill solution for the vast majority of users! It is worth remembering that HTTP Everywhere only works if an HTTPS connection is avaible. If not then it will default to as regular HTTP connection. It is also worth noting that Tor is very slow, which not ideal if you want to watch p0rn videos!

  9. Hi Douglas,
    Sorry I’m not a native English-speaker, so it’s difficult for me to catch all you mean.
    Would you please tell me the way that ISP won’t find me using VPN and Tor? I mean both couldn’t be found by ISP.
    Thank you.

    1. Hi Dede,

      Using either a VPN or Tor will hide what you get up to on the internet from your ISP. For most purposes, using both of them together (whichever way you do it) is overkill. If you want to hide the fact that you are using a VPN at all from your ISP then please see my guide on How to Bypass VPN Blocks (I would suggest using AirVPN with SSL tunneling). If you want to hide the fact that you are using Tor from your ISP then obfsproxy (also discussed in that article) can help.

      If using Tor though VPN then you need to hide your VPN connection. I may be wrong, but I don’t think it is possible to completely hide your Tor connection from your ISP in VPN through Tor configuration.

  10. Douglas, as always I enjoy your reads and find them to be more clarifying than your average blog or forum.

    Although I understood most of the above text, and attempted to sift through the majority of comments before writing one myself; I am still left quite perplexed. (Please correct if any of my ‘existing’ knowledge is wrong)

    1) When referring to Tor, is that the same as the Tor browser itself or something different?
    2) When you say VPN through Tor, you mean opening the Tor browser and then connecting to your VPN? This is supposedly more secure/anonymous than running the VPN and then opening Tor. (And this way you are hidden from your ISP, what can your VPN see?)

    More significantly, what would you recommend to someone wishing to browse the dark web (for e.g.) and its respective sites whilst remaining as anonymous as possible?

    I have a mac (post mid-2014). Would running tails through the mac and then running VPN through Tor (using a VPN bought with mixed bitcoins) be the best option? What VPN would you use for such setup? Or do you recommend an alternative setup?

    I am aware of the benefits of DD-WRT firmware but that is slightly out of my price range. Would what I mentioned above be the next step down?

    I hope not to be a pain with the barrage of questions and lengthy comment.
    Thanks, Rejjie

    1. Hi Rejjie ,


      – 1) When I say Tor in general, I mean the Tor network – the series of volunteer-run nodes that your data passes through before reaching the internet. By far the best way to access the Tor network is using the Tor browser.

      – 2) No. Using VPN through Tor (so your IP is hidden from your VPN provider by the Tor network) requires special software. The only VPN providers to offer this software are AirVPN and BolehVPN (and I am not sure how well Boleh’s actually works). In this setup your ISP will see that you are connected to the Tor network, but nothing else. Your VPN provider can see which websites you visit (as usual), but cannot see your real IP as this is hidden by the Tor network. When combined with an anonymous payment method, this allows for true anonymity.

      – To browse the dark web you will need a Tor node at the end of the chain. This means using either vanilla Tor or Tor through VPN (which provides an extra layer of protection). For Tor through VPN the best setup is to use the Tor browser in combination with a good no logs VPN service.

      – The thing about TAILS is that it routes all connections through Tor by default. This will probably prevent you from routing through a VPN first. Also note that unless using the VPN through Tor method, your VPN provider will know your real IP address, which limits the usefulness of paying anonymously.

      – You can run a VPN in DD-WRT, but you won’t benefit from things such as DNS leak protection or a kill switch (although these can be setup using iptables). As I say, I don’t think the above setup has wings.

    2. Dear Douglas,

      I found this response quite useful and surprisingly relevant to what I wanted to ask you.
      Thus I ask,

      If the intention is to browse the dark web with the upmost anonymity (within reason) possible; you recommend using Tor through VPN instead of VPN through Tor using AirVPN for example? How would you do this exactly? Would you still recommend AirVPN, I assume it is no logs and has a functional kill switch?

      Also what is vanilla Tor? I tried to search online but to no avail (came up with a load of world of warcraft stuff hahah).

      Although TAILS is heavily recommended on the web, you seem to poke holes in it. Does it not allow for true anonymity? Would you recommend me to use this in a certain way or to disregard it and do something else, what would this be?

      I have a completely wiped and ‘fresh’ Sony Vaio with windows 10. I have turned off all the privacy intrusive settings and such. Essentially what i am trying to ask here is, what would you use/do in order to browse the dark web safely and most importantly, as anonymous as reasonably possible? I am a stickler for privacy…

      As always, I enjoy your reads, please keep them coming!
      Regards, Damien

      1. Hi Damien,

        – VPN through Tor cannot be used used to access the dark web because to access the dark web the end point must be a Tor node. With VPN through Tor the end point is a VPN server. So you need to use Tor through VPN (or just Tor on its own). The most secure way to do Tor through VPN is to a) connect to a no-logs VPN sever, then b) access the dark web (Tor hidden services) using the Tor Browser.

        – I use AirVPN as my personal VPN provider. It does indeed keep no logs and have a kill switch (“network lock”). Please see my full AirVPN Review for more details.

        – By “vanilla Tor” I mean plain basic Tor on its own i.e Tor without a VPN (sorry – “vanilla in this context is a common British idiom). The most secure way to use Tor is with the Tor Browser.

        – I am not poking holes in TAILS – it is very secure. I am just saying that it routes all internet connections via the Tor network. This makes it unsuitable for a Tor through VPN setup. Please remember that Tor on its own (“vanilla”:) ) provides a very high level of anonymity anyway, so this is hardly a “hole”.

        – For a start, “Windows” and “privacy” should never be uttered in the same sentence. Even with all “the privacy intrusive settings” turned off, Windows sends a huge amount of telemetry data back to Microsoft. It is also widely believed to have been backdoored by the NSA. Use Linux instead.

