Trust
First I want to bring up trust. A VPN is fully, 100%, a single point/entity that you must trust. With Tor, you do not have to trust any single entity or any single point. Users don't have to trust every Tor relay that they use in order to stay safe with Tor. As long as the right ones aren't compromised, working together, or otherwise malicious, the user stays protected.
VPN users fully trust their VPN. They trust their VPN provider
- to not keep payment information
- to not keep logs
- to not share information with their adversary
- to be competent at keeping their network and machines secure
Should VPN-provider-X be completely trusted? Maybe. Are they completely trusted by their users? Yes, whether the users realize the amount of trust they are placing in the provider or not.
Assume for just a moment that using only Tor gives Alice the same amount of "protection" as using only a VPN. Using only Tor, she doesn't have to trust any single entity. Using a VPN, she has to completely trust her VPN provider.
So why use a tool that requires the user's trust, when she can use a tool that doesn't?
This brings up the question: If Alice decides she 100% trusts her VPN provider and wants to use Tor with a VPN, does the VPN add any value? I will address this question in two parts based on whether the VPN comes "before" or "after" Tor.
Connect to Tor through a VPN
Now I'll start with what is easiest to actually accomplish and is recommended most often. I prefer to discuss this as a series of reasons why someone would even think about using a VPN in this way.
Tor is Blocked
For whatever reason, Tor is blocked for Alice. Maybe her company has a really strict firewall or her country has a super strict firewall. But apparently, the firewall wouldn't block a VPN.
Alice should try using a Tor bridge first. A bridge is simply an unlisted Tor guard relay. If she was getting blocked because she was trying to connect to an IP known to be a Tor relay, this would help.
If that doesn't work, maybe her traffic is being blocked because it looks like Tor traffic. It is fingerprintable after all. If this seems to be the case, then Alice should try using a bridge with a pluggable transport. Pluggable transports make Tor traffic look different so it can (hopefully) not be fingerprinted and then blocked. obfs4 is a popular PT that makes the Tor traffic between Alice and her bridge look like encrypted garbage. meek is another PT that makes it look like Alice is talking to a website in the Amazon or Microsoft cloud.
Hide Tor Usage from ISP
First, Alice should consider whether or not her adversary is even capable of extracting information from her ISP. Is what she's doing even illegal where she lives? Is it embarrassing? To what lengths will her adversary go (or can her adversary go) in order to figure out who she is? If Alice is just trying to hide an embarrassing habit from her spouse or circumvent her incompetent country's censorship, hiding her Tor usage may not even be necessary.
Furthermore, if Alice isn't really up to anything bad, by not hiding her Tor usage, she helps reduce Tor's bad stigma. Many people use Tor for a wide variety of reasons. And if Alice believes Tor usage is enough to get her on a list of potentially bad people, she should be proud of that fact. She's not bad, and she's lowering the quality of that list. If everyone used Tor, everyone would be on the list, and the list would be worthless.
If Alice determines that she really does need to hide her Tor usage, she should first consider using bridges or bridges with pluggable transports. See the preceding section for information on those.
Hide True IP from Global Passive Adversary
I would like to preface this with: a global passive adversary (GPA) isn't something everyone should just assume they have to deal with.
A GPA can watch and record Internet traffic "all over," where "all over" is a large enough number of places that, in the context of Tor, they can watch/record traffic entering the Tor network as well as watch/record traffic leaving the Tor network. One way to accomplish this would be for the GPA to run Tor relays themselves, but that isn't a necessity. They could work with/hack/compromise ISPs and ASes "all over" until they get a good view of Tor's edge traffic.
A VPN between Alice and her entry point into the Tor network sounds like it would help, right? The GPA watching and correlating traffic will correlate her traffic to her VPN's IP address, not hers.
My rebuttal is best summed up with rhetorical questions: if her adversary is powerful enough to be able to watch traffic entering and exiting the Tor network, aren't they also capable of watching traffic enter and exit a single VPN provider?
Since VPNs are so popular, isn't it likely that the GPA has already done something to compromise the most popular ones?
Why would anyone ever assume that the GPA they're protecting themselves against would be stopped dead in its tracks by a VPN? If they can watch traffic leaving "enough" of the almost 1000 Tor exits and "enough" of the roughly 2500 Tor guards, then why would all of the following be impossible?
- extracting information from the VPN provider via the legal system
- extracting information from ISPs/ASes on both sides of the VPN provider
- gaining permission to watch the traffic on the VPN's network
- watching the traffic on the VPN's network (via compromise)
If Alice thinks she has a GPA to worry about, I think she is a fool for assuming the GPA can't find her behind a VPN.
Hide True IP from Browser-based Malware
Historically these exploits have seemed very valuable. They've only ever been found deployed in the wild against people doing terrible things. They've only targeted Windows users (likely because that was the largest demographic and the one that required the least amount of work for the most amount of reward). If you're not doing terrible things, you're probably not going to run into one of these exploits. If you're not using Windows, they're probably not going to work on you. Either by not being a shitty person or by not using the most popular operating system you avoid these exploits.
But maybe you don't agree that these exploits are rare and targeted. Okay ...
If you're assuming your adversary can break Tor Browser enough to make a web request that doesn't go over Tor (or otherwise collect identifying information about you or your computer), they're probably capable of a lot more.
If you think they can break out of Tor Browser entirely and run arbitrary commands as your non-root user, then something like Tails is probably more effective against this adversary than a VPN.
If you think they can both break out of Tor Browser and gain root privileges on your computer, then you're screwed and Tails won't help, a VPN won't help, and Whonix probably won't help either. Get off the Internet.
Connect to a VPN through Tor
I will now switch gears to discussing connecting to a VPN through the Tor network. People usually consider doing this because they want to appear to have an IP address that doesn't change and isn't associated with Tor. Doing this throws away the vast majority of the security gains that Tor gets you. It ruins Tor so much, and you have to trust the VPN company so much, that you might as well not even use Tor at all.
Traffic Pattern
When you use Tor Browser normally, it does lots of intelligent stuff to keep you safe. Tor Browser is a lot more than Firefox with some preconfigured security settings and some addons.
If in some tabs you are visiting Facebook (perhaps even with your real daily account) and in some other tabs you are on Wikipedia researching an accurate history of your abusive government, the traffic and the local state from the Facebook tabs will not touch the traffic or state from the Wikipedia tabs. The traffic from Facebook tabs, regardless of destination domain, will not use the same circuits (paths) through the Tor network as traffic from Wikipedia tabs, not even if they use the same ad network or content delivery network. You can never recreate this behavior in any other browser without modifying its source code and recompiling it. This is beyond simple configuration options.
If you connect to a VPN over Tor, this traffic separation goes away completely. You build a single circuit through the Tor network, and over this circuit, you connect to your VPN. All your Facebook and Wikipedia traffic travels the same path right next to each other. If you tunnel other things over this VPN connection, those things are right there too. All the SSH traffic, IRC traffic, IMAP, SMTP, or OS update traffic that you generate through this tunnel is right next to each other. Worse, depending on how you managed to get this VPN-over-Tor setup working, you may have even broken the local state separation of Tor Browser. If any of this traffic is identifying of you, you've potentially tainted all of your traffic.
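As an added illustration (not code from the original post), the Python below models the two situations at the SOCKS layer: Tor Browser hands Tor a per-tab SOCKS username (the first-party domain) and Tor's default IsolateSOCKSAuth keeps streams with different credentials on different circuits, whereas a VPN tunnelled over Tor is one SOCKS stream and therefore one circuit. The browsing session, the VPN hostname vpn.example and the session nonce are constructed; the circuit grouping is a simplified model, not Tor's own logic.

```python
import struct

# SOCKS5 wire constants: RFC 1928 (CONNECT) and RFC 1929 (username/password)
SOCKS_VERSION, CMD_CONNECT, ATYP_DOMAIN = 5, 0x01, 0x03

def socks5_userpass(username: str, password: str) -> bytes:
    """RFC 1929 credential frame. Tor does not check the values, but with its
    default IsolateSOCKSAuth it keeps streams with different credentials on
    different circuits; Tor Browser passes the tab's first-party domain here."""
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("SOCKS5 username and password are limited to 255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p

def socks5_connect(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with a domain-name address, so the name is resolved
    at the Tor exit rather than leaking a local DNS query."""
    h = host.encode("idna")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)

def circuit_map(requests, mode, session_nonce="constructed-nonce"):
    """Group (first_party, destination) requests by the Tor circuit they share.
    'tor_browser': credentials are the first-party domain, one circuit per tab site.
    'vpn_over_tor': every request is tunnelled inside one SOCKS stream to the VPN
    server, i.e. one circuit. Simplified model of the behaviour, not Tor's code."""
    circuits = {}
    for first_party, dest in requests:
        if mode == "tor_browser":
            key = socks5_userpass(first_party, session_nonce)
        elif mode == "vpn_over_tor":
            key = socks5_connect("vpn.example", 443)  # constructed VPN endpoint
        else:
            raise ValueError(f"unknown mode {mode!r}")
        circuits.setdefault(key, set()).add(dest)
    return circuits

def tainted(circuits, identifying_dest):
    """Destinations riding a circuit that also carries identifying traffic."""
    shared = [d for d in circuits.values() if identifying_dest in d]
    return set().union(*shared) - {identifying_dest}

# Constructed session: a logged-in Facebook tab and a Wikipedia tab, both
# loading a resource from the same ad network.
SESSION = [
    ("facebook.com", "www.facebook.com"),
    ("facebook.com", "ads.example.net"),
    ("wikipedia.org", "en.wikipedia.org"),
    ("wikipedia.org", "ads.example.net"),
]
```

Running circuit_map(SESSION, "tor_browser") yields two circuits and the Wikipedia traffic stays clear of the Facebook one; "vpn_over_tor" yields a single circuit on which every destination shares the path with the identifying Facebook traffic.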
Speed
I should preface this with: I've never actually tried this, but I have a good enough understanding of how this stuff works that I'm confident I can make some claims.
The most common way to connect to a VPN, as far as I'm aware, is with OpenVPN. OpenVPN works best when using UDP, but it technically supports using TCP. Tor cannot transport UDP, so if using OpenVPN, then the user must use it in TCP mode.
What's so bad about TCP mode? The details get rather technical, unfortunately, but I'll try to sum it up.
TCP guarantees reliable in-order delivery of data. Among other things, it accomplishes this by retransmitting lost packets.
When using Tor, Alice has a TCP stream between her exit and her destination. If her destination (from the point of view of the exit) is an OpenVPN server using TCP, then there is a TCP stream within a TCP stream. If what Alice is ultimately doing uses TCP (like browsing the web, for example), then the Tor TCP stream contains an OpenVPN TCP stream that contains Alice's actual TCP stream. If any of these streams detect packet loss, all of them will notice, back off on their transmission rates, and retransmit the packets they think got lost. This is absolutely terrible for performance.
Tor isn't really that slow these days ... unless you do something crazy like this.
Security
So if Alice decides she doesn't care about the huge performance hit, what does she get? She certainly gets the non-Tor IP address she wanted.
Aliceโs ISP will see her talking to a Tor guard. She could use a bridge (or even a bridge with pluggable transport) to prevent this.
Will she hide her true IP address from a global passive adversary? I already explained why thinking an adversary can't get information out of a VPN provider but can perform traffic analysis attacks on Tor users is silly. So no, if she's trying to protect herself from a GPA, she shouldn't consider using Tor to connect to a VPN any safer than just using Tor, in my opinion.
Finally, there's the matter of trust to consider again. Alice must be sure her VPN provider is worthy of the trust she will be putting in it. She must have paid her VPN provider in a way that can't be traced back to her. She must be sure that the VPN provider doesn't keep traffic or connection logs. She has to trust herself to never mess up and connect to her VPN without Tor. And for this VPN to be of any benefit at all, she must convince herself that her adversary can't somehow work with the VPN provider, compromise the VPN provider, or work with/compromise ISPs and ASes near the VPN provider.
Final Thoughts
I'm usually one of the first to remind people that everyone's security needs are different. I generally hate it when people immediately jump to assuming that the user asking for advice needs protection from a super powerful adversary. Not everything I've said may apply to you, the reader. And maybe in my limited experience, I've missed something that you have a question about. I've seen many discussions about using a VPN with Tor though, and I hope a very long-winded post will help you make an informed decision.