Tor and VPN: how well do they mix?

Clearly, it just about goes without saying that folks are seeking better levels of privacy online these days. There are a number of reasons for this, including government surveillance, credit bureau insecurities, nosy ISPs, and the latest is the Krack Wi-Fi vulnerability (in the WPA2 protocol).

Whatever your reason for wanting better privacy online, when it comes to that quest, one question that might have occurred to you is whether you should use both a VPN service and Tor together. For the ‘belt and suspenders’ crowd who want to take this approach of layered privacy, let’s look at how this pairing performs together.

How secure is secure?

A VPN service is a way to encrypt all the traffic between a client, then to a VPN server, and on to the internet. This is done via an encrypted tunnel, which keeps the user’s public IP address hidden, and the net traffic private. Modern protocols perform the encryption at 256-bit, which is secure enough to be considered ‘top secret’ for government use.

However, even with the VPN configured correctly, and the service performing well, nothing is 100% secure, and there can still be data leaks, where unencrypted data gets transmitted – including IP leaks, and DNS leaks. In other features, we’ve recommended some approaches to mitigate the issue of VPN failure, including performing an IP leak test, and using a VPN kill switch. However, despite best efforts, concerns remain regarding being affected by these sort of leaks when using a VPN.

Enter Tor

The Tor browser is a tool designed to make the user anonymous online, which does not use VPN technology, and therefore does not encrypt data. The name Tor is an acronym for ‘The Onion Router,’ which is a specialized browser that sends the user’s data through several anonymous servers. In doing so, it becomes considerably more difficult to identify what the user is doing online.

Users may wonder how effective Tor is, although a good starting point here is to realize that it originally came out of research done at the United States Research Laboratory in the 1990s for use by US intelligence – with the obvious need for secure online communications.

It was subsequently released under a free license to the public. This solution gets used for a variety of purposes, including the US government looking to avoid revealing its IP address when looking at foreign sites. It has also been used for more nefarious purposes, and Tor has gained some notoriety as the portal to access the ‘dark web,’ the portion of the internet not indexed by search engines, and associated with illicit activity.

While Tor is certainly a powerful tool, you’ll see that right on the homepage, there is a disclaimer that Tor does not completely anonymize the user while surfing the web. The traffic on Tor, while bounced through random nodes, eventually exits to the internet via what is termed an ‘exit node.’ These exit nodes can be hacked, or the exit node may be monitored by the owner, thereby exposing a user’s data.

Doubling up

With neither a VPN nor Tor being completely 100% effective as a single solution, this raises the question of whether to run both simultaneously, thereby giving the user a double layer of privacy coverage. However, this layered combination is not without controversy. There are certainly arguments as to whether Tor and VPN should be used simultaneously, and moreover, there is disagreement over how best to implement this.

The first way to combine them both gets called ‘Tor over VPN.’ In this configuration, the user first connects to their VPN server, and then uses the Tor browser. The advantages include the fact that the use of Tor gets hidden by the encryption of the VPN. In addition, your IP address does not get revealed to the Tor entry node, as it sees the IP address of the VPN server. The downsides include the VPN provider being able to see your IP address, and also, there is no safeguard from Tor exit nodes that are hacked.

The alternate method for dual-wielding these services is known as ‘VPN over Tor.’ In this case, the computer is first connected to the VPN, and the encrypted tunnel is created. Next, traffic passes through the Tor browser, and after the exit node of Tor, the still encrypted data is transferred to the VPN server, and then on to the internet.

A plus point of this scheme of things is that the data emerges from the Tor exit node still encrypted from the VPN, so it is safe from any potentially malicious nodes.

An additional advantage is that the VPN does not see the IP address of the user, as this is scrambled via Tor, so combined with an anonymous payment system (some VPNs accept cryptocurrency, for example), it provides the user with another level of privacy – because even if the VPN keeps logs, it does not have the real IP address to turn over to anyone.

Finally, the user is also able to choose the server location that the VPN uses, which can be useful to bypass geo-blocking issues.

While the VPN over Tor method is generally considered more anonymous, it’s also a bit more difficult to configure. Furthermore, it allows the ISP to see what the user is connecting to through Tor, and does not permit access to ‘.onion’ sites.

The additional issue of VPN over Tor is that this method requires a VPN service that offers support for it, but the reality is that the majority of VPNs currently do not. This is because the VPN needs access to Tor Control so that the configuration will work.

One of the better known VPN over Tor solutions comes courtesy of AirVPN. When TechRadar Pro reviewed this service, we found there was plenty to like, including the advanced feature set that it provided, and indeed support for the Tor browser.

Other VPN providers have also incorporated the Tor browser into their service. For example, ExpressVPN has an ‘.onion’ version of its website to allow users to make an anonymous account. NordVPN actually encourages using Tor with its service, for “maximum online security and privacy,” which is achieved by connecting to an ‘Onion over VPN’ server.