        – I would say its a coin-toss between using TAILS or Tor through VPN (with a good good no-logs VPN provider and on a Linux system). Another good option is to use Whonix (again on a Linux system).

  11. Dear Douglas,

    My questions are regarding VPN -> TOR Browser -> Internet

    Early in the article you state “Tor through VPN …mean[s] that your VPN provider cannot see your internet traffic content…”

    Later, in a comment answer (to Jerry S) you state “Your VPN provider will know your real IP address and that you are connected to Tor. It could also intercept your internet traffic, should it wish to.”

    Which is it?

    i.e. can a VPN provider see your traffic content if connected: VPN -> TOR Browser -> Internet

    Or by intercept, do you mean intercept *encrypted* traffic only, which it cannot decrypt?

    What if you are connecting to a HTTPS site?


    1. Hi George,

      – It is my answer to Jerry S. that is in error. My apologies, and thank your for pointing this out. This would be true if using Tor through VPN via a transparent routing setup, but not if using the Tor Browser. If using the Tor Browser then your traffic is encrypted by Tor all the way between the your desktop and the Tor exit node. This means your VPN provider cannot see it. I have now edited my answer to Jerry S. to correct my mistake.

      – When connected to an HTTPS website the entire connection is secured between your browser and the website. This means neither your VPN nor the Tor exit node (or your ISP) can what you get up to on that website. So in a Tor through VPN setup, the exit node will know that you have visited that website, but not which pages you visit or anything else about what you do on that website.

    2. Hi,

      I have read through this expansive article and just thankful for your work. My main question would be if I connect via VPN (Nord seems to be up in the air a lot) then start my “Tor” browser. Will this grant me the maximum amount of security as stated? Or Do I start my “Tor” browser with no VPN on, and then connect to an online VPN source to have it tunneled? If both method are incorrect please point me in the right direction as I have seen Nord but would not know how to access it via online through “Tor”.

      Thank you for any advice that you can provide

      “Teach a man to fish and he will feed the village”

      1. Hi Phisher,

        To again the maximum benefits of Tor over VPN, first connect to a VPN server, then start the Tor Browser. This ensures that all connections are routed via the VPN server. before going anywhere else.

    1. Hi Micheal,

      Great question! So what we are talking about here are Virtual Machines (VM). Both Qubes and Whonix are more secure than Layer 2 VMs such as VirtualBox, VMware or Parallels, but the principle is the same.

      When using a VM, you can run a VPN on the host machine and the Tor bowser inside the VM. This will create a Tor through VPN setup as described above. Because the Tor session is running inside a VM, this is a very secure way to do this.

      More elaborate setups such as connecting Tor through VPN using an OpenVPN config file to transparently route your data from OpenVPN to the Tor network in the host machine, and then also running a VPN and/or Tor browser inside the VM might work, but am unable to advise you on the implications of doing so.

  12. I have to say, great article!

    I’ve been reading tons of articles with the various options / clients / pros / cons.

    I would like to pose to you a simple question (sorry if you’ve answered it somewhere else, I’ve gone through most of the comments):

    If *you* wanted to secure your traffic and remain as anonymous as possible, which client / configurations would you use?

    Assume price / speeds aren’t an issue and that anonymity is the highest concern.


    1. Hi Robert,

      Thanks! For ordinary internet use I would use AirVPN in VPN through Tor configuration (paid for using mixed Bitcoins). This provides a very high level of true anonymity, while providing most of the advantages of using a VPN and also mitigating most of the disadvantages of using Tor (except speed).

      If I was Edward Snowden, I would use a no-logs VPN based in somewhere very far from 14-Eyes influence (perhaps NordVPN in Panama?) in Tor through VPN config (using the Tor browser, not NordVPN’s proxy solution). This provides all the advantages of using Tor, while also providing an additional level of protection i.e. the VPN). Most importantly, this would allow me to connect to Tor hidden services websites (dark web), which I would try to use as much as possible.

  13. I think (at least for me) VPN over TOR is a non-starter for then followin reasons:
    1) Too few providors to choose from (only 2)
    2) Tried with Boleh; they told me it had issues and was waiting for a new build of their OpenVPN s/w
    3) AirVPNs works, but there is no implementation for VPN over TOR for a router, and their KillSwitch is NOT working (as stated in their documentation) for their client based implementation. (Anybody who cares enough about security to even consider this would never operate without a killswitch).

    For the above reasons, my only option would be TOR over VPN. I have tried it with my VPN Providor on standard OS as well as within TAILS (running on a vrtual machine). Two questions have come up with this that perhaps you can help with:

    a) When running TOR over VPN on a standard OS, if I run a “whatismyip” check, I always get (as expected) the TOR exit node. However, doing the same in TAILS gives me a response to “whatismyip” response that is DIFFERENT than the TOR exit dode (as reported by the TOR Circuit Button). The IP appears to be a TOR Node, but NOT any of the nodes in my TOR Circuit. Is TAILS doing something differnt /extra to cause this? Any ideas?
    b) Similar to the situation that you found yourself in when you were testing TOR over VPN over TOR (when at first you thought you were still going through the VPN), it made me wonder whether TAILS was somehow bypassing the VPN. I’m sure the answer is documented, but I have a more general question. When running TOR over VPN in various implementations, how can I test FOR SURE that the traffic actually went through the VPN before it went to TOR and dis not bypass the VPN? Since the Exit Node will show as your apparent IP, what process/test can I run to assure myself that it is, in fact, travering the VPN first? Kind Regards! 🙂

    1. Hi Jon,

      3) Hmm. I wasn’t aware of this. Thanks for letting me know.

      a) To understand what is going on here, I think you need to explain how you have setup Tails to run Tor over VPN. By default, Tails routes all internet connections through Tor. If you have not disabled this, then my guess is that you are running both the VPN and the Tor browser inside Tails’ default Tor connection. Which means that the IP you are seeing belongs to the Tor relay setup by Tails itslef. Which is, in itself, rather interesting!

      b) This is indeed another possibility, although the fact that you are seeing an exit node belonging to a second Tor relay suggests to me that the above suggested answer may be better. And to be honest, I don’t know how you would test for it. Sorry. The guys at AirVPN seem very knowledgeable about the subject, so it might be worth asking on their forums. You could also ask on the official Tor forums and on if you do find an answer, I would love to hear it!

