When it comes to protecting your privacy online, VPNs are the most commonly-used weapon. According to an August 27, 2018 report by GO-Globe.com nearly 25% of Internet users had used a VPN at least once in the preceding 30 days. Given Statista.com’s count of almost 4 billion Internet users in 2018, we’re talking about over 400 million people using VPNs.
In 2020, more people than ever are using the internet, and with the nasty COVID-19 forcing many to work from home, a VPN is an important tool in your privacy-protection arsenal.
But VPNs aren’t the only weapon regular people are using in this fight. Tor, the anonymity network originally developed by the United States Naval Research Lab, has a big audience too. Exact numbers are difficult to come by (it is an anonymous network after all), but the Tor Project’s Tor Metrics page consistently shows around 2 million users per day.
Tor and VPNs have complementary strengths and weaknesses. Privacy advocates have long considered and disagreed about, the benefits of using Tor and a VPN together.
In this article, we’ll take a quick look at how Tor and VPNs work. We’ll also take a quick look at the controversy over using the two together and exactly how that should be done. And we’ll wrap it up with a guide to installing and using our recommended configuration.
- Step 1: Get a recommended VPN:
- Step 2: Launch your VPN
- Step 3: Download and install Tor Browser:
- Step 4: Run Tor over VPN for ultimate privacy
What is Tor?
Tor, which stands for “The Onion Router,” is a free and open source network designed to provide anonymity for its users. Data passes between your computer and the Internet through a series of thousands of volunteer-run Relays (servers) that hide the user’s identity and location from anyone monitoring Internet traffic.
Tor protects its user’s privacy, but some websites block connections from any Relays known to be part of the Tor network. Governments and other global adversaries may be able to monitor the known entrances (Guard Relays) and exits (Exit Relays) of the Tor network to attempt to de-anonymize users.
What is a VPN?
A VPN (Virtual Private Network) is a service that provides an encrypted connection from your computer to servers in the VPN network. The VPN server then connects to the target website and relays data between your computer and the target. As far as the target site can tell, it is communicating with the VPN server and not with your computer.
Because many VPNs have servers located in dozens of countries throughout the world, you can use a VPN to appear to be located in another country, and access sites that are not available in your actual location.
Similar to Tor, there are sites that block VPN access.
Understanding the Different Strengths and Weaknesses of Tor and VPNs
While both Tor and VPNs help to protect your privacy online, the differences in the way they function give them different strengths and weaknesses. Understanding these differences will help when we get to the discussion of whether and how to use Tor and a VPN together.
Let’s start by looking at Tor’s strengths and weaknesses.
Tor’s Strengths and Weaknesses
Tor is good at providing anonymity without the need to trust anyone. No Relay in the network knows the complete path between your computer and the target website. This prevents individual Relays in the network from breaking your anonymity.
The biggest privacy weakness of Tor is that it is possible to monitor your computer and try to correlate the timing of traffic between your computer and Exit Relays. Statistical analysis could then possibly identify you.
Another weakness is that most Exit Relays are at known IP addresses. This allows websites to block access from those addresses.
A different kind of Tor weakness is that your ISP can see that you are using Tor. Governments and intelligence services likely consider the use of Tor to be suspicious.
Finally, because Tor requires multiple levels of encryption, and hops between at least three computers scattered around the world, it is slow. That is, browsing using Tor is much slower than connecting directly to the target website.
VPN’s Strengths and Weaknesses
VPNs are good at protecting your privacy without having a major impact on your browsing speed. The best ones use military-grade encryption while only reducing your browsing speed by 10% or less. They also incorporate a kill switch or other techniques to ensure that your data is not exposed if the VPN connection fails for some reason.
When you use a VPN, your ISP and anyone else snooping on your connection can see that you are connected to the VPN. But they can’t see the data passing through the VPN or what you are connected to. So you are safe from everyone, except your VPN provider.
The biggest weakness with a VPN is that the VPN provider can see where you go and what you do online. After all, it is their software that encrypts your connection and routes it to the destination. While a VPN can see this information if they wish, a good VPN will normally keep track of as little of this information as possible.
