There’s ongoing confusion about how VPNs and Tor compare in regards to privacy and anonymity and competing opinions on how and when it makes sense to combine them. Do they work together, is there ever mutual contradiction, and what threats do they actually protect you from?
It’s time to settle the debate once and for all and get to the heart of how to properly use two of the most powerful internet privacy tools.
Internet anonymity in Tor
Tor is, without a doubt, the stronger anonymity network. Your data enters the network through a random node around the globe, makes at least two hops, then passes through a random exit node to its final destination.
Ideally, your information should be additionally encrypted, preventing the exit node from reading it.
Unlike with a VPN, no single node in this route gets the full picture of what you are doing. The entry node can only see your location but not who you are communicating with, while the exit node sees who you are communicating with, but not your location.
A relay in the middle prevents the exit node from finding out what the entry node was, in case an adversary manages to operate them both.
However, this process is slow and inefficient. And for a variety of privacy reasons, the Tor network cannot compensate volunteers for running nodes. Participants are also unable to speed up connections with payments, as this would de-anonymize them as well as the entry/exit nodes.
The VPN internet privacy model
VPNs provide a different privacy trade-off. They perform with high speeds and typically only route traffic through a single hop, usually in an industrial-grade data center.
To keep services stable and fast as well as develop apps, the VPN provider either has to charge their customers, like ExpressVPN, or somehow monetize their user data.
Like with Tor, a user is unable to see what happens inside the servers they are using. For example, it’s impossible to see if the VPN server is keeping logs, altering traffic, or injecting malware.
Though, given that a user can be identified through their login details or payment method, or repeatedly using the same service, a malicious VPN provider can gather details far more threatening to a person’s privacy than that of a Tor node.
To evaluate if a VPN provider is malicious, a user can look out for complaints on the internet, particularly from users who have been kicked off a VPN for breaching terms of service or violating copyright codes.
A VPN provider would be unable to determine which of their users committed violations if they truly kept no logs.
To combine VPN and Tor or not combine?
The debate over how to combine the services often comes down to the assumption that more hops mean more privacy, which is not necessarily true. However, adding a single, permanent node (i.e. a VPN) might entirely compromise the anonymity model that Tor provides.
The official website of the anonymous Operating System TAILS uses harsh words when discussing the utilization of a VPN with Tor:
“VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor)”
That being said, there are cases when using one with the other can be invaluable. The question is: Do you connect to VPN first and Tor second, or vice versa?
You -> VPN -> Tor
This model is easy for anyone to set up. Simply connect to VPN on your computer, then open the Tor Browser and continue to use it as you are used to.
Your traffic will first be routed to the VPN server, from where it enters the Tor network before it leaves it again at one of the system’s exit nodes.
According to the Tor Project, the arrangement works, but with one caveat–your VPN/SSH provider’s network is in fact sufficiently safer than your own network.
Your VPN will not be able to see your traffic but may find out that you are using Tor. On the upside, you are hiding your Tor activity from your Internet Service Provider and likely your local government. Depending on their stance on Tor, you might be safer or more private.
You -> Tor -> VPN
This model is a bit different to set up, as it requires you to fiddle with a virtual machine, and is generally not supported by VPN companies natively.
Your traffic first enters the Tor network, leaves through an exit node and then to a VPN server, from where you connect to the sites you are visiting.
The Tor Project advises against this arrangement:
“The VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous.”
The result is that your VPN often finds out who you are, perhaps because you connect from home regularly or because you made the VPN subscription payment through your credit card. Any provider could observe you long enough to “fingerprint” your behavior.
In theory, by signing up for a VPN through Tor, and paying through an anonymous payment method like Bitcoin, you can prevent your VPN from knowing any payment details. And if you always connect to the internet with Tor network, your current location would be disguised.
Your identity is still not as strongly protected as when using a Tor exit node, but you will not get flagged as a Tor user by the sites you are visiting.
Do you want to hide who you are? Or where you are?
The essential question you will have to ask yourself when using a Tor over VPN, or a VPN over Tor, is whether you want to hide your location or your identity.
Using VPN, then Tor guards your identity as close as currently technically possible. But Tor followed by VPN effectively hides your location and leaves you able to surf the web without the hassle of using a Tor exit node IP.
The choice is yours.
This difference can be a subtle one, but it can be essential. Imagine you are hiding from an oppressive dictatorship, but still want to maintain contact with the outside world. Keeping your location a secret will be far more important than maintaining anonymity.
If you, however, intend to leak information exposing corruption and misconduct in your country, hiding your identity is equally important to hiding your location.