  14. Douglas:
    I have followed you for a long time, and really appreciate your work. I have never written before, but I believe there is an error in your interpretation of the Airvpn documentation. On the Airvpn page referenced explaining Airvpn over Tor, it says:

    Browsing with the Tor Browser, or running any application configured to use Tor Socks, generates traffic that’s always directed to the Tor network and OUTSIDE the VPN tunnel. Technically because they use a connection that had been established before the VPN connection started.”

    So, it would appear that encrypt with VPN -> Tor -> VPN -> Tor -> internet is NOT possible. It goes on to say:

    “If you use the Tor Browser to reach, the bottom box will always show a red ‘Not connected’, with an IP address of a Tor Exit Node. This is because Tor browser enters directly the Tor network. If you use another browser (not configured to use Tor socks proxy), you will see the correct green box displaying ‘Connected!’.

    Again, this indicates that Tor Browser activity when connected as Airvpn over Tor does NOT go through the VPN tunnel.

    1. Hi Leon,

      Good catch! And thanks for correcting me on this. When running tests for Michele I obviously misunderstood the fact that Tor Browser shows I am connected to the Tor network even when connected to the VPN. As you say, AirVPN’s documentation clearly states that VPN -> Tor -> VPN -> Tor -> internet is not possible. My bad.

      1. OK, thanks. Another question:

        In the VPN through TOR environment, it is mentioned that anonymity is enhanced because your VPN does not know your IP. But, upon connecting to the VPN in the beginning, don’t they already have your IP?

        1. Hi Leon,

          No, becasue you don’t connect to the VPN at the beginning. The VPN client will wrap your data in OpenVPN encryption (thus protecting it from malicious Tor nodes), but it is then sent via the Tor network. It is only after your data leaves the Tor network that a connection to the VPN server is established. So the VPN server only sees the IP address of the last Tor node. Or to quote AirVPN,

          “Additional privacy layer: our VPN server will not see your real IP address but the IP of the Tor exit node (you can check your Tor exit IP in the Client Area).”

          1. I see. But one of the major stated advantages of VPN through TOR is that your VPN cannot see your originating IP (and you are protected in case they do, in fact, keep logs). However, here is my issue/question:

            In order to do this (VPN through TOR), you start the TOR Bundle, then log into your VPN. At that moment (when you start your VPN), your VPN (inevitably) sees the IP you have connected to. So, at that point, they have your IP and your account information (even if your account was established anonymously). Now, I understand that my data is encrypted by the VPN Client, and then by TOR before it reaches the VPN. However, the VPN Client MUST wrap account information somewhere with that data, or there would be no way for the VPN to authenticate the user when it receives data from the exit node. So, if my assumption is correct, the VPN knows (when it receives that data from the exit node) which account sent that data. And, although it can’t see the true originating IP in the data, it already knows from where the original connection to the VPN was made earlier and could correlate it with the account. So, it seems that a VPN provider would still know everything? What am I missing?

          2. Hi Leon,

            The fact that your VPN cannot see your IP is one of the major advantages of VPN through Tor… (I’m going to use AirvPN as the baseline for the following discussion, becasue that is the service I am most familiar with).

            – When Eddie is setup for this configuration, you do not login to your VPN until after your data has been routed through the Tor network. Your network traffic is encrypted using VPN, but you only connect to the VPN server via the Tor network.

            – Well, yes – your account username and password are transmitted from Eddie through the Tor network to the VPN server. You must still have an a valid account with AirVPN in order to use the service. But if you signed up to the service using Tor (or another VPN, or from an internet cafe, etc.) to hide your real IP, and were careful thereafter to connect only though Tor, AirVPN would never have a record of your real IP (and it claims to keep no logs anyway).

          3. (There was no “reply” button under your last post. Please put this in the proper position if possible).

            Thank you again. Your insights (as usual) are invaluable. Please bear with me, as I am sure this information will help many. (In case you didn’t notice, this article is the first hit on Google for the search “VPN over TOR” and the third hit for the search TOR over VPN. So this information and discussion will aid numerous future searchers).

            If we assume (as you suggest) that we have registered for our VPN anonymously (internet café, bitcoin, gift card, etc.), then the only (reasonable) way you could be identified is by correlating your anonymous account with an identifiable IP address (say your home).

            We MUST assume that any VPN either misstates their policy, has leaks, or can be compromised. If we trusted “no logs” than there is not much need for any of these extra steps. Also, if we did all our communication through truly anonymous access points, likewise, hiding our originating IP from our VPN would be unnecessary.

            So, my assumption is that we need to assume that logs can be can somehow be obtained, and that I desire my IP to be hidden from my VPN in case the IP I’m using is not private.

            Let’s continue the example of AirVPN as you suggest:

            I “think” when you say, “you do not login to your VPN until after your data has been routed through the Tor network”, you are speaking to the data that I send out. The “data” goes through TOR before it reaches the VPN. But, in order to do all this, I need to start Eddie and make a connection to AirVPN (before I send any of my own data out). At that point (when I first start Eddie), I believe they MUST know my “real” IP.

