The Tin Hat

Tor And VPN | Using Both For Added Security

Category: darknets
A 4 Minute Read


Using both Tor and a VPN can be tricky, and even dangerous if done improperly. Routing VPN traffic through Tor or vice versa has certain major benefits, as well as disadvantages, depending on your threat model. This article will briefly explain when, and how, to use both Tor and a VPN.

VPN To Tor

I.e., packets exit the VPN before going into the Tor network.

Using Tor through a VPN has some advantages, the biggest being that it hides the fact that you're using Tor from your ISP. This would have been a benefit to the student who sent in a bomb threat over Tor (not that I condone ever doing that), as he was deanonymized by being the only person using Tor at the time in Harvard's network logs. Using Tor through a VPN would have hidden the fact that he was using Tor at all. Moreover, sending extra non-Tor traffic through the VPN helps to obfuscate Tor usage, and therefore hinders traffic analysis to a certain extent.

Where this setup fails is in hiding your traffic from a malicious Tor exit node. Because the traffic goes through the VPN and then into the Tor network, the VPN's encryption has already been removed by the time the traffic enters Tor, so exit nodes can still watch your traffic unencrypted.

Also, if the VPN provider is logging traffic, then using a VPN won't be much different from just using your ISP. In fact, because it should be assumed that there is always a chance that your VPN is logging traffic (even if they claim they don't), you really are gambling that the VPN is providing you the protection you need. If logs are kept, then the traffic can easily be correlated back to your real IP.

Again going back to the Harvard bomb threat, if he had used a VPN that logged his traffic, the police could have gone to all the VPN providers that were connected to the network at the time and asked for any logs with a court order (and a VPN company won't shut down for you). Because a chance of VPN operators logging activity always exists, my own opinion is that if your threat model requires that you hide your Tor traffic from your ISP, then it's best to not use that ISP at all. Go find some public WiFi (though this is a tip that we should heed whenever a high degree of anonymity is desired).
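What the local network's flow logs show in each of the cases described above, as an added example that is not part of the original article. The addresses, flow records and the `observed_clients` helper are constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample data (documentation address ranges, not real relays or providers).
TOR_RELAYS = {ip_address("198.51.100.7"), ip_address("198.51.100.9")}
VPN_ENDPOINTS = {ip_address("203.0.113.20")}

# Constructed flow records as a campus gateway might log them:
# (timestamp, internal client, destination IP)
FLOWS = [
    ("2024-01-01 06:00:00", "10.0.0.99", "198.51.100.9"),  # Tor, but hours earlier
    ("2024-01-01 08:10:00", "10.0.0.11", "192.0.2.80"),    # ordinary web traffic
    ("2024-01-01 08:21:00", "10.0.0.42", "198.51.100.7"),  # direct Tor connection
    ("2024-01-01 08:22:00", "10.0.0.57", "203.0.113.20"),  # Tor inside a VPN tunnel
    ("2024-01-01 08:25:00", "10.0.0.63", "203.0.113.20"),  # ordinary VPN customer
]

def observed_clients(flows, event_time, window_minutes=30):
    """Group internal clients by what the local network can see of them
    during the window leading up to event_time."""
    start = event_time - timedelta(minutes=window_minutes)
    seen = {"tor": set(), "vpn": set(), "other": set()}
    for ts, client, dst in flows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not (start <= when <= event_time):
            continue
        dst_ip = ip_address(dst)
        if dst_ip in TOR_RELAYS:
            seen["tor"].add(client)    # visibly a Tor user
        elif dst_ip in VPN_ENDPOINTS:
            seen["vpn"].add(client)    # only the VPN hop is visible locally
        else:
            seen["other"].add(client)
    return seen

if __name__ == "__main__":
    event = datetime(2024, 1, 1, 8, 30)
    for label, clients in observed_clients(FLOWS, event).items():
        print(f"{label}: {len(clients)} client(s) {sorted(clients)}")
```

The direct Tor user is alone in the `tor` set, while the Tor-over-VPN user is indistinguishable locally from any other VPN customer, which is why the VPN provider's logs become the next place to look.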

Configuration

If you do insist on routing Tor through your VPN, then the setup is fairly easy. Simply connect to the VPN and then open Tor Browser (less safe) or Whonix (more safe).

Tor To VPN


Computer > Encrypt w/ VPN > Tor Entry > Tor Exit > Decrypt w/ VPN > Destination

This configuration, to me, brings a greater degree of advantage to running both Tor and a VPN than the previous configuration does. Routing your traffic through Tor to your VPN has the major benefit of hiding traffic from malicious exit nodes. Because traffic is encrypted with the VPN before entering the Tor network, and because it is decrypted after leaving the Tor network, any exit relays that are snooping on your traffic will see nothing but noise. The risks of VPN logging are also reduced, as any logs will have a Tor exit IP attached to them rather than your real IP (and usually it's metadata that is logged, not content).

Of course, the major difficulty in doing this is acquiring the VPN in the first place. Even though the VPN server will only see your IP as being that of the exit relay, your anonymity will be ruined if it has a financial record of you. Because of this, washed/anonymized Bitcoins, or better yet Darkcoins, must be used to purchase the VPN. You will also have to place the purchase over Tor to ensure that the VPN has no initial record of your account, and that the transaction IP doesn't appear on the blockchain (remember to check that the site you're visiting is authentic, and using HTTPS). You must also remember to never connect to the VPN without first going through Tor. This requires some strict security habits, but if your threat model warrants this type of security then you don't have much choice.

Configuration

If you do decide to go this route, then the two easiest ways to get this setup are PORTAL and Whonix. PORTAL provides the best protection, as the traffic is sent through Tor transparently using isolated hardware while failing closed (the downside being that you need to purchase and assemble the hardware). Whonix is far easier, but operates at the risk of VirtualBox/KVM being exploited.

If you're using PORTAL, then just connect to the PORTAL router, and then connect to the VPN on your computer. If you're using Whonix, connect to your VPN inside the Workstation VM.

Of course, this topic is often debated, so if you think I'm crazy throw me an email with an explanation as to why!

