 Should you use a VPN with Tor?

There is considerable debate over whether you should use a VPN with Tor. We will cover using a VPN either before or after launching Tor, but when people refer to this without explicitly saying which method, they usually mean connecting to the VPN BEFORE Tor is used. So:

User → VPN → Tor → Website

VPN before Tor

The use of a VPN with Tor is heavily debated among security experts.  We will present both the pros and cons, without taking a side.

Some argue that a VPN provides some benefit: if an entry guard turned out to be the malicious adversary, then instead of handing the data packets directly to you, it would only learn the VPN’s public IP address.

However, others point out that if the adversary is violent and your use of the same VPN continues, then the adversary will force the VPN to comply with giving up your location.

In addition, critics of the “VPN First + Tor” approach point out that if the VPN is compromised, this is a far greater threat than if a Tor entry guard were compromised because you get a new Tor entry guard at least every 10 minutes.  In contrast, most people use the same VPN for all of their traffic.

Proponents of the “VPN First + Tor” strategy argue that the VPN can’t see the Tor traffic and that even if the VPN were compromised, it’s no different than the ISP seeing you’re using Tor. In addition, these proponents point out that by using a VPN first, you’d be hiding that you’re even on Tor, since Tor use is in and of itself suspicious.

Our Nostr feed is neutral and does not take sides on the issue. However, the risks of VPN use can be mitigated partly (but not fully) by using multiple VPNs instead of trusting a single party. Some security experts suggest having one VPN for Tor and another for regular traffic to reduce the risk of the server recognizing you. Some VPN providers use external third-party VPS cloud servers. So if you don’t wish to pay for two VPN accounts, another alternative is to research which VPN locations are on which VPS cloud provider. Then use one cloud provider location for Tor and the other for clearweb traffic.

Make your own Tor Entrance Guard

Since Tor is a decentralized network, anyone can set up a VPS (virtual private server) to enter the network. Setting it up yourself reduces the ability of the Tor entrance guard to be malicious. Our company can set this up for you. Please visit the store section of our website.

VPN after Tor

It is also possible to put the VPN AFTER Tor for the purpose of going to websites which ban Tor use. 

You → Tor → VPN → Website

There are some risks with this strategy. The main one is that over periods of time longer than ten minutes, the VPN will see all the traffic, whereas if you were just using Tor, a different Tor exit node would take over every 10 minutes. Having different Tor exit nodes handle your traffic will obfuscate each 10-minute session and disconnect it from the previous traffic.

The longer you use the same VPN, the higher the chance of malicious Tor participants (exit nodes, relays, etc.) associating all this previous traffic back to your current session. However, this threat assumes the VPN is logging your activity and you’re using the same VPN for a long period of time. Technically the exit node can’t even see the VPN’s traffic, but if the exit node were a malicious violent adversary, then it could force the VPN to give up your traffic. This would be possible since a VPN’s physical location is always known.

The threats from Tor → VPN use are extremely minimal or non-existent if the browsing session is under 10 minutes.  Another option is to host your own dedicated VPN on a cloud VPS to ensure it’s operating without a log.
