VPN+Tor: Do we have a conclusive answer or is it still debatable?

I researched the topic of using Tor with a VPN. Without going much into technical detail, a lot of users on Reddit and StackExchange suggested to “not use the combo”, although countless blogs (mostly VPN providers, obviously) suggest it offers the best protection.

Just half an hour ago I landed here https://www.zdnet.com/article/your-complete-guide-to-the-dark-web-and-how-to-safely-access-onion-websites/ - a fairly decent source of news for techies.

It reads: “Both a VPN and Tor should be used together and it is advisable to connect via a VPN to Tor, rather than vice versa, for the best protection possible.”

  1. While this and other blogs say VPN+Tor is the best protection, I am curious why some users don’t recommend it, including the Tor Project: “we don’t recommend using a VPN with Tor unless you’re an advanced user who knows how to configure both in a way that doesn’t compromise…
  2. What’s the logic behind ZDNet saying "connect via a VPN to Tor, rather than vice versa"?

Actually, it depends on your “Threat Model”.
Usually it’s not recommended to use a VPN along with Tor. Tor developers also say it’s not recommended. But they don’t really forbid using a VPN with Tor; they said ‘You gotta be careful about what you are doing when combining VPN with Tor’. There are many use cases where using a VPN with Tor is the only way. But a bunch of ignorant blind Tor fans are always crying like ‘No, no no, never-ever use Tor with VPN. VPN bad. Tor is bulletproof, Tor is hackproof, Tor is divine, Tor is the God, Everyone should worship Tor, Tor is the creator of the human race, so every human should have to worship Tor’ bla…bla…bla… & so on…
But those blind fans totally failed to understand that there is a term called “Threat Model”. Depending on that, many people do need to use a VPN. Those ignorant blind Tor fans pretend as if they have more knowledge than the actual Tor developers… :rofl:
How pathetic!!!
Though VPNs aren’t bulletproof or hackproof either; they also have their own drawbacks. And some VPNs are so terrible & really a great threat. But not all are.

Whatever, there are indeed downsides to using Tor without a VPN (only applicable in particular situations).
Tor doesn’t make you anonymous before connecting to Tor nodes; it doesn’t hide your Tor connection. Your Govt. can easily see that it’s you using Tor. Sure, the Govt. isn’t gonna know what you are doing on Tor. But you already got detected by the Govt. by using only Tor. Yes, there are Tor Bridges, but bridges don’t hide the fact that you are using Tor; bridges simply get the Tor connection through if the ISP restricts the Tor network. Domain Fronting Bridges actually do hide your Tor connection before connecting to Tor nodes, but by DPI (Deep Packet Inspection) the Govt. can still detect you as a Tor user from that corrupted Govt. regime. And even if the Govt. can’t detect you (the Govt. only can’t detect you by this method if your Govt. is a poor Govt. from a poor 3rd world country), a VPN is still a far greater way to not get detected by the Govt., as you get blended with many, many VPN users. Obviously there are many more VPN users in a country than Tor users.

In some countries there are very, very few Tor users; I really mean very few, like only 1 or 2 Tor users at best in that country.
And if the region is an authoritarian dictatorship & the Govt. is corrupted and evil & the Govt. starts suspecting Tor users, then the Tor users will go boom, as they will be doomed instantly by their own Govt., as the ISP kept logs of Tor users. In this situation a VPN is the only savior. As there are so many VPN users, you could blend in with VPN users & hide the Tor connection behind the VPN. Also you need to protect the non-Tor traffic on your system to be on the safe side, be anonymous and not get caught by your own corrupted Govt., so you really need to use a VPN along with Tor.
In those cases, if you use Tor without a VPN you’ll make yourself shine like a lightbulb in the dark.

And you really gotta be careful choosing a VPN. You have to choose a VPN which is trusted, well reputed, has an open source codebase, keeps its transparency, has a strict no-logs policy, is audited by a 3rd party security firm, is out of 14 eyes surveillance, and is under a strong privacy law jurisdiction like the EU, or it could be anywhere else & proven as trusted.
There are very few VPNs out there that you can actually trust. I prefer “ProtonVPN” as it’s privacy oriented, open source & trusted. IVPN and Mullvad are some you can trust.

So, my suggestion is: Always use a trusted VPN along with Tor (Tor over VPN method). At least to protect yourself from non-Tor traffic.

When I personally recommend to a user not to use a VPN with Tor, it’s typically because the user is either incredibly new and doesn’t have enough technical experience to properly configure the VPN, wants a free option (I don’t recommend free VPN options), or wants to install a VPN on Tails. I look at how many VPN users end up getting a Copyright Infringement Notice from torrenting because they don’t know how to bind the torrent client to an interface, so when the VPN inevitably drops (because that happens) it exposes them. I wouldn’t want a similar mistake or misconfiguration to cost someone their freedom or life. There are also other things to consider while choosing a VPN provider (no logs, independent audits, at least one anonymous payment method, not based in a 14 eyes country or in the country the user is speaking out against/hiding from, transparent and up front, secure DNS, etc.).

Some people believe that when using a VPN you are simply trading the snooping your ISP does for the snooping a VPN company could/does do. After all, some of the evidence used against Anonymous/Lulzsec hackers was logs from HideMyAss VPN. No one thought that a VPN provider could stay in business after informing on its users; HideMyAss is now HMA and is still in business. Legitimate companies have to follow the laws of the countries they are based in. Tor being run by volunteers all over the world protects against that, though there are other trade-offs, especially if you are dealing with a skilled attacker or an APT (advanced persistent threat).

As for VPN + Tor or Tor + VPN, if I am going to recommend using both to a user, I am going to advise VPN + Tor. This keeps the user’s ISP from knowing the person is connected to the Tor network and stops the Tor entry node from knowing the user’s IP address. In some countries that is as important to hide as who the user is talking to, or what the user is doing. This option is also easier to set up because typically it is simply starting the VPN client and then launching the Tor Browser once both are configured. VPN + Tor is even how ProtonVPN routes on the Tor network (ProtonVPN Server → Tor Entry → Tor Node → Tor Exit Node).

Tor + VPN has never made sense to me as an option. It is harder to set up correctly and makes it more likely you will have some sort of leak. Some VPN providers don’t even support this method because it doesn’t increase your anonymity. You are allowing the VPN provider to see what site you are looking at instead of the exit node. Your ISP knows that you are connected to the Tor network and the Entry Node knows your real IP address.

Depending on a person’s threat model there is no one size fits all solution for privacy and/or anonymity. Some people just want to use Tor to see what all of the hype is about. Others use Tor to protect themselves when talking to sources/journalists, while exposing/leaking corrupt government practices, or while organizing protests.

This comes up a lot. It’s usually not what you want, but it really depends on what you want to do and what kind of VPN we’re talking about.

So, what do you want to do?

Do you want to access tor on a network that tries to block it? Or do you want to hide the fact that you are using tor from the local network? Then VPN could help. But you probably want bridges or meek.

Do you want to hide the fact that you are using tor from the site you are accessing? If you connect tor->VPN->site you are probably throwing away all benefits of using tor, and you most likely buy nothing over using the VPN directly except complexity, latency and frustration.

It is generally a good idea to think really hard about what you want to protect from whom, and what you’re willing to give up to get it.

Here is my thought process:

If you just want your internet traffic to be private, use Tor alone. The VPN doesn’t add any additional obfuscation of your data packets and adds 1 more hop (although this shouldn’t slow Tor since you only make that hop once).

If you want internet traffic to be private and your ISP/Gov’t cannot know you are using Tor, then first connect to a VPN and then to Tor, as the ISP/Gov’t will see you connect to the VPN and then the rest of your data should be obfuscated.

Another option for this scenario is to use Tor bridges/snowflake: because the bridge IPs are not public information, the ISP won’t know the server you’ve connected to is part of the Tor network.

If you need to download Tor without your ISP/Gov’t knowing, use a VPN to download the Tor software and then either always connect to the VPN before connecting to Tor or connect to a bridge/snowflake.

One has to consider that VPN services may log your data, and if there is a data breach at that VPN or if a Gov’t forces them to turn over the records it may show that your IP ultimately connected to Tor (however, I don’t know exactly how that works so take with a grain of salt).

In general Tor is very private so a VPN just adds a new entity to trust, but like I said, if Tor is illegal where you live it may be the only way to get to Tor.

In short: it all depends on the VPN itself. If you pay it by cash or crypto, if you can trust a zero log policy, then it is not harmful. Otherwise it could be a threat.
Given the fact the above requisites are satisfied by a very short list of VPN providers, your answer is quick to retrieve.

You → vpn → Tor

Makes sense when you need to hide the fact that you are using Tor from your network administrator, ISP or government. Forget about bridges, even with them it’s trivial to know that you are using Tor.

You → Tor → vpn

This one could potentially introduce correlation attacks/fingerprinting since your exit node will always remain the same. Useful when you need to access services that block Tor, however a proxy or tunnel is preferred. (Probably that’s why vpn before Tor is recommended instead of this one)

I use a VPN 24/365 to protect the non-Tor traffic of my system. Then when I want to access an onion site, I launch Tor Browser and thus have Tor over VPN.

Tor Browser is secure by itself. Tor Browser doesn’t need help from a VPN. VPN doesn’t help or hurt the Tor traffic. VPN is there for the non-Tor traffic.

There have been a lot of good points, I’d just like to bring up another.

Most VPNs do not have a built-in killswitch. That is, if your VPN connection drops, you will now be browsing without it. Leaking abounds.

Next is IPv6. Unless you’re using a properly configured VPN, IPv6 leaks are still a very real threat.

  1. Tor to VPN would hide you from the VPN, but it would again stop allowing onion sites to work as expected, hence the VPN → Tor being the primary route.

There are use cases for both. If your instance is using the darknet, then forgo the VPN.

https://youtu.be/6arTTIcE4LA

https://youtu.be/aMzai8YTLJU
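
The kill-switch and IPv6 points raised above can be checked against a Linux routing table. The following is an added example, not part of any poster's message: it runs a longest-prefix match over constructed `ip -4 route show` and `ip -6 route show` output for a hypothetical OpenVPN-style setup (tunnel `tun0`, physical `eth0`) and reports where traffic leaves with the tunnel up and after it drops. It assumes routes live in the main table and ignores firewall rules and policy routing, either of which can act as a kill switch.

```python
import ipaddress
# Constructed sample output (documentation addresses), not from a real host.
ROUTE4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 10.8.0.1 dev tun0
"""
ROUTE6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

def parse_routes(text, default_net):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = default_net if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types not modelled here (blackhole, unreachable, ...)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress(routes, dst):
    """Longest-prefix match (metrics ignored): device carrying traffic to dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits)[1] if hits else None

def leak_report(route4, route6, tunnel_if):
    """Per address family: egress device with the tunnel up and after it drops."""
    probes = {"ipv4": ("0.0.0.0/0", route4, "198.51.100.7"),
              "ipv6": ("::/0", route6, "2001:db8::7")}
    report = {}
    for family, (default_net, text, dst) in probes.items():
        routes = parse_routes(text, default_net)
        up = egress(routes, dst)
        down = egress([r for r in routes if r[1] != tunnel_if], dst)
        report[family] = {"tunnel_up": up, "tunnel_down": down,
                          "leaks_now": up not in (None, tunnel_if),
                          "leaks_on_drop": down is not None}
    return report

if __name__ == "__main__":
    print(leak_report(ROUTE4, ROUTE6, "tun0"))
```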

I’ve a question, but I don’t have the know-how for figuring out the answer. If you are using Tor Browser over a VPN, to protect yourself from your ISP detecting it, then that Tor packet is going to be part of the VPN tunnel, right? When you are simultaneously downloading and uploading torrents and streaming AND using Tor, wouldn’t it all still go through a single WireGuard or OpenVPN connection? If so, how is it possible to detect 512kb, or whatever the default Tor size is, when it’s mixed in with other packets?
Any idea?

Another really great comment I found in this thread.
Thumbs up :+1:
The actual truth is, “There is no perfect system in this World”. And the use case might vary as per the user’s ‘Threat Model’.
There are both advantages & disadvantages to both Tor & VPN.

But I wonder why ignorant blind Tor fans don’t want to understand the ‘Threat Model’ & also don’t want to understand the advantages of VPN!!! To them, VPNs are all about disadvantages. And they love to worship Tor as the one & only God :rofl:

I’m curious.
If you are using Tor Browser over a VPN, to protect yourself from your ISP detecting it, then that Tor packet is going to be part of the VPN tunnel, right? When you are simultaneously downloading and uploading torrents and streaming AND using Tor, wouldn’t it all still go through a single WireGuard or OpenVPN connection? If so, how is it possible to detect 512kb, or whatever the default Tor size is, when it’s mixed in with other packets? Wouldn’t the VPN add more data to the packet tunnel to use the full around 1500kb?
So therefore there wouldn’t be a way to detect that “inside of this WireGuard tunnel, there is Tor, torrents and streaming”. (Without the logs from the VPN of course.)

“It is generally a good idea to think really hard about what you want to protect from whom, and what you’re willing to give up to get it”

Totally agree with you.
It’s a real good answer that ignorant, arrogant, blind Tor worshipper fans don’t want to understand & stay willfully ignorant of.
It all depends on the person’s need, the “Threat Model”.

Your thought processes are correct. But about that line: “Another option for this scenario is to use Tor bridges/snowflake because the bridge IPs are not public information, the ISP won’t know the server you’ve connected to is part of the Tor network”

That’s true, fine. But it has a real good problem. By the Deep Packet Inspection (DPI) method, your Govt. is gonna see that you are continuously sending & receiving some weird gibberish data, and the chunk of the data is really big & that means you are connected to somewhere else out of the Govt.’s reach. That might be really alarming for the corrupted Govt., and also the Govt. already knows who you actually are. As a result, now you are a suspect.

Bridges are for evading censorship, but bridges don’t really guarantee that you won’t get flagged as a Tor user. Domain Fronting bridges are surely more undetectable, but it’s on the Tor developers’ domain fronting page: “However, it does not make you anonymous, or completely hide your destination like Tor Browser does”. And still, as I always used to say, a trusted VPN is the best bet to hide yourself from your own corrupted Govt. You just have to make sure that you are not connected to your own country’s server of that VPN.

Worst case scenario though, you are linked to your VPN. So what? Without a VPN your ISP knew you were using tor, with a VPN now your VPN knows you’re using tor.

I don’t see how going you → vpn → tor can really have a downside. Even if the VPN is compromised, you haven’t actually lost any level of security. It’s not like your VPN can see what you’re doing any more than your ISP could.

if you can trust a zero log policy

Which you can’t. You can neither trust that the VPN provider is being honest nor that the VPN provider is actually correct in thinking that they are being honest. A VPN provider may not be logging but it may have had its systems compromised to some degree sending logs back to Utah. Arguably this doesn’t matter as much depending on your threat model and when doing Tor->VPN though.

This exactly. I never turn off my VPN, so when I need to go to zlib I simply use Tor, and not Chrome where I’m always logged in.

That ignorant subreddit sucks miserably :-1:
That subreddit is only - for blind tor fans, by blind tor fans, to blind tor fans!!!

They pretend as if they really do have more knowledge than the actual Tor developers :rofl: