How to Use a VPN and Tor together

Although in many ways very different, both VPN and the Tor anonymity network use encrypted proxy connections in order to hide users’ identities they can be used together. Using a VPN and Tor can together provides an extra layer of security and to mitigate some drawbacks of using either technology exclusively. In this guide we show you how to use both Tor and a VPN together.

 

If you are new to Tor browser or maybe you want more information about it, then take a look at the guides listed below:

  • What VPN to use? - if you don't already have a VPN service and you aren't sure where to start, check out our Tor VPN article for a list of recommendations and some helpful tips on using them together.
  • What is better? - if you are looking to see what software is better and the pros and cons of using each service, then check out our Tor vs VPN guide for more information about this.
  • Everything about Tor Browser - if you want details on how Tor works, how to install it, how to use it (without a VPN), and more, take a look at our ultimate Tor browser guide.

 

Tor through VPN

In this configuration you connect first to your VPN server, and then to the Tor network before accessing the internet:

Your computer -> VPN -> Tor -> internet

Although some of the providers listed above offer to make such a setup easy, this is also  what happens when you use the Tor Browser or Whonix (for maximum security) while connected to a VPN server, and means that your apparent IP on the internet is that of the Tor exit node.

Pros:

  • Your ISP will not know that you are using Tor (although it can know that you are using a VPN)
  • The Tor entry node will not see your true IP address, but the IP address of the VPN server. If you use a good no-logs provider this can provide a meaningful additional layer of security
  • Allows access to Tor hidden services (.onion websites).

Cons:

  • Your VPN provider knows your real IP address
  • No protection from malicious Tor exit nodes. Non-HTTPS traffic entering and leaving Tor exit nodes is unencrypted and could be monitored
  • Tor exit nodes are often blocked
  • We should note that using a Tor bridge such as Obfsproxy can also be effective at hiding Tor use from your ISP (although a determined ISP could in theory use deep packet inspection to detect Tor traffic).

Important note: Some VPN services (such as NordVPN, Privatoria and TorVPN) offer Tor through VPN via an OpenVPN configuration file (which transparently routes your data from OpenVPN to the Tor network). This means that your entire internet connection benefits from Tor through VPN.

Please be aware, however, that this is nowhere near as secure as using the Tor browser, where Tor encryption is performed end-to-end from your desktop to the Tor servers.  It is possible that with transparent proxies your VPN provider could intercept traffic before it is encrypted by the Tor servers. The Tor Browser has also been hardened against various threats in a way that your usual browser almost certainly has not been.


VPN and Tor

For maximum security when using Tor through VPN you should always use the Tor browser

VPN through Tor

This involves connecting first to Tor, and then through a VPN server to the internet:

Your computer -> encrypt with VPN -> Tor -> VPN -> internet

This setup requires you to configure your VPN client to work with Tor, and the only VPN providers we know of to support this are AirVPN and BolehVPN . Your apparent IP on the internet is that of the VPN server.

Pros

  • Because you connect to the VPN server through Tor, the VPN provider cannot ‘see’ your real IP address – only that of the Tor exit node. When combined with an anonymous payment method (such as properly mixed Bitcoins) made anonymously over Tor, this means the VPN provider has no way of identifying you, even if it did keep logs
  • Protection from malicious Tor exit nodes, as data is encrypted by the VPN client before entering (and exiting) the Tor network (although the data is encrypted, your ISP will be able to see that it is heading towards a Tor node)
  • Bypasses any blocks on Tor exit nodes
  • Allows you to choose server location (great for geo-spoofing)
  • All internet traffic is routed through Tor (even by programs that do not usually support it).

Cons

  • Your VPN provider can see your internet traffic (but has no way to connect it to you)
  • Slightly more vulnerable to global end-to-end timing attack as a fixed point in the chain exists (the VPN provider).

This configuration is usually regarded as more secure since it allows you to maintain complete (and true) anonymity.

Remember that to maintain anonymity it is vital to always connect to the VPN through Tor (if using AirVPN or BolehVPN this is performed automatically once the client has been correctly configured). The same holds true when making payments or logging into a web-based user account.

Malicious Exit Nodes

When using Tor, the last exit node in the chain between your computer and open internet is called an exit node. Traffic to or from the open internet (Bob in the diagram below) exits and enters this node unencrypted. Unless some additional form of encryption is used (such as HTTPS), this means that anyone running the exit node can spy on users’ internet traffic.


Tor-onion-network exit node

This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.

Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites.

SSL connections are encrypted, so if you connect to an SSL secured website (https://) your data will be secure, even it passes through a malicious exit node.

bestvpn https

End-to-end Timing Attacks

This is a technique used to de-anonymize VPN and Tor users by correlating the time they were connected, to the timing of otherwise anonymous behavior on the internet.

An incident where a Harvard bomb-threat idiot got caught while using Tor is a great example of this form of de-anonymization attack in action, but it is worth noting that the culprit was only caught because he connected to Tor through the Harvard campus WiFi network.

On a global scale, pulling off a successful e2e attack against a Tor user would be a monumental undertaking, but possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world public Tor exit nodes.

If such an attack (or other de-anonymization tactic) is made against you while using Tor, then using VPN as well will provide an additional layer of security.

So which is better?

VPN through Tor is usually considered more secure because (if the correct precautions are taken) it allows true anonymity - not even your VPN provider knows who you are. It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes.

You should be aware, however, that if an adversary can compromise your VPN provider, then it controls one end of the Tor chain. Over time, this may allow the adversary to pull off an end-to-end timing or other de-anonymization attack. Any such attack would be very hard to perform, and if the provider keeps logs it cannot be performed retrospectively, but this is a point the Edward Snowden’s of the world should consider.

Tor through VPN means that your VPN provider knows who you are, although as with VPN through Tor, using a trustworthy provider who keeps no logs will provide a great deal of retrospective protection.

Tor through VPN provides no protection against malicious exit nodes and is still subject to censorship measures that target Tor users, but does mean that your VPN provider cannot see your internet traffic content…

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

144 Comments

  1. Look...

    on October 12, 2019
    Reply

    Look, the solution seems simple in theory, but most vpn providers make it difficult in practice. What you need is to connect online through 1 VPN then start up Tor browser, and then use a DIFFERENT VPN at the other end. The VPN at the other end needs to be a web VPN that you connect to through the tor browser to make sure theres no way it has a sneaky way of knowing your real ip which it could do as soon as you install it SURELY?! So how it that in any way trustworthy?!!! Most VPN providers seem too stupid to realise the neccessity of a web vpn at the other end though and make you install stupid software. It is no good installing 2 VPNS and having them run at the same time as they will probably conflict with each other and could undermine the whole process! I don't see how using the proposed method here of VPN through Tor will stop the VPN potentially knowing who you are as it is involved at both the beginning and end of the process so how do you know if you have their non open source software installed that it doesn't have a log of your ip address at the beginning and at the end?! This just seems stupid and is not even a simple example of what I would think of VPN through Tor to be as an extra layer of complication has been added in this article which has confused things. To keep it simple it should be... 1 - Tor through VPN = VPN>Tor>Internet 2 - VPN through Tor = Tor>VPN> Internet What I propose is a 3rd alternative. The only trustworthy 1 as I can see. VPN1>Tor>VPN2>Internet This article however sort of suggests number 2 is number 3 without actually labelling it as such and by using the same vpn at both ends (security risk) - And then not properly explaining why they have added the VPN to the beginning as well. Can someone please tell me I'm right here cos this is driving me mad that nothing I else I read seems to realise that my way is the way it needs to be which means theres little infratstructure to allow it unless i'm missing a brilliant web vpn out there that is trustworthy and has a good reputation (and free ideally) - Express VPN seems to offer a firefox browser extension which I guess could be installed in firefox but again how do you know it isn't accessing info it shouldn't or is gonna connect in the wrong order or is gonna conflict with the other vpn, or knows info it shouldn't know (maybe cos it doesn't even realise it shouldn't know it!) - There are none of these concerns with a web vpn as all it knows is what any other website knows about you when you connect through Tor! - Next to nothing!

    1. Douglas Crawford replied to Look...

      on October 16, 2019
      Reply

      Hi Look... I'm not quite sure where to start here. By "web VPN" I take it you mean a browser proxy? Please understand that "web VPN" server can still see your real IP, just like any real VPN server can. You can connect Tor through VPN simply by connecting to any VPN service, then accessing the internet using Tor Browser. The VPN will know who you are, but it can't see what you get up to because that is protected by Tor Browser. The added VPN at the beginning is because for this to work you need to tunnel all traffic through the VPN tunnel in the first place (that's how real VPNs work). This prevents the entry node from knowing your real IP and makes it hard to trace internet activity back up the line to you real IP address. Instead it can only be traced back to your VPN provider. How useful this depends on how trustworthy your VPN povider is.

  2. Pete

    on September 17, 2019
    Reply

    I am a novice in tech and long and frequent visits to Russia have made me wary of tracking and eavesdropping. I just bought 12 months of nordvpn service and then downloaded TOR (on Android device). The TOR browser is struggling to set itself up.... I have colleagues who can help me get it configured later. I found your article very helpful and wanted to comment to express my gratitude. I will reread it after some coffee and nicotine 😲.... so I don't miss any important points +1 to you Sir. Great article.

  3. hola

    on June 19, 2019
    Reply

    strange i am using tor browser now, but i cannot comment here and this happens a lot around the net i also get messages saying that there has been suspicious activity on my ip then when i use tor browser and more

    1. Douglas Crawford replied to hola

      on June 21, 2019
      Reply

      Hola, hola (sorry, I couldn't resist!). The problem is that some people use Tor to hide their IP address while performing abusive behavior, and then, unsurprisingly, that IP gets banned because if it. I'll just note that your message did arrive - it's just that we moderate all comments before they are published on this site. Which I think is what happened here. We certainly don't mean to block Tor users, and if that is actually happening then I'll flag with our devs so it can get fixed.

  4. Asal

    on April 17, 2019
    Reply

    Hello Douglas I live under an anti-humanitarian regime in Iran. I am launching a website on a web service outside of Iran When I want to buy a foreign web designer from Iran. The answer is because your country is under sanctions.(they recognize my IP address) You can not manage it in Iran. In Iran, due to insecurity, I can not buy a local web host. To manage the website on the Web service outside of Iran What are you suggesting Composition,VPN and Tor. To keep secret from the Iranian government and web server thank you

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives: