^(This is not a replacement for the existing excellent coverage on this topic already by u/system33-, but rather a differently approached explanation intended more for laymen. If you like this post, you might consider linking to this thread when someone non-technical asks this question.)
Without fail, the most commonly recurring question in Tor communities is “should I use a VPN with Tor?”. Somehow the contradiction of feeling a need to use Tor to remain anonymous while simultaneously not trusting it to keep one anonymous doesn’t cause concern. It is of course an innocent question, but one that can’t be answered without first understanding what Tor does that a VPN doesn’t, and vice versa. Rather than bore you with highly technical language, and to be more relatable, we’ll talk about the internet as if it were the mail, because, well, they both route packages in much the same way.
Mailing a postcard
If you can imagine your data being written on a postcard and mailed, traveling through a network of post offices and delivery trucks until arriving safely at its addressed destination, it’s not hard to also imagine that whether or not that postcard is tampered with, photographed, intercepted completely or even destroyed outright largely depends on the path it takes and on the trustworthiness and bad incentives of the handlers in between.
Knowing it’s a postcard, you probably wouldn’t want to write anything too serious or compromising on it, like your credit card number, or attach a revealing photo of yourself intended for a loved one, but this is exactly how email and a lot of web traffic works today. Pretty scary, right?
Box it up
The solution is of course to encrypt your traffic with HTTPS, effectively throwing that postcard into a tamper-proof parcel box. With the added benefit of this box, the handlers can no longer easily figure out what’s inside, nor alter its contents. They can still destroy it of course, but they won’t know what they’re destroying. The box still carries a sender and a recipient label on the outside, though, so the handlers can see who is talking to whom even when they can’t read what is being said. This is why banking sites, email portals, search engines, and pretty much all sites on the internet these days use (or even require) HTTPS for the connection. This ensures that the data between you and them stays safe from the prying eyes of your ISP or anyone along the way.
Hide the sender address from the destination
So then “what good is a VPN?” you might ask. A VPN is a service that replaces the “sender” label on your box with their own address before mailing it. They have their own postal employees ready to handle your package, all with the claim that their handlers are more trustworthy than the regular mail, and a promise not to divulge the originating sender’s information. This is useful when you want to send a letter to or from a place that blocks mail with a certain sender address.
One example of this in practice would be P.O. boxes and remailers, where your true information is unknown to the party on the other end, and only the P.O. box or remailer is known. As a matter of basic security, it might make sense to always use a service like this, but consider this: by simply hiring this service, they now have access to your mail in a way that wouldn’t have been possible before. That might be okay depending on your needs, but occasionally it can be the service itself that is malicious towards its customers when the normal mail was honest. How would one know? These decisions are usually based on trust, which is usually shaped by marketing.
Hide the sender address from other handlers as well
So if a VPN provides such a protection, what then does Tor do? Tor is effectively like addressing your parcel to a P.O. box where another handler is waiting to handle it onward. Once arriving, that handler takes your box and puts it into another box and addresses it to a new P.O. box, effectively hiding its origin from the next handler, as well as making it more difficult for the previous handler to know where it’s ending up.
That sounds like a lot of handling! Can you imagine the shipping and handling fees? What good does it do though? With all those handlers, even if one handler were malicious, there would be nothing they themselves could do besides destroy your package outright without ever knowing the contents. They would not be able to open it, and no single handler sees both where it came from and where it is finally going. This is more resource intensive than simply mailing it straight to your destination though, and in the real world that translates to higher latency on your webpage loads and potentially slower connections overall, if the connection isn’t outright blocked for the mere fact of using that service in the first place.
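To make the “box inside a box” picture from this section and the “parcel box” from the HTTPS section concrete, here is a small added Python script. It is an illustration written for this explanation, not Tor’s protocol or code from the Tor project; the relay names, keys, destination and message are all constructed, and the cipher is a stand-in HMAC-SHA256 keystream so the script needs only the standard library. It models one thing: each relay opens exactly one box, reads only the label inside, and forwards the rest, and it records what each relay could see along the way.

```python
"""Toy onion routing: who learns what as each relay peels one layer.

Added example, not Tor's protocol or code. Everything here is constructed:
three relays (entry/middle/exit) with pre-shared symmetric keys, a
destination called example.org, and a stand-in cipher built from an
HMAC-SHA256 keystream so only the standard library is needed. Real Tor
negotiates keys per hop and uses AES; only the layering is modelled.
"""
import hashlib
import hmac
import os

FIELD = 16  # fixed-width "address label" at the front of every layer


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Put `plaintext` into a box only `key` can open: nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Open one box sealed with `key`."""
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def _label(name: str) -> bytes:
    return name.encode().ljust(FIELD, b" ")


def build_onion(route, keys, destination, message, e2e_key=None):
    """Sender side: one box per relay, innermost for the exit.

    `route` lists relay names in order; `keys[name]` is the key shared with
    that relay. With `e2e_key` the message is first boxed for the destination
    itself (the HTTPS parcel box), so not even the exit can read it.
    """
    payload = seal(e2e_key, message) if e2e_key else message   # parcel box or bare postcard
    plain = _label(destination) + payload                      # what the exit will see
    for i in range(len(route) - 1, -1, -1):
        boxed = seal(keys[route[i]], plain)
        if i == 0:
            return boxed                          # outermost box goes to the entry relay
        plain = _label(route[i]) + boxed          # relay i-1 only learns "forward to relay i"


def relay_step(key, blob):
    """One relay's whole job: open its box, read the label, pass the rest on."""
    plain = unseal(key, blob)
    return plain[:FIELD].decode().rstrip(), plain[FIELD:]


def deliver(route, keys, destination, message, e2e_key=None):
    """Push the onion through every relay; return the delivered bytes and a
    per-relay record of what that relay could see."""
    blob = build_onion(route, keys, destination, message, e2e_key)
    trace, previous = [], "sender"
    for name in route:
        next_hop, blob = relay_step(keys[name], blob)
        trace.append({
            "relay": name,
            "received_from": previous,
            "forwards_to": next_hop,
            "sees_plaintext": message in blob,
            "sees_destination": next_hop == destination or destination.encode() in blob,
        })
        previous = name
    return (unseal(e2e_key, blob) if e2e_key else blob), trace


# Constructed sample data for a run.
ROUTE = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in ROUTE}   # one pre-shared key per relay
SITE_KEY = os.urandom(32)                           # key shared with example.org (HTTPS stand-in)
MESSAGE = b"GET /account HTTP/1.1"

if __name__ == "__main__":
    for title, k in (("postcard through the onion", None), ("parcel box through the onion", SITE_KEY)):
        delivered, trace = deliver(ROUTE, KEYS, "example.org", MESSAGE, k)
        print(f"{title}: delivered intact = {delivered == MESSAGE}")
        for row in trace:
            print("  ", row)
```

Run it and read the trace: the entry relay knows it heard from the sender and forwards to the middle, the middle knows only its two neighbours, and only the exit learns the destination. Without the site key the exit also reads the postcard; with it (the HTTPS box) nobody on the path reads the message at all. What the model leaves out is exactly what the later section on finer details lists: sizes, timing and other metadata still travel with every box.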
Which one is better?
So Tor would seem to be ideal for the person who doesn’t trust individual handlers to be honest, while VPNs would seem to be ideal for people who want to trust the honesty of handlers but for some reason don’t trust the regular mail, or benefit from hiding their sender origin.
Why not both then?
Why then would anyone want to use them together? What would it benefit? In the worst case scenario, it’s true that if you use another courier network, you add a layer of obfuscation that would keep one group of handlers from finding out who really sent the package or where it’s really going. On the surface this sounds like an additional protection, but fundamentally you also involve an entity that you need to trust directly, one who would otherwise never have needed, or had, access to your package in the first place. It’d be like handing your package to a stranger in the street and asking them to put it into the mailbox for you instead of doing it yourself.
There are a lot of finer details lost in these rough equivalencies with real-life package handling, like the metadata of internet traffic, distinguishability and subsequent censorship, speed and privacy tradeoffs, traffic logging, traffic analysis, as well as general cost-to-benefit calculations.
Generally, those who use Tor do so because it fits their threat model. They either want to access hidden services, or they believe that trusting three randomly chosen volunteer handlers is safer than trusting a single paid handler. For VPN users, it’s that they either believe a single paid handler will do it better, or the destination address of the package is blocking mail from the handlers on Tor.
To mix the two is to essentially mix trust models. That could be considered a sign that one does not understand their own threat model, or that they do not trust that either individual technology will adequately protect them on its own (and thus should probably not be using it at all).
Conclusion
At the end of the day, the question shouldn’t be “should I use a VPN with Tor?”, but rather “why isn’t ____ enough for me?”. This practical thought process is an important sanity check and a developmental stepping stone towards a greater understanding of practical, applicable security.
So. Why isn’t Tor or a VPN enough for you?
^(Was this helpful to you? Did I leave something out or get something wrong? Let me know!)