            Now, granted, any data sent after that goes through TOR first before connecting with AirVPN. And AirVPN will NOT see the IP that it came from. However, (again assuming AirVPN is compromised), they DO know my “real” IP from the initial startup/login with Eddie. And they DO know which account sent that data that came from TOR (or they wouldn’t accept it). So, with these two pieces of information, it seems to be they could easily correlate which IP that TOR traffic likely originated from.

            If I am correct and there are no flaws in my logic, the extra layer of protection (AirVPN not being able to see your original IP in the TOR traffic), is of little consequence if AirVPN is compromised (and if they AREN’T compromised, it wouldn’t make any difference if they DID see my origin IP).

          4. Hi Leon,

            – I have passed the issue onto our technical team. I’m told there is a limit to 5 replies per thread, and that there is no quick fix for this. They are looking into solutions, but for now its just a case of starting a new thread…

            – No problem! In fact, these questions also help to improve my understanding of the subject!

            – Every VPN service can monitor what happens on its system in real time. It is how computers and VPN technology works. And I don’t think that any VPN company out there will dispute that it uses this real-time data to analyze usage, troubleshoot problems, and deal with abuse. If a provider does not save or store this information so that it cannot be retrieved at a later point, however, I think it can accurately say that it keeps no logs. But although a no logs VPN will not usually record (log) this real-time data, but it can do so at any time. And if coerced in some way (by legal or other means), it will do so. Using VPN through Tor means that the VPN knows nothing about is customer, even should it start to log.

            – It is my understanding that this is not the case. Eddie does not make a connection to AirVPN / login to the AirvPN server before you send any of your own data out. Eddie will encrypt your data using OpenVPN, but it does not connect to an AirVPN server except through the Tor network. The only IP AirVPN sees is that of the Tor exit node.

            – So no. Eddie does not login to AirVPN before establishing the Tor connection.

    1. Hi Marcheal,

      VPN through Tor is only offered by AirVPN and BolehVPN (or at least BolehVPN used to – I can’t find instructions on how to do this now, so have contacted support). For AirVPN (as per its instructions):

      – Download and launch Tor browser bundle
      – Set Tor as connection mode in AirVPN -> Preferences, press the Test button. If there is some problem, refer to the section Tor Control authentication below.

      Edit: BolehVPN’s instructions:

      Download and launch TOR browser bundle. Open BolehVPN client and go to Proxy Settings and enter in the following parameters:

      Proxy type: Socks
      Port: 9150

      Connect to BolehVPN with one of the TCP connection options. We are currently looking at expanding our server options that support TCP. Please note that TCP is slower than UDP. TOR does NOT support UDP at the moment.

  15. Hello!

    I just don’t understand one thing: in the VPN over Tor setup, the exit node, in order to use the VPN, has to have access to it through the user credentials. So, how is it accomplished?

  16. Hello there!

    First off, thank you, James, for the article. It was very helpful.

    I just didn’t understand some things:

    When you say (in TOR over VPN) :
    “Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer Tor through VPN via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from Tor through VPN.
    Please be aware, however, that this is nowhere near as secure as using the Tor browser, where Tor encryption is performed end-to-end from your desktop to the Tor servers . It is possible that with transparent proxies your VPN provider could intercept traffic before it is encrypted by the Tor servers.”

    You even highlights this at the end of the article:
    “It is also worth remembering that any VPN user can run Tor through VPN simply by running the Tor Browser after their VPN connection has been established (and this is more secure than using the transparent proxy method offered by NordVPN, Privatoria and TorVPN).”

    I don’t understand how could a VPN provider intercept traffic before it is encrypted by the Tor servers. Can you, please, explain it in more detail?

    Also, by reading here , the very first image shows the VPN over TOR works *only* when the app doesn’t use TOR directly (through SOCKS). What if I want to use, for example, the TOR browser bundle with that configuration (altough I can’t access .onion sites).

    About the latter sentence, what if I’d like to access .onion sites with a VPN over TOR connection? Can’t I add another “level” and make it a TOR over VPN over TOR connection? This way I can connect to .onion sites too while maintening the advantages of a VPN not knowing my real IP.

    1. Hi Michele,

      1. I think you mean Douglas :).

      2. With NordVPN, Privatoria and TorVPN (and anyone else using the same technique) you literally connect to their VPN servers before being connected to the Tor network. As is normal with a VPN, the server operator can see non-Tor encrypted traffic as it passes between the VPN server and your PC. In other words, it can intercept your traffic before and after it is encrypted by the Tor servers. This is not a problem if using the Tor Browser to achieve this configuration, as the Tor browser will encrypt/decrypt your data in the browser.

      3. The first image on that page refers to VPN through Tor. You connect first to the Tor network using the Tor Browser, and are then routed (via AirVPN’s client) to the AirVPN network. A SOCKS proxy is not used. I am a little confused by your question here, as the Tor Browser is an essential part of this configuration. You are correct that in this configuration you will not be able to access .onion sites.

      4. In theory this is possible. I am reviewing IVPN today, and so have temporarily uninstalled my AirVPN client. When I have finished the review I will re-install AirVPN, run some tests, and get back to you here.

      1. Reply to 3.:
        What I meant is that the image shows that if the “App use TOR directly” then no VPN is used and all the traffic is just routed through TOR. And TOR browser uses TOR directly, right? It’s configured to use SOCKS to connect to TOR directly (see here: ).

        P.S.: Thank you for the reply, though.
        Waiting for 4. to be replied. 🙂

        1. Hi Michele,

          3. Yes, the Tor browser connects directly to the Tor network via SOCKS5. But if you are running a VPN, then all your internet traffic gets tunnelled through the VPN first. Most good VPNs use firewalls to ensure that it is impossible for traffic to enter or exit your computer outside the VPN tunnel (i.e. via the VPN server). This is why using the Tor browser when a VPN running provides Tor through VPN.

