How to Use a VPN and Tor together

Although in many ways very different, both VPN and the Tor anonymity network use encrypted proxy connections in order to hide users’ identities (VPN is useful for much more than this, but privacy is a core feature of the technology).

We also have an expanded version of this article which examines some VPN providers that offer Tor functionality as part of their service.

  • VPN is faster than Tor, and is suitable for P2P downloading. The major downside (and the reason VPN is said to provide privacy rather than anonymity) is that it requires you to trust your VPN provider. This is because, should it wish to (or be compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.
  • Tor is much slower, is often blocked by websites, and is not suitable for P2P, but it does not require that you trust anybody, and is therefore much more truly anonymous.

The cool thing is that VPN and Tor can be used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside is that doing so combines the speed hit of both technologies, making connecting in this way secure… but slow.

It is also important to understand the difference between connecting to Tor through VPN and connecting to VPN through Tor…

Tor through VPN

In this configuration you connect first to your VPN server, and then to the Tor network before accessing the internet:

Your computer -> VPN -> Tor -> internet

Although some of the providers listed above offer to make such a setup easy, this is also what happens when you use the Tor Browser or Whonix (for maximum security) while connected to a VPN server. It means that your apparent IP on the internet is that of the Tor exit node.

Pros:

  • Your ISP will not know that you are using Tor (although it can know that you are using a VPN)
  • The Tor entry node will not see your true IP address, but the IP address of the VPN server. If you use a good no-logs provider this can provide a meaningful additional layer of security
  • Allows access to Tor hidden services (.onion websites).

Cons:

  • Your VPN provider knows your real IP address
  • No protection from malicious Tor exit nodes. Non-HTTPS traffic entering and leaving Tor exit nodes is unencrypted and could be monitored
  • Tor exit nodes are often blocked

We should note that using a Tor bridge such as Obfsproxy can also be effective at hiding Tor use from your ISP (although a determined ISP could in theory use deep packet inspection to detect Tor traffic).

Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer Tor through VPN via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from Tor through VPN.

Please be aware, however, that this is nowhere near as secure as using the Tor Browser, where Tor encryption is performed end-to-end from your desktop to the Tor servers. It is possible that with transparent proxies your VPN provider could intercept traffic before it is encrypted by the Tor servers. The Tor Browser has also been hardened against various threats in a way that your usual browser almost certainly has not been.

For maximum security when using Tor through VPN you should always use the Tor Browser.

VPN through Tor

This involves connecting first to Tor, and then through a VPN server to the internet:

Your computer -> encrypt with VPN -> Tor -> VPN -> internet

This setup requires you to configure your VPN client to work with Tor, and the only VPN providers we know of to support this are AirVPN and BolehVPN. Your apparent IP on the internet is that of the VPN server.

Pros:

  • Because you connect to the VPN server through Tor, the VPN provider cannot ‘see’ your real IP address – only that of the Tor exit node. When combined with an anonymous payment method (such as properly mixed Bitcoins) made anonymously over Tor, this means the VPN provider has no way of identifying you, even if it did keep logs
  • Protection from malicious Tor exit nodes, as data is encrypted by the VPN client before entering (and exiting) the Tor network (although the data is encrypted, your ISP will be able to see that it is heading towards a Tor node)
  • Bypasses any blocks on Tor exit nodes
  • Allows you to choose server location (great for geo-spoofing)
  • All internet traffic is routed through Tor (even by programs that do not usually support it).

Cons:

  • Your VPN provider can see your internet traffic (but has no way to connect it to you)
  • Slightly more vulnerable to a global end-to-end timing attack, as a fixed point in the chain exists (the VPN provider).

This configuration is usually regarded as more secure since it allows you to maintain complete (and true) anonymity.

Remember that to maintain anonymity it is vital to always connect to the VPN through Tor (if using AirVPN or BolehVPN this is performed automatically once the client has been correctly configured). The same holds true when making payments or logging into a web-based user account.

Malicious Exit Nodes

When using Tor, the last node in the chain between your computer and the open internet is called an exit node. Traffic to or from the open internet (Bob in the diagram below) exits and enters this node unencrypted. Unless some additional form of encryption is used (such as HTTPS), this means that anyone running the exit node can spy on users’ internet traffic.

[Diagram: the Tor onion network and its exit node]

This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.

Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites.

SSL connections are encrypted, so if you connect to an SSL secured website (https://) your data will be secure, even if it passes through a malicious exit node.

End-to-end Timing Attacks

This is a technique used to de-anonymize VPN and Tor users by correlating the time they were connected with the timing of otherwise anonymous behavior on the internet.

An incident where a Harvard bomb-threat idiot got caught while using Tor is a great example of this form of de-anonymization attack in action, but it is worth noting that the culprit was only caught because he connected to Tor through the Harvard campus WiFi network.

On a global scale, pulling off a successful e2e attack against a Tor user would be a monumental undertaking, but possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world's public Tor exit nodes.

If such an attack (or other de-anonymization tactic) is made against you while using Tor, then using VPN as well will provide an additional layer of security.

So which is better?

VPN through Tor is usually considered more secure because (if the correct precautions are taken) it allows true anonymity - not even your VPN provider knows who you are. It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes.

You should be aware, however, that if an adversary can compromise your VPN provider, then it controls one end of the Tor chain. Over time, this may allow the adversary to pull off an end-to-end timing or other de-anonymization attack. Any such attack would be very hard to perform, and if the provider keeps logs it cannot be performed retrospectively, but this is a point the Edward Snowdens of the world should consider.

Tor through VPN means that your VPN provider knows who you are, although as with VPN through Tor, using a trustworthy provider who keeps no logs will provide a great deal of retrospective protection.

Tor through VPN provides no protection against malicious exit nodes and is still subject to censorship measures that target Tor users, but does mean that your VPN provider cannot see your internet traffic content…
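The trade-offs above can be checked with a small model of who sees what in each chain. This is an added illustration in Python, not code from the article or from any VPN provider; the hop names, the tunnel representation and the `visibility` and `can_link_you_to_traffic` functions are assumptions made for the example, and the model deliberately ignores timing correlation.

```python
# Added illustration: a toy model of who can see what, not a network tool.
# Hop names and the tunnel representation are assumptions made for this example;
# it ignores timing correlation and other traffic-analysis attacks.
TOR = ["guard", "middle", "exit"]

# setup -> (hops after "you", tunnels as (hop that encrypts, hop that decrypts))
SETUPS = {
    "tor_through_vpn": (["vpn"] + TOR, [("you", "vpn"), ("you", "exit")]),
    # Transparent proxy: the provider's server, not your desktop, starts Tor.
    "tor_through_vpn_transparent": (["vpn"] + TOR, [("you", "vpn"), ("vpn", "exit")]),
    "vpn_through_tor": (TOR + ["vpn"], [("you", "exit"), ("you", "vpn")]),
}


def visibility(setup, https=False):
    """Return {observer: facts} for each hop, the ISP and the website."""
    hops, tunnels = SETUPS[setup]
    path = ["you"] + hops
    view = {}
    for i, hop in enumerate(path):
        if i == 0:
            continue
        # A hop strictly between a tunnel's two ends only relays ciphertext.
        inside = any(path.index(s) < i < path.index(e) for s, e in tunnels)
        view[hop] = {
            "sees_real_ip": i == 1,  # only the first hop talks to you directly
            "sees_destination": not inside,
            "sees_plaintext": not inside and not https,
        }
    view["isp"] = {"knows_tor_use": hops[0] in TOR}
    view["website"] = {"apparent_ip_of": hops[-1]}
    return view


def can_link_you_to_traffic(setup):
    """Hops that see both your real IP and where your traffic is going."""
    view = visibility(setup)
    return [h for h in SETUPS[setup][0]
            if view[h]["sees_real_ip"] and view[h]["sees_destination"]]


if __name__ == "__main__":
    for name in SETUPS:
        print(name, "->", can_link_you_to_traffic(name) or "no single hop")
        for observer, facts in visibility(name).items():
            print("   ", observer, facts)
```

Only the transparent-proxy variant leaves one party (the VPN server) holding both your real IP and your destination, which is the reason the article prefers the Tor Browser for Tor through VPN.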

VPN and Tor Conclusion

Whichever configuration you choose, combining VPN and Tor will improve your privacy and security, and goes some way towards addressing the weaknesses of using either technology as a stand-alone solution.

I do, however, encourage any user who requires a very high level of security to carefully weigh up the pros and cons of each setup in relation to their particular needs. Under most circumstances, for example, using VPN through Tor provides almost perfect anonymity, but the fact that the VPN acts as a fixed end-point for Tor does mean that under some circumstances such a setup could potentially become a liability.

It is also worth remembering that any VPN user can run Tor through VPN simply by running the Tor Browser after their VPN connection has been established (and this is more secure than using the transparent proxy method offered by NordVPN, Privatoria and TorVPN).

Written by: Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

134 Comments

  1. Alex
    on August 23, 2018

    Hello, I have NordVPN installed on my PC. How can I set up NordVPN to configure the VPN client to work with Tor?

    1. Douglas Crawford replied to Alex
      on August 23, 2018

      Hi Alex, Simply choose one of NordVPN's special Tor connections from the server list in the client (Countries -> Specialty Servers -> Onion Over VPN), or start the VPN as normal and then surf the internet using Tor Browser.

  2. Anon
    on July 12, 2018

    I have AirVPN and wish/need maximum privacy/security. Your article states that "VPN through Tor is usually considered more secure" and in my case I believe this will best suit my needs. I am a bit confused, but I think "VPN through Tor" means that I must operate in accordance with the following sequence: 1. First connect to AirVPN. 2. Then start Tor Browser. 3. Then communicate as required. 4. Then close out Tor Browser. 5. Then close out AirVPN. Is that correct? Thanks in advance (for clarifying).

    1. Douglas Crawford replied to Anon
      on July 13, 2018

      Hi Anon, No. You enable AirVPN's VPN through Tor feature (Tor -> VPN) in its client. According to AirVPN's own documentation: This connection mode works ONLY with AirVPN Client, because our software talks to Tor Control to detect and route correctly the guard(s) IP addresses. Otherwise an infinite connection loop occurs because communication between Tor and the guard node (the first node of each circuit) will fall back to the VPN (causing errors like Inactivity timeout, recv_socks_reply: TCP port read timeout expired: Operation now in progress, Assertion failed at misc.c:785). Warning: not compatible with Network Lock at the moment. -Download and launch Tor browser bundle - Set Tor as connection mode in AirVPN -> Preferences, press the Test button. If there is some problem, refer to the section Tor Control authentication below.

  3. Abdullah
    on July 2, 2018

    This is such a useful article. Thank you for your effort. I have a few questions. I'm planning to use Tails in a virtual machine. Yes, I do know the risk of data recovery or malware. My system is OK; I know how to utilize it. But first of all I don't want to be flagged by the local ISP/government. So my question is: if I use a VPN on my host machine, will the VPN know everything about where I'm going? If I use HTTPS Everywhere in the browser and if I'm careful enough about my fingerprint on social media in Tor, can I be traced somehow? The purpose of using Tor is to speak against oppression. I also need to know how much sites like Facebook/Twitter assist oppressive governments against leftists'/free thinkers' IDs. Do they give every data, or just the last IP? Thanks.

    1. Douglas Crawford replied to Abdullah
      on July 2, 2018

      Hi Abdullah, 1. Running Tails inside a VM with a VPN on the host machine creates a Tor through VPN setup with all your data encrypted by Tor browser before it enters the VPN tunnel. The VPN provider will see the IP of the Tor entry node, but cannot see your data or what you do on the internet after that. 2. I'm not sure how you can be "careful enough" about your fingerprint. Note that using browser add-ons such as HTTPS Everywhere is not recommended with Tor browser as they make it more unique and thus more susceptible to browser fingerprinting. Also remember that social media accounts are usually not very useful unless people know who you are. 3. Facebook and Twitter will probably assist US government requests for data, and may assist with foreign requests if they can be persuaded of the merits of the case. They are unlikely to assist with purely political requests but may help to catch terrorists and pedophiles if presented with sufficient evidence. Facebook and Twitter retain all your data.

  4. Dragan
    on April 25, 2018

    Hi Douglas, two days ago, on Twitter, I answered one TorProject customer that it is very usual to use a VPN with Tor (like this: ISP-VPN-TOR). The Tor Project then sent me a long answer on this theme, which I have enclosed here: https://twitter.com/torproject/status/985993499324563456?s=12 The Tor Project writes there that it is not so ideal to use a VPN with Tor, or only at one's own risk. What do you think about this comment?

    1. Douglas Crawford replied to Dragan
      on April 27, 2018

      Hi Dragan, There are pros and cons. It is true that in Tor through VPN you place trust in the VPN provider, but this is always true with VPNs. On the other hand, a good VPN puts another layer between you and an adversary.