Exactly what information a VPN needs to log and how long it needs to keep it to function properly is an open question. But the best privacy-oriented VPNs will log as little information as possible for as short a time as practical.
In particular, they will keep no connection logs. Connection logs don’t include information on which sites you visit, but they still contain enough information that they can be used to identify you.
But any VPN has the potential to record this information and can be forced to do so by the authorities in the country where the VPN service is physically located.
As someone once put it, “no VPN provider is going to go to prison to protect a $20/month subscriber.”
You can minimize this risk but not eliminate it. VPNs are based in many different countries around the world. Using a VPN that is based in a country with strong privacy protections can reduce the risk that a VPN would be required to turn over logs with your data.
Why Would You Use Tor and a VPN Together?
As we just discussed, Tor and VPNs both have their own strengths and weaknesses. It seems that using them together might be a way to leverage their strengths and minimize their weaknesses. Even so, some influential privacy experts have argued against doing so.
We think it does make sense to use Tor and a VPN together, but it makes sense to spend a few minutes looking at the arguments for and against doing so. Then you can decide if you agree with our proposed solution or not.
Arguments against Using Tor and a VPN Together
One big argument against using Tor and a VPN together is that it slows you down. Browsing with a good VPN will likely be around 10% slower than not using a VPN. Browsing with Tor will be significantly slower than not using Tor. A VPN together with Tor will be slower yet.
The other drawbacks vary depending on how you set things up. You can take the Tor over VPN approach, or the VPN over Tor approach. The developers of the Tails Operating System (which uses Tor by default) are opposed to using a VPN with Tails except in very specific circumstances.
Likewise, the Tor Project team advises setting up something called a Tor Bridge as an anonymous entry point into the Tor network.
In both these cases, the idea is that a VPN is not a true anonymous service since the VPN provider does have identifying information about you. In other words, you need to be able to trust your VPN.
Arguments for Using Tor and a VPN Together
The arguments for using Tor and a VPN together look at the ways that using both together can address some of the weaknesses of each. For example, Tor alone could be vulnerable to attacks on its Exit Relays, while a VPN alone is vulnerable to men with guns showing up at its offices and demanding information.
To get more specific about the arguments for (and against) using Tor and a VPN together, we need to look at the two ways of doing so: Tor over VPN, and VPN over Tor.
Using Tor over a VPN
In the Tor over VPN approach, you start your VPN before you connect your browser to the Tor network. For simplicity, we will assume that you are using the Tor Browser (the browser) for the most secure connection to Tor and that you want to visit the xyz.com website.
- First, you start the VPN. This establishes an encrypted connection between your computer and a VPN server. Your ISP knows your IP address and can see that you are connected to a VPN, but can’t read the data that passes along the encrypted VPN connection.
- Next, you start the Tor Browser and enter the address of xyz.com. The browser establishes a path through the Tor network and encrypts the data it is sending to xyz.com. The VPN can see that the browser is sending encrypted data to a Tor Guard Relay.
- The data passes through the VPN network and exits through the VPN server. The data is still protected by the encryption from the browser.
- The VPN server passes the data to the Tor network. It enters a Guard Relay, which thinks the message originated at the VPN server. The Guard Relay strips off the outermost layer of encryption and passes the message to a Middle Relay.
- The Middle Relay strips off the next layer of encryption and passes the message to an Exit Relay.
- The Exit Relay strips off the final layer of Tor encryption and sends the data to xyz.com. The Exit Relay can read the content of the message but doesn’t know the origin IP address.
Data passing from xyz.com to your browser follow the reverse route.