          I think you are reading that first image incorrectly. It is not saying that that if you connect to Tor direct you do not use the VPN. It is showing the difference between just connecting to the internet via Tor, and connecting to the internet in using VPN through Tor configuration. As AirVPN explains,

          This connection mode works ONLY with AirVPN Client, because our software talks to Tor Control to detect and route correctly the guard(s) IP addresses.

          4. I just ran some tests. If you setup VPN through Tor as per AirVPN’s instructions, you can then surf the internet using the Tor browser in order to achieve:

          Your computer -> encrypt with VPN -> Tor -> VPN -> Tor -> internet

          In other words, yes. This adds an extra layer of Tor, and allows you to connect to .onion websites. I will add this information to this article.

          As reader Leon has kindly pointed out to me, AirVPN’s documentation clearly states that Your computer -> encrypt with VPN -> Tor -> VPN -> Tor -> internet configuration is not possible.

          1. Sorry for the late reply.

            3. Thank you. It turns out I was misreading that image.

            4. But if I surf the internet using the Tor browser, wouldn’t it just be: Your computer -> encrypt with VPN -> Tor -> VPN -> Internet?

          2. Hi Michele,

            Nope. If you surf the internet in VPN through Tor configuration using the Tor browser, then you get another layer of Tor at the end. You can easily test this by visiting in the Tor browser – the IP you see will be that of a Tor node, not the VPN provider (and you will be able to connect to .onion sites).

          3. Nevermind. I understood now. So, a big THANK YOU for everything, James! Oops, Douglas! (:

            I have just a very last doubt, altough I may go slightly off-topic here. I’ll try to ask it anyway. I have a doubt over how TOR works. I understood how it works when you send data to a website, but how does it work when you receive it back?

            you <- entry node <- relay node(s) <- exit node <- website

            The website sends the data to the exit node (as it is, encrypted if they are over an encrypted connection, unencrypted otherwise).
            Then the exit node has to send the data to the relay node. Since they didn't exchange keys previously, they can't use an encrypted connection, right? Or do they exchange keys now and then proceed to exchange data?
            The same goes for entry node <- relay node(s).
            Then here: you <- entry node , they have already exchanged keys previously, so the connection is encrypted. Right?

            Can you help me understand just this concept, please?

          4. Hi again Michele,

            Ah. Just been working my way through today’s comments, and have already answered your last question. It might be of use to another reader, anyway.

            When data from the internet reaches the Tor exit node, it is encrypted by the exit node. It is then re-encrypted with a new layer of encryption by each node it passes through. So only the exit node ever sees the unencrypted data before it is decrypted on your desktop by the Tor browser. As each node adds an extra layer of encryption, new keys are generated for each connection.

          5. Well, it’s always the last question! [-.-]”

            It’s just that doubts pop up in my mind. 🙂

            When using the VPN over Tor solution:
            “This connection mode works ONLY with AirVPN Client, because our software talks to Tor Control to detect and route correctly the guard(s) IP addresses.”

            Then I have to set up every app to use Tor (through SOCKS) because the AirVPN Client only detects the guards IP addresses. Right? The connection to IPs that are not guards addresses (for example connecting though a standard browser not set up to use Tor) will get dropped by the firewall set by the app. Is this correct?

          6. Hi Michele,

            In this mode the AirVPN software encrypts all your internet traffic using before sending it through the Tor network. The Tor client needs to be running for this in order for the AirVPN software to connect to the Tor network, but it is not necessary to actually use the Tor browser. So no, you do not need to set up every app to use Tor. As usual, the VPN client will encrypt all your internet traffic, but sends it through the Tor network before being directed into a VPN tunnel.

          7. You wrote: “So only the exit node ever sees the unencrypted data before it is decrypted on your desktop by the Tor browser.”

            But in order to accomplish that, the exit node needs to encrypt the message with various layers so that only the receiver (me) can read it, at the end.

            user <- entry node <- relay node <- exit node encrypted with VPN -> Tor -> VPN -> Tor -> website

            Then, I *do* need to set up Chrome to use Tor SOCKS. Right?

            As usual, thank you for your patience!

          8. Hi Michele,

            No. You do not need to setup your browser for Tor SOCKS. I think we are getting a bit confused about what we are talking about here. When I said “So only the exit node ever sees the unencrypted data before it is decrypted on your desktop by the Tor browser,” I thought you were referring to a normal Tor-only connection. If using VPN though Tor with an extra layer of Tor, then the last Tor layer is provided by using the Tor browser (which is already setup for Tor SOCKS). So…

            User -> encrypt with VPN -> Tor entry node -> Tor relay nodes > Tor exit node -> VPN tunnel> VPN server -> Tor browser (so Tor entry node -> Tor relay nodes > Tor exit node again) -> internet.

          9. Hi Michele,

            Here is the missing part of your comment:

            “As for the other part: “As usual, the VPN client will encrypt all your internet traffic, but sends it through the Tor network before being directed into a VPN tunnel.”

            Okay, I understood now. Just a slight detail: with this setting, if I use the Tor browser, the data is encrypted locally end-to-end.
            If I, instead, want to use another browser, let’s say Google Chrome, and use the configuration:

            Chrome -> encrypted with VPN -> Tor -> VPN -> Tor -> website

            Then, I *do* need to set up Chrome to use Tor SOCKS. Right?

            As usual, thank you for your patience!”

            – I suppose so, but fail to see why you might want to do this, as the Tor browser is much more secure than Chrome.

          10. Hi Michele,

            Ha ha. Don’t worry, I’m not running out of patience! :).

            “You wrote: “So only the exit node ever sees the unencrypted data before it is decrypted on your desktop by the Tor browser.”

            But in order to accomplish that, the exit node needs to encrypt the message with various layers so that only the receiver (me) can read it, at the end.

            user < - entry node <- relay node <- exit node <- website So the exit node has to: 1. Take the message as it's been received by the website 2. Encrypt it with the "user" key 3. Then encrypt it with the "entry node" key 4. Encrypt it all further with the "relay node" key 5. Send it to the relay node 6. The relay node decrypts it with its own key and sends it to the entry node 7. The entry node decrypt it with its own key and sends it to the user 8. The user finally decrypts it with its own key and has the original receiving message. This way only the exit node and the user can actually see the unencrypted message. But in order to accomplish the points 2.,3. and 4., the exit node has to know the addresses of the entry node and the user too, beyond that of the relay node. How does this works with privacy (with the fact that each node only knows the address of the next node to whom send the message)? " The answer is somewhat complex, but I think think this video explains it well.

          11. Hi Michele,

            But once a relay circuit is established between the Tor browser and the exit node (and from there, any website you visit), the data can flow both ways. As explained in that video, the connection is initiated by your browser, and no one node knows the full circuit.

        2. Thank you, Douglas! The point I was missing was that there are node-to-node TLS keys too. So when a website sends the reply back to the exit node, the exit node sends it to the middle node through their node-to-node key, the middle node sends it to the entry node encrypting it with their own node-to-node key and, finally, the entry node sends it back to the user, encrypting it with the user-entry-node TLS session key.

          Can you just confirm that’s right?

          1. Hi Michele,

            Um. I think each node sends its TLS key back direly to the Tor browser, which decrypts the data using those session keys. The actual data is passed from the exit node to the middle node to entry node. Each node knows where the Browser is becasue the Browser established a TLS connection which each of them when it setup the relay.

          2. Wait! 🙂 As I understood it, only the entry node has directly associated a TLS key with the Tor proxy. The middle(s) and the exit node did not. The middle node only sees data coming from the entry node and going into the exit node. It does not know who sent the data to entry node.

            So, I suppose, upon receiving, it goes like this:

            the exit node receives data, encrypts it with the TLS key (which it think it’s established with the middle node, but in reality it established it with the user. So the middle node can’t decrypt it since only the user has that TLS session key) and sends it to the middle node.

            The middle node encrypt it with its own TLS key and sends it to the entry node.

            The entry node encrypts it with its own TLS key and sends it to the user.

            The user then decrypts it with the entry, middle and exit nodes’ keys and it gets its reply.


          3. Hi Michele,

            Please see this diagram

            – You are correct about “The middle node only sees data coming from the entry node and going into the exit node. It does not know who sent the data to entry node.”

            – But each node re-encrypts the data using the public part of the private/public key pair generated by the Tor browser. This allows the Tor proxy to decrypt each session key using the private key. Each individual node does not need to know anything about the Tor proxy in order for it to encrypt data with the public key.

  17. Ok, help me understand. I connect my PC to my VPN, then I open the TOR browser. At that point:
    1. What can my local ISP see, that I am using a VPN, that I am using TOR, or both, or neither?
    2. What can my VPN provider see? My local IP address, that I am using TOR, or both, or neither?
    3. What can the exit node operator see? The content I am receiving/requesting/sending, but not my identity? or can they see my identity but not the content?

    1. Hi Jerry,

      1. Your ISP will see that you are connected to a VPN server. It will not see that you are also connected to Tor.
      2. Your VPN provider will know your real IP address and that you are connected to Tor. It cannot see your your internet traffic, though, because thi9s is encrypted by the Tor network inside the Tor Browser.
      3. The Tor exit node will see your internet traffic, but (unless you give it away in your traffic) has no way to trace it back to you. Note that this is no different from using Tor without a VPN, except that it adds another layer of protection (the VPN). A bigger difference is that the Tor entry node will not know you real IP address, as it sees the VPN provider’s IP instead.

      (Answer edited to correct an earlier mistake).

    1. Hi Reginaldo,

      When using VPN through Tor the VPN client encrypts your data before sending it to a Tor node. This great, as it means a malicious Tor exit node cannot snoop on your traffic (although your VPN could, if it wished to).

        1. Hi andrew,

          1. Only AirVPN and BolehVPN (that I know of) support VPN through Tor. Neither of these are free.

          2. Any VPN service can be used in Tor through VPN mode. Simply connect to the VPN, then open the Tor Browser. If you wish to access dark net markets then this is the only configuration that will work anyway (unless you VPN through Tor, and then also use the Tor browser for Tor -> VPN ->Tor).

          3. I am going to assume that you are just curious, and do not plan to do anything shady. I would certainly never trust a free VPN for anything if I were to do anything shady…

  18. In VPN through Tor that involves connecting first to Tor, and then through a VPN server to the internet, you say: Your computer -> encrypt with VPN -> Tor -> VPN -> internet

    I just did not understand what you mean by “encrypt with VPN”,
    Could you explain me, please?

    1. Hi Jeff,

      When using VPN through Tor the VPN client encrypts your data before sending it to a Tor node. This great, as it means a malicious Tor exit node cannot snoop on your traffic (although your VPN could, if it wished to).

  19. I have found out that RootVPN is one of the best to keep you anonymous. All VPN providers can look into your data, but with RootVPN you are the only one who can see the logs and also have the rights to remove those logs.

    I use them to have a VPN connection on my Android phone which after that connects to Tor. Works really well.

    1. Hi Alex,

      I am not familiar with Root VPN, but you should be aware that _any VPN provider can keep logs if it chooses to (or is forced to). Many providers’ business models, however, rely on not keeping logs. The fact that Root VPN keeps log that customers can access means that it keeps logs. This is very problematic. Please see 5 Best Logless VPNs for an in-depth discussion on this subject.

