Version 1 (modified by cypherpunks, 8 years ago)


There are many discussions on the Tor mailing list, and spread over many forums, about combining Tor with a VPN.



You're not going to get better anonymity by using VPNs with Tor. Anonymity is what Tor does very well, far better than any commercial VPN arrangement. With VPNs, there are potentially always logs that lead back to you. You can make the trails hard to follow by nesting VPNs from multiple providers and paying anonymously, but you can't eliminate them.

VPN versus Proxy

The connection between you and the VPN is (in most cases, not all) encrypted.

On the other hand, the connection between you and an OpenProxy is unencrypted. An 'SSL proxy' is in most cases only an HTTP proxy that supports the CONNECT method. The CONNECT method was originally designed to let you connect to web servers using SSL, but other fancy things such as connecting to IRC, SSH, etc. are possible as well. Another disadvantage of HTTP(S) proxies is that some of them, depending on your network setup, even leak your IP using the 'HTTP forwarded for' header (a so-called non-anonymous proxy, although the word anonymous has to be taken with care anyway: a single OpenProxy is much worse than Tor).


There are different ways to combine Tor with VPN with different pros and cons.

you -> VPN -> Tor

You can route Tor through VPN services. That prevents your ISP etc. from seeing that you're using Tor. Generally, VPNs are more popular than Tor, so you won't stand out as much. Once the VPN client has connected, the VPN tunnel will be the machine's default Internet connection, and the Tor Browser Bundle will route through it.

This can be a fine idea, assuming your VPN provider's network is in fact sufficiently safer than your own network.

Another advantage here is that it prevents Tor from seeing who you are behind the VPN. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your VPN was actually following through on their promises (they won't watch, they won't remember, and they will somehow magically make it so nobody else is watching either), then you'll be better off.

The problem with many VPN users is that they connect to the VPN on a machine which has direct access to the internet anyway.

  • the VPN user may forget to connect to the VPN
  • the VPN connection might break down and the user continues to use the direct connection
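
One way to detect the fail-open state described in the two points above, as an added example that is not part of the original page: it parses `ip -4 route show` output and reports whether traffic would leave outside the VPN interface. The interface name `tun0`, the sample routing tables and the probe addresses are constructed assumptions, and only the main routing table is considered (no policy routing, no firewall rules).

```python
import ipaddress

# Constructed sample `ip -4 route show` outputs (not captured from a real host).
VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.7 via 192.168.1.1 dev eth0
"""
VPN_DOWN = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return [(network, device, metric)] from `ip -4 route show` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f or "dev" not in f:
            continue  # blank line or a route without a device (e.g. unreachable)
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field is a route type, not a prefix
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, f[f.index("dev") + 1], metric))
    return routes

def egress_device(routes, dest):
    """Longest-prefix match, lowest metric wins ties; None if no route."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def leaks_outside_vpn(route_text, vpn_dev="tun0", probes=("198.51.100.10", "8.8.8.8")):
    """True if any probe destination would bypass the VPN interface.
    Probes are only looked up in the table; nothing is sent to them."""
    routes = parse_routes(route_text)
    return any(egress_device(routes, p) != vpn_dev for p in probes)

if __name__ == "__main__":
    for name, table in (("VPN up", VPN_UP), ("VPN down", VPN_DOWN)):
        print(name, "-> direct path possible:", leaks_outside_vpn(table))
```

The two probes sit in different halves of the address space because a VPN client may install `0.0.0.0/1` and `128.0.0.0/1` instead of replacing the default route, so a single probe could miss a half that fell back to the direct link.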

To fix this issue you get some hints from

you -> Tor -> VPN

This is generally a really poor plan.

You can also route VPN services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN exit nodes, you at least get to choose them. If you're using VPNs in this way, you'll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc).

However, you can't readily do this without using virtual machines. And you'll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

Even if you pay for them anonymously, you're making a bottleneck where all your traffic goes -- the VPN can build a profile of everything you do, and over time that will probably be really dangerous.

you -> VPN -> Tor -> VPN

Whether this is technically possible has not been researched yet, because 'you -> Tor -> VPN' is already a really poor plan (see above).

you -> your own (local) VPN server -> Tor

This is different from the above. You do not have to pay a VPN provider here, as you host your own VPN server. This won't prevent your ISP from seeing you connect to Tor, and it also won't protect you from spying Tor exit servers. This is done to enforce that all your traffic goes through Tor. Further reading: If you want this, it may be unnecessary to use a VPN; a simple Tor-Gateway may be easier.