Previous Page

nihilist@mainpc - 2024-04-30

Tor through VPN or VPN through Tor?

Tor and VPNs comparaison Recap

As we went over this comparaison in the previous blogpost here i will briefly recap it here:


The Tor Network provides Anonymity by routing your traffic through 3 random servers that are spread across the world.

By using it you are placing your trust into 3 random entities (which can be individuals, companies or adversaries), in 3 different legislations (due to being in 3 different countries),

if you are unlucky and use tor and all the 3 nodes are hosted by the same malicious entity, you can be deanonymized.


VPNs can provide Privacy from your ISP, but by using one you are getting privacy from someone (most likely your ISP), but the VPN provider can see what you're doing with your internet connection.

In other words, you're just shifting the privacy problem from your ISP to your VPN provider.

First Goal: Accessing websites that block Tor

Great, you found out about Tor, you want to be anonymous while browsing the web, and now you start to use your favorite centralised services (google, youtube for example) but you realize that they don't allow you to use their service while you use tor!

You -> Tor -> Destination

Keep in mind that Tor exit nodes are all public, it's easy for website administrators to block Tor exit nodes IPs by blocking their public IPs directly. So you can expect popular services that are openly hostile to both anonymity and privacy to block Tor traffic.

So the constraint here is to access the service without showing up as a tor exit node IP from their end.

To get around that problem, the idea is to force a VPN to connect through Tor (VPN through Tor Setup):

You -> Tor -> VPN -> Destination

That way, we have the following result:

  1. Your ISP only sees Tor traffic

  2. The VPN provider does not know who's using their infrastructure

  3. The website administrators of popular services think you are using their service using a simple VPN

A constraint here of course is to acquire the VPN connection anonymously, to do so we only use Tor and Monero as explained in my tutorial on Anonymity Management:

If the popular service does not block VPNs, you're good to keep using their service while still maintaining Anonymity.

/!\ Be warned that this setup takes into account that you're properly segmenting your Internet Usage, because initially when you use this setup (you -> tor -> VPN), you may be anonymous, but depending on your usage over time, you are increasingly more likely to be deanonymized if you are improperly segmenting your internet usage. (see details on OPSEC for more details)

Second Goal: Hiding Tor usage from your ISP

Another scenario is when you need to hide the fact that you're using Tor from your ISP, we have the following setup which is useful to prevent Tor usage correlation.

You -> VPN -> Tor -> Destination

From your ISP's point of view, using Tor alone definitely stand out from regular traffic, a popular option you can go for is to use a VPN (as this is a much more common occurence), and to use the Tor browser while keeping the VPN connection open.

In the unlikely event that you get deanonymized while using Tor, only your VPN IP would get revealed instead of your home IP address. And if the VPN provider has strict no-log policies and they actually follow through with their promises, it's very unlikely that both your VPN and Tor would be compromised at the same time.

DISCLAIMER ON VPNs: Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see Privacy Guides' Recommendations on that topic, out of which i recommend Mullvad because they accept Monero without any KYC.

Third Goal: Hiding Tor usage (For Heavily Censored Countries)

A popular scenario people encounter, especially in heavily censored countries (the prime example being China with their "Great Firewall"), is that the state blocks all VPN connections, on top of making them illegal.

Citizens don't want their ISP to know that they are using the Tor network. Because otherwise they would be prosecuted for simply using the technology.

Out of that situation, Tor bridge nodes were created. Tor bridge nodes are purposefully not listed in the public Tor directory to avoid being blocked by governments.

From Torproject's explanation on tor bridge nodes:

Bridges are useful for Tor users under oppressive regimes, and for people who want an extra layer of security because they're worried somebody will recognize that they are contacting a public Tor relay IP address.

Several countries, including China and Iran, have found ways to detect and block connections to Tor bridges. Obfsproxy bridges address this by adding another layer of obfuscation. 

Sidenote: be aware that this setup may provide transient censorship circumvention, but it does not provide against the threat where an adversary finds out, let's say 5 months later, that you connected to a tor bridge node in the past, and may prosecute you for it. This scenario is to be considered only when all VPNs are blocked or illegal in your country.

Tor bridges include multiple pluggable transports to help users in heavily censored countries:

obfs4 makes Tor traffic look random, and also prevents censors from finding bridges by Internet scanning. obfs4 bridges are less likely to be blocked than its predecessors, obfs3 bridges.

meek transports make it look like you are browsing a major web site instead of using Tor. meek-azure makes it look like you are using a Microsoft web site.

Snowflake routes your connection through volunteer-operated proxies to make it look like you're placing a video call instead of using Tor.

WebTunnel masks your Tor connection, making it appear as if you're accessing a website via HTTPS. 

That way, it allows you to use the tor network even if your government doesn't allow it.

In heavily censored countries, VPN traffic are easily detected (since VPN IPs are public most of the time), and most likely if you are in this use case, you need to hide the fact that you are using a privacy/anonymity technology, so in this case using VPNs as a first hop, is out of the question.

For other VPN/Tor combination possibilities, you can check what can be done from Torprojects's page on it


Until there is Nothing left.

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8

Contact: (PGP)