  20. Your paragraph, “Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer VPN through Tor via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from VPN through Tor.”

    Is in the “Tor Through VPN” section.

    Was this a mistake. This part of confusing, as it is talking about “VPN through Tor” in the “Tor though VPN” section.

    1. Hi Sam,

      Yes. This is a mistake. Sorry for the confusion, and thanks for flagging it up to me. You are correct, the paragraph (now corrected) should read,

      “Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer Tor through VPN via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from VPN through Tor.”

      1. Hi Douglas,

        Your corrected paragraph:

        “Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer Tor through VPN via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from VPN through Tor.”

        Is there another mistake? Because at the end of the paragraph, you were saying that these VPN services “benefit from VPN through Tor”.

        1. Hi Andy,

          Yes. Thanks. I obviously has a senior moment while writing that paragraph. My apologies for any confusion cased. It is now corrected.

  21. Hello Douglas!
    Great article! I had a few questions and would love if you could answer them.

    1) If using VPN through tor (airvpn for example) could you connect to .onion sites from regular browsers like safari or firefox? If not and the only way is tor browser, then the process is rendered useless because you can still be spied on by malicious exit nodes… so how can you effectively access tor using vpn through tor?

    2) could you sandwich tor? Like do a vm with vpn through tor and then on the host machine run another vpn under an ssl tunnel? This sounds like it would be the most secure configuration.

    3) on that note, unrelated to vpns and such, which OS would you consider most secure (encrypts data, data can be destroyed really fast, idk…)

    thanks a lot!


    1. Hi jj,

      1) No. You cannot connect to a .onion site using a regular browser via VPN through Tor. This configuration is really designed to accessing the regular internet securely.
      2) Yes. Or easier, connect VPN through Tor and then use the Tor browser (Your PC -> Tor -> VPN -> Tor -> internet or .onion site). This would be very slow, however.
      3) Please see my article on Linux distributions built for security and anonymity. Ed Snowden favors Tails. I have not used it myself, but I have heard good things about Kodachi.

  22. thanks for your information.

    I have a question, how much is the network speed affected? for example, i am using a conection of 100Mbps, and i am planning to use the tor -> vpn -> tor setup.

    how much will my speed downgrade? to 60Mbps?

    thanks for your time.

    1. Hi Maracas,

      So I just did some very quick tests using my 50 /3Mbs UK connection (using a powerline adapter):

      No VPN: 34.3/2.9 Mbs – a little slow (don’t know if this is the fault of my powerline adapter or ISP, but doesn’t matter as it’s the relative speeds that count).
      Connected to AirVPN (NL server): 22.8/2.7 Mbs
      Connected Tor -> AirVPN : 3.1/2.1 Mbs
      Connected Tor -> AirVPN -> Tor: 2.8 Mbs / 333 Kbps

      The Tor network is very slow.

  23. Hi guys

    Can you do the following……
    Connect to your VPN…..Then Tor and Then another VPN (One that accepts bitcoin payments)

    This will be slow but from my understanding you are completely encrypted the who way through and a complete Ghost.

    I guess you are never really fully invisible. To set up a bitcoin wallet you will most likely need a gmail account and a mobile phone number so there are always possibily ways of tracking you down but I here the VPN to TOR to VPN although very slow is a very good way to be 99.9999% an encrypted cyber ghost. Any opinions 🙂

  24. Hi Douglas

    I am actually using NordVPN but i am really confused about the use of Tor over VPN feature they offer …i did talk to live chat support and the guy told me that if i am connected to the Tor over VPN server i cannot use the Tor browser (have a screenshot of the chat)…
    This is confusing cause when i did buy the license the support told me that first i need to connect to the VPN and then to Tor,then was viceverse …i dont know to who i should believe …
    or change to another VPN provider …
    Did try to contact to the Tor project but cannot see any e-mail address for contact them.

    Thanks and have a nice day !!!

    1. Hi Andreas,

      It does sound like NordVPN’s support staff is rather confused. Please not that I do not currently have a NordVPN subscription with which to test the setup. It is not very well explained, but in the comments of its Tor over VPN webpage, however, Admin explains that,

      “Please download this config file if you are using Mac, Linux or Windows old software: If you are using our latest Windows software please accept the update and then you will see the “Tor over VPN” in the server list.”

      It therefore seems that you need to use generic the OpenVPN client, rather than NordVPN’sd custom software. I see no reason why you cannot also use the Tor Browser. This will mean, however, that you traffic passes through the Tor network twice, so will have big impact on your speed.

      As I discuss in the article above, it is worth noting that connecting to the VPN then using the Tor Browser is more secure than using NordVPNs Tor over VPN setup.

      If you still want help from Tor, this page outlines Tor support options.

  25. I was curious about the exit nodes. I use PIA for my VPN. Using VPN –>Tor , and my VPN settings include Data Encryption -AES-256, Data Authentication-SHA-256, Handshake RSA-4096 do I still have to worry ” as much ” about “unencrypted” exit nodes? I still realize if the NSA wanted to know they would, but in general?

    1. Hi Jericho,

      Your traffic will only be encrypted by the VPN while traveling between your computer and the VPN server. When leaving the VPN server to enter the Tor network it will be decrypted by the VPN server before being encrypted by Tor. Using VPN –>Tor does not provide any additional protection when using Tor except hiding from your ISP that you are using Tor, hiding your true IP address from the entry node, and providing an extra barrier for an attacker to overcome when tracking you.

