Tor and VPN: how well do they mix?

(Image credit: Getty Images)

Anyone who connects to the internet is invariably always going to be on the lookout for improving their levels of privacy online too. There are several reasons for this, many of which can leave people and businesses feeling a little uneasy about how they can be seen or tracked. Online monitoring techniques can be used by governments in order to carry out surveillance alongside the likes of credit bureau agencies and nosey ISPs too. 

Even if you’re just a casual everyday consumer of online content, many if not all websites out there in cyberspace pull every trick in the browser fingerprinting book to track you around the web. Whatever your reason for wanting better privacy online, when it comes to improving your fortunes, one question that might have occurred to you is whether or not you should use a VPN service and Tor together. 

For anyone wanting to cover all bases, this approach of layered privacy can be highly beneficial. The good news is that it’s never been quicker or easier to get set up using the Tor browser and a VPN connection as a partnership. It can be a great way to enjoy solid online protection, with lots of off-the-software-shelf solutions to consider such as NordVPN, Surfshark, ExpressVPN, CyberGhost, IPVanish and more besides. So, let’s look at how this pairing performs together.

How secure is secure?

A VPN service is a way to encrypt all the traffic between a client, then to a VPN server, and on to the internet. This is done via an encrypted tunnel, which keeps the user’s public IP address hidden, and the net traffic private. Modern protocols perform the encryption at 256-bit, which is secure enough to be considered ‘top secret’ for government use. 

The good news for computer users is that it is now easy to choose from any one of several VPN solutions aimed at individuals, as well as businesses and enjoy robust levels of security too. There are numerous reputable names out there that can tailor a VPN package to suit your needs, with deals on features, functionality and pricing to match. 

However, even with the VPN configured correctly and the service performing well, nothing is 100% secure. The reality is that there can still be data leaks, where unencrypted data gets transmitted, which can include IP leaks alongside DNS leaks too. In other features related to this topic, we’ve recommended some approaches to mitigate the issue of VPN failure, including performing an IP leak test and using a VPN kill switch. However, despite best efforts, concerns remain regarding being affected by these sorts of leaks when using a VPN.

Why use Tor?

The Tor browser is a tool designed to make the user anonymous online, which does not use VPN technology, and therefore does not encrypt data. The name Tor is an acronym for ‘The Onion Router’, which is a specialized browser that sends the user’s data through several anonymous servers. In doing so, it becomes considerably more difficult to identify what the user is doing online. This has obvious benefits for anyone not wanting to be traceable for the reasons outlined above. 

Inquisitive new users may wonder how effective Tor is though. One thing to bear in mind with the whole Tor scenario is to remember that it originally emerged as a result of research, which was carried out at the United States Research Laboratory in the 1990s. The work was originally commissioned for use by US intelligence departments with their voracious requirements for securing online communications. 

Tor was subsequently released under a free license to the public and has grown in popularity ever since. Today, this solution gets used for a wide variety of purposes and still has an important place within official channels, including the US government looking to avoid revealing its IP address when it’s snooping around foreign web sites. 

However, Tor has also been used for more nefarious purposes and has gained a reasonable degree of notoriety. This has mainly been because it provides the perfect way to access the ‘dark web,’ which is the portion of the internet not indexed by search engines and is also frequently associated with illicit activity. 

While Tor is certainly a powerful tool, you’ll see that right on the homepage, there is a disclaimer that Tor does not completely anonymize the user while surfing the web. While the traffic on Tor is bounced through random nodes, it eventually exits to the internet via what is termed an ‘exit node.’ These so-called exit nodes can be hacked, or the exit node may be monitored by the owner, thereby exposing a user’s data.

Using a VPN and Tor together

With neither a VPN nor Tor being completely 100% effective as a single solution for anonymity, this raises the question of whether or not it’s a good idea to run both simultaneously. This does have the potential to give the user a double layer of privacy coverage but adopting this layered combination isn’t without controversy. There are certainly arguments as to whether Tor and VPN should be used in tandem, but at the same time there seems to be a reasonable level of disagreement over how best to implement this. 

One solution for combining the use of a VPN and Tor together is to use them in tandem via a technique called ‘Tor over VPN.’ In this arrangement the user connects, first to their VPN server and follows this by using the Tor browser. There are advantages in going down this route, with one obvious bonus meaning that Tor gets hidden by the encryption delivered by the VPN. 

Another benefit of the Tor over VPN technique is that it also means your IP address does not get revealed to the Tor entry node, which is because it sees the IP address of the VPN server instead. There downsides though, which includes the way the VPN provider is able to see your IP address. You should also keep in mind that there is no safeguard from Tor exit nodes that are hacked either. It’s a good way of working, but not perfect for obvious reasons.

Using VPN over Tor

There’s another option if this concept doesn’t appeal however. The alternate method for employing a dual usage arrangement of these services is known as ‘VPN over Tor.’ In this case things get flipped over somewhat with the computer first being connected to the VPN, and the encrypted tunnel is created. Next up, web traffic passes through the Tor browser, and after the exit node of Tor, the data is transferred to the VPN server, and then on to the internet. The main benefit of this technique is that all of your data is still encrypted. 

Of course, a major plus point to this method is that the data emerges from the Tor exit node still encrypted from the VPN, so it is safe from any potentially malicious nodes. That adds another level of appeal over the first option, but there are other benefits to be had from going down the avenue of VPN over Tor. 

Another distinct advantage is that the VPN does not see the IP address of the user, as this is scrambled via Tor. If this is subsequently combined with an anonymous payment system (some VPNs accept cryptocurrency, for example), this method can offer the user with another level of privacy. This is because it does not have the real IP address to turn over to anyone and that’s also the case even if the VPN keeps logs. On top of all that, users are also able to choose the server location the VPN uses, which can be useful in order to bypass any potential geo-blocking issues that might occur. 

While the VPN over Tor method is generally considered more anonymous, going for this option also a bit more difficult to configure, so it’s worth bearing that in mind if you’re not too keen on getting into more technical procedures. Another point to note is that this process allows the ISP to see what the user is connecting to through Tor, and as a result does not permit access to ‘.onion’ sites. 

You’ll want to remember that additional use of VPN over Tor requires a VPN service that offers support for it. However, the reality of the situation is that most VPNs currently do not offer any kind of backup for users working in this way, which is basically because the VPN needs access to Tor Control in order for configuration to work.

Best VPN over Tor solutions

So then, which is the going to be the best VPN over Tor solution to use? Well, that largely depends on what you have in mind and the ways you’ll be using your secure setup. It’s worth shopping around and seeing what the different VPN providers say in their features and functionality lists for starters. 

One of the better known VPN over Tor solutions comes courtesy of AirVPN. In our TechRadar Pro AirVPN review we found there was plenty to like, including the advanced feature set that it provided along with its robust support for the Tor browser. 

Other VPN providers have also incorporated the Tor browser into their service. For example, ExpressVPN has an ‘.onion’ version of its website, which lets users create an anonymous account. NordVPN actually encourages using Tor with its service, for “maximum online security and privacy,” which is achieved by connecting to an ‘Onion over VPN’ server. However, whichever option you take it’s well worth spending some time researching what different options can do, as not all of them deliver the same features and functions.

We've listed the best business VPN.

Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.

With contributions from