Pros and Cons of using Tor over a VPN
|This is easy to implement||Your VPN will see that you are using Tor|
|Your ISP won’t know you are using Tor||If your VPN drops your use of Tor could be visible|
|Your IP address won’t be visible at the Exit Relay||Your data will be unencrypted at the Exit Relay|
|Tor sees your traffic as originating at the VPN, not your IP address||If your VPN keeps logs, those logs could be used to reveal your IP address|
|An attacker needs to get past both Tor and your VPN||Using Tor and a VPN together is slower than using one or the other|
|Your data is encrypted before the VPN can see it||Using Tor over a VPN won’t help you if the Tor Exit Relay is blocked|
|You still have access to Tor’s Onion Services|
One last thing to consider. VPN providers have strong incentives to protect your privacy. ISPs have much less incentive and are easily subject to government pressure to record your activities and turn over records about you. In the United States, ISPs can legally gather and sell information about your online activities without your consent.
The Tor over VPN approach relies less on the trustworthiness of your ISP and more on that of your VPN provider.
Using a VPN over Tor
In a VPN over Tor setup, the VPN encrypts each connection in the Tor network. On the positive side, in this approach, your data is still protected by the VPN’s encryption when it leaves the Tor Exit Relay. Drawbacks to this approach include:
Pros and Cons of VPN over Tor
|Your VPN will see the Tor Exit Relay, not your actual IP address||Your ISP can see you are connected to Tor|
|The VPN may allow you to access sites that block Tor Exit Relays||You can’t access Tor’s Onion Services since the final link in the chain of connections is your VPN, not a Tor Exit Relay|
|You can choose the location of the VPN server to get access to geo-blocked content||The VPN provides a fixed endpoint in the chain of connections. This could be used by a global adversary to find your IP address using end-to-end timing analysis|
|Using Tor and a VPN together is slower than using one or the other|
While VPN over Tor does have some benefits, we think that Tor over VPN is the better approach. If nothing else, choosing this approach leaves you more dependent on the trustworthiness of your ISP than Tor over VPN.
Our Recommended Approach: Using Tor over a VPN
We think that the Tor over VPN approach offers a better privacy solution for most users with normal needs. If you are a spy, or otherwise at really high risk of really painful consequences, there are stronger solutions such as Qubes. But for most normal folks, a Tor over VPN solution looks good. The following video offers a nice summary of the pros and cons.
This solution is also surprisingly easy to set up. Just keep reading...
How to Set Up Tor over VPN
Setting up a Tor over VPN configuration is pretty simple, and it isn’t dependent on your choice of operating system or anything like that.
Follow these instructions to set up and use Tor over VPN:
- Step 1: Purchase, download, and install the VPN of your choice. A VPN that doesn’t keep logs is better than one that does. And a VPN that doesn’t keep logs and accepts anonymous payments using Bitcoin is better yet. See our guide to the best VPNs for some available options.
- Step 2: Launch your VPN and make sure it is working properly.
- Step 3: Download and install the version of the Tor Browser for your operating system from the official TorProject Download page.
- Step 4: Verify the file signature to ensure that your download hasn’t been tampered with. In the image below, the red arrow points to the sig link. Click here for information on what this is all about and how to verify it.
- Step 5: Once you have verified the Tor download, install it using the standard procedures for your Operating System.
- Step 6: Ensure that your VPN is active and launch the Tor Browser. You can now browse using Tor over VPN.
It is important to remember that you must launch the VPN before you launch the Tor Browser if you want to get the benefits of this approach.
While there remains some controversy about it, we believe that there are clear benefits to using both Tor and a VPN together.
In this article, we’ve looked at each of these tools and the ways they help you preserve your privacy online. We also looked at the two ways they can be used together and arguments for and against each. We wrapped up with a quick guide on how to boost your online privacy by setting up the Tor over VPN approach on your own system.
We hope you found this guide useful and if you are currently looking for a VPN provider, we recently compared two of the leading services which can be found here:
- Comparitch's article on Staying Anonymous Online
- Want Tor to really work?
- Wikipedia's definition of Internet Privacy
- Definition of Relay Network
- Techopedia's explanation of an ISP
- LifeWire's definition of an IP Address
- Thenextweb's 'ISPs can legally sell information' article
- Sunnyhoi's breakdown on TOR over VPN vs. VPN over TOR