  26. Hi Douglas,

    I’m using Tor through VPN for a while, and I need some help. I want to prevent traffic analysis, but I’m not sure how to do it properly. I need a simple but proper way. In my example I visit a website (can’t visit it from a public wi-fi, only from home through my ISP), I click on some links or images, etc… Let’s assume that someone is watching that server, and they can check the exact times of the clicks from the server logs or from the database entries. And later they can compare it with the logs from my ISP. So they won’t see the exact traffic, only encrypted stuff, but the will see that I had outgoing traffic or request exactly when something happened on the website. So sooner or later they’re gonna have enough traffic analyzed to be sure that I was doing those clicks. My question is: is there any way to generate some non-Tor traffic through the VPN which can help to obfuscate things and can prevent from end-to-end timing analysis while I’m using that website? For example some online games which sends end receives traffic constantly? Or anything better? What would you recommend? Thanks for your help!

    1. Hi Mandre,

      As I am sure you are aware, you are describing a classic end-to-end timing attack. I really hope that you are not doing anything very illegal. In theory, anyone watching a website will be unable to trace you back to your ISP, because not only is your connection protected by a VPN, but it is randomly routed through at least 3 Tor nodes. Even if you were traced back to the VPN provider (unlikely by anyone except perhaps a global adversary), almost all VPNs use shared IPs. This makes traffic analysis very hard (but not completely impossible).

      The simplest way to generate both Tor and non-Tor traffic when using your VPN is to connect to the VPN service, and then run the Tor browser inside a Virtual Machine. If you also visit websites using your regular browser (outside the VM), then you will generate non-Tor VPN traffic in addition to the Tor traffic generated when using the Tor browser in side the VM.

  27. for connection VPN through TOR. could you comment whether Express VPN will works with this set up…?

    I know express VPN connection is fast when it run as stand alone. but when express VPN connection through TOR …. would it stay fast that way or at least better than AirVPN or BolehVPN…?

    1. Hi zery,

      ExpressVPN does not support VPN though Tor – only AirVPN and BolehVPN do (that I know of). You can use Tor through VPN with any VPN provider (including ExpressVPN) by connecting to the VPN, then using the Tor browser. Whichever setup you use, the (slow) speed of the Tor network will be a much bigger factor than that of your VPN provider.

    1. Hi sabé,

      Any VPN can be used for Tor through VPN simply by starting the VPN then using the Tor Browser. As discussed in the article, this is more secure than using a VPN that offers VPN through Tor via an OpenVPN configuration file. So if you want to try both configurations, you are pretty much limited to AirVPN and BolehVPN. Please see here, for example, for AirVPN’s take on both configurations.

  28. The introduction notes that Tor is not suitable for P2P. Is there any combination of Tor, VPN and other browser which is suitable for P2P but still enables anonymous surfing and downloading?

    1. Hi Alex,

      Tor is never suitable for P2P because not only is it very slow, but:

      – Using P2P slows down the network for all other Tor users (many of whom rely on Tor for reasons related to human rights, and whose internet connection is very basic in the first place!)
      – Volunteers who run Tor exit nodes can be held accountable for copyright abuses traced to their IP addresses.

      It is therefore considered extremely bad form to torrent using Tor (a point that probably also applies to attempts to stream content). Simply using a P2P-friendly VPN service normally provides more than sufficient privacy while downloading and surfing the web, and is what I recommend. If you really need true anonymity while downloading, the I2P anonymity network is what you are looking for.

  29. Is this Swedish VPN service use of VPN trough TOR via the use of an OpenVPN configuration file as it seems to me or is it as AirVPN and BolehVPN type of implementation?

  30. Thank you for the article.

    Are there other sequences of connections which could help with privacy or anonymity? For instance, is it advantageous and possible to connect through VPN > TOR > VPN ? If so there seems to be a myriad of potential sequences at a user’s disposal.

    Is there an estimate of the number of TOR nodes? Correct me if I’m wrong, but a malicious organization which wanted to monitor traffic would need to create/control a certain number of nodes to increase their probability of being the exit node. It’s just a matter of statistics right?

    1. Hi Learning,

      1). Yes, other configurations are possible, although these come with ever increasing trade-offs with usability. It is very easy, for example, to connect Tor -> VPN, then use the Tor browser to acees the internet (Tor -> VPN -> Tor).
      2. Well – simply controlling an exit node is of limited as data is encrypted between each node, and as all data passes between at least 3 random nodes so decrypting and tracing the data is all but impossible. However, it is theoretically possible that a powerful enough entity (such as the NSA) could control enough Tor nodes to perform a successful end-to-end timing attack. This would be a monumental and highly specific undertaking, though.

  31. VPN > Tor is the most secure and standard practice of this. The tried and tested method of everyone on the tor network. If you want to get around TOR exit node blocks or temporarily hide the fact your using TOR from websites is to go VPN>TOR>Proxy and a lot of people do that as well and it’s easy to mod in the config file. Best method just pick a nice proxy that switches around IPs a lot or passes you out of different points in a chain and used by lots of different people to help obscure you even more. Just use it only when needed. VPN>TOR most of the time FTW.

    Also the harvard idiot got caught because he had to log into account under his name on their wifi and the US is overbearing and follows no laws like a idiot.

  32. Contradictory statements:

    “So which is better?

    VPN through Tor is usually considered more secure because (if the correct precautions are taken) it allows true anonymity – not even your VPN provider knows who you are. It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes.”


    “VPN through Tor provides no protection against malicious exit nodes and is still subject to censorship measures that target Tor users, but does mean that your VPN provider cannot see your internet traffic content…”

    Contradict each other.

    1. Hi Sajah,

      Good catch – thanks! I obviously suffered a moment of confusion. As the context should clearly show, I meant to write “Tor through VPN in the second instance. I have now corrected this.

  33. How exactly do you set up the VPN through Tor method? Would you mind linking to a tutorial or a place to start? I don’t want to go about this the wrong way. Thank you!

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
Exclusive Offer
Get NordVPN for only
Exclusive Offer
Get NordVPN for only