Before you ask "should you use VPN with Tor?", consider this

^(This is not a replacement for the existing excellent coverage on this topic already by u/system33-, but rather a differently approached explanation intended more for laymen. If you like this post, you might consider linking to this thread when someone non-technical asks this question.)

Without fail the most commonly recurring question in Tor communities is “should I use a VPN with Tor?”. Somehow the contradiction of feeling a need to use Tor to remain anonymous while simultaneously not trusting it to keep one anonymous doesn’t cause concern. It is of course an innocent question, one that can’t be answered without first understanding what Tor does that a VPN doesn’t, and vice versa. Rather than bore you with highly technical language, and to be more relatable, we’ll talk about the internet as if it were the mail, because, well, effectively they both route packages in a similar way.

Mailing a postcard

If you can imagine your data being written on a postcard and mailed, traveling through a network of post offices and delivery trucks until arriving safely at its addressed destination, it’s not hard to also imagine that whether or not that postcard is tampered with, photographed, intercepted completely or even destroyed outright, largely depends on the path it takes and the trustworthiness and malincentives of the handlers in between.

Knowing it’s a postcard, you probably wouldn’t want to write anything too serious or compromising on it, like your credit card number, or attach a revealing photo of yourself intended for a loved one, but this is exactly how email and a lot of web traffic works today. Pretty scary, right?

Box it up

The solution is of course to encrypt your traffic as HTTPS, effectively throwing that postcard into a tamper-proof parcel box. With the added benefit of this box, the handlers can no longer easily figure out what’s inside, nor alter its contents. They can still destroy it of course, but they won’t know what they’re destroying. This is why banking sites, email portals, search engines, and pretty much all sites on the internet these days use (or even require) HTTPS for the connection. This ensures that data between you and them stays safe from prying eyes of your ISP or anyone along the way.

Hide the sender address from the destination

So then, “what good is a VPN for?”, you might ask. A VPN is a service that replaces the “sender” label on your box with their own address before mailing it. They have their own postal employees ready to handle your package, all with the claim that their handlers are more trustworthy than the regular mail, and a promise not to divulge the originating sender’s information. This is useful when you want to send a letter to or from a place that blocks mail with a certain sender address.

One example of this in practice would be P.O. boxes and remailers, where your true information is unknown to the sender or receiver, and only the P.O. box or remailer is known. As a matter of basic security, it might make sense to always use a service like this, but consider this: by simply hiring this service, they now have access to your mail in a way that wouldn’t have been possible before. That might be okay depending on your needs, but occasionally it can be the service itself that is malicious towards its customers when the normal mail was honest. How would one know? These decisions are usually based on trust, which is usually influenced by marketing.

Hide the sender address from other handlers as well

So if a VPN provides such a protection, what then does Tor do? Tor is effectively like addressing your parcel to a P.O. box where another handler is waiting to handle it onward. Once arriving, that handler takes your box and puts it into another box and addresses it to a new P.O. box, effectively hiding its origin from the next handler, as well as making it more difficult for the previous handler to know where it’s ending up.

That sounds like a lot of handling! Can you imagine the S+H fees? What good does it do though? With all those handlers, even if one handler was malicious, there would be nothing they themselves could do besides just destroy your package outright without ever knowing the contents. They would not be able to open it or see where it came from, nor where it is intended to go. This would be more resource intensive than simply mailing it straight to your destination though, and in the real world that translates to higher latency on your webpage loads and potentially slower connections overall, if the connection isn’t outright blocked for the fact of using that service in the first place.

Which one is better?

So Tor would seem to be ideal for the person who doesn’t trust individual handlers to be honest, while VPNs would seem to be ideal for people who want to trust the honesty of handlers but for some reason don’t trust the regular mail, or benefit from hiding their sender origin.

Why not both then?

Why then would anyone want to use them together? What would it benefit? In the worst case scenario, it’s true that if you use another courier network, you add a layer of obfuscation that would keep one group of handlers from finding out who really sent the package or where it’s really going. On the surface this sounds like an additional protection, but fundamentally you also involve an entity that you need to trust directly, who would never otherwise have needed to, or had access to, your package in the first place. It’d be like handing your package to a stranger in the street and asking them to put it into the mailbox for you instead of doing it yourself.

There are a lot of finer details lost in these rough equivalencies with real life package handling, like metadata of internet traffic, distinguishability and subsequent censorship, speed and privacy tradeoffs, traffic logging, traffic analysis, as well as general cost to benefit calculations.

Generally, those who use Tor do so because it fits their threat model. They either want to access hidden services, or they believe the trust model of trusting three random volunteer handlers is safer than a single paid handler. For VPN users, it’s that they either believe a single paid handler will do it better, or the destination address of the package is blocking mail from those handlers on Tor.

To mix the two is to essentially mix trust models. That could be considered a sign that one does not understand their own threat model, or that they do not trust that either individual technology will adequately protect them on its own (and thus should probably not be using it at all).

Conclusion

At the end of the day, the question shouldn’t be “should I use VPN with Tor?”, but rather “why isn’t ____ enough for me?”. This practical thought process is an important sanity check and developmental stepping stone towards a greater understanding of practical applicable security.

So. Why isn’t Tor or a VPN enough for you?

^(Was this helpful to you? Did I leave something out or get something wrong? Let me know!)

> Why isn’t Tor or a VPN enough for you?

Because Tor:

  • gives better anonymity

  • can access onion sites

While a VPN:

  • can protect UDP traffic (onion doesn’t handle UDP)

  • can protect traffic from ANY app/service, not just Tor Browser

  • is blocked less than onion network

  • has lower performance penalty than onion

So, the two are for different purposes. I run a VPN 24/365, to protect all of my non-Tor traffic. Then when I want to use Tor Browser to access an onion site, I leave VPN running and launch Tor. Tor over VPN. The VPN is not there to help Tor, it’s there to protect the non-Tor traffic.

A simple question but I just need a clarification: when someone uses Tor and VPN together, which connection comes first?

PC->VPN->Tor->Website

or:

PC->Tor->VPN->Website

Your specific use case would be a good one, assuming of course you’re fine with the VPN knowing you use Tor, and are fine sharing whatever data you share with the VPN. Sounds fine to me.

> is blocked less than onion network

It is blocked less because a VPN is not private or anonymous at all. The VPN operator knows everything you do in the same way your ISP does; if you do something illegal you are easily tracked down or banned by the VPN provider for breaking the TOS.

The purpose of VPN technology is not to provide privacy to its users; its purpose is to connect corporate offices into a single virtual private network over the internet.

If you use VPN first, you’re protecting all traffic, but also connecting to Tor from the VPN’s servers. This means the ISP sees the VPN, the VPN sees Tor and vice versa (which means if Tor is compromised, they have a VPN to contact to get your information), and Tor (last hop) sees the website.

If you use Tor first, you’re protecting only traffic you forward over Tor (and in most people’s case, just the Tor Browser). The ISP sees Tor. Tor sees the VPN and vice versa (which means if Tor is compromised, they have a VPN to contact to get your information), and the website sees the VPN (which means the website has a VPN to contact to get your information).

I would imagine VPN > Tor is probably more useful but isn’t required.
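As an added illustration of the "who sees what" reasoning in the comment above (not code from the thread or from any commenter), here is a small model in which every hop learns only the address of the hop before it and the hop after it. Tor is expanded into the three relays the original post calls "three random volunteer handlers"; the hop names and the two orderings are taken from the thread, everything else is an assumption of this model.

```python
# Added example: a minimal "box inside a box" model of the two orderings
# PC->VPN->Tor->Website and PC->Tor->VPN->Website. Assumption: each hop
# sees only its immediate neighbours, nothing further along the chain.
from typing import Dict, List, Optional, Tuple

TOR = ["tor-guard", "tor-middle", "tor-exit"]  # the three volunteer handlers


def build_chain(order: str) -> List[str]:
    """'vpn-first' is PC->VPN->Tor->Website, 'tor-first' is PC->Tor->VPN->Website."""
    if order == "vpn-first":
        return ["PC", "VPN", *TOR, "Website"]
    if order == "tor-first":
        return ["PC", *TOR, "VPN", "Website"]
    raise ValueError(f"unknown order: {order}")


def neighbours(chain: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """What each hop can observe: the (previous, next) hop, nothing else."""
    view = {}
    for i, hop in enumerate(chain):
        prev_hop = chain[i - 1] if i > 0 else None
        next_hop = chain[i + 1] if i + 1 < len(chain) else None
        view[hop] = (prev_hop, next_hop)
    return view


def learns_client_address(chain: List[str]) -> List[str]:
    """Hops that directly see the PC's real address (the ISP's view is the same)."""
    return [hop for hop, (prev, _) in neighbours(chain).items() if prev == "PC"]


def learns_destination(chain: List[str]) -> List[str]:
    """Hops that directly see the website the PC is talking to."""
    return [hop for hop, (_, nxt) in neighbours(chain).items() if nxt == "Website"]


def trail_back_to_client(chain: List[str], start: str) -> List[str]:
    """Parties that must cooperate, in order, for `start` to reach the PC.

    This is the "they have a VPN to contact to get your information" chain:
    each party only knows the one before it, so the trail is walked hop by hop.
    """
    i = chain.index(start)
    return chain[1:i][::-1]


if __name__ == "__main__":
    for order in ("vpn-first", "tor-first"):
        chain = build_chain(order)
        print(order, "->".join(chain))
        print("  sees PC:", learns_client_address(chain))
        print("  sees Website:", learns_destination(chain))
        print("  trail from Website back to PC:", trail_back_to_client(chain, "Website"))
```

In both orderings no single hop sees both the PC and the website; the difference is only which party sits next to each end, and therefore whom a compromised party would have to lean on next.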

In theory, the only thing the VPN would know is that you use Tor though.

> VPN is not private or anonymous at all

Everything is a compromise. Using HTTPS and a normal browser, if you gave a fake ID when you signed up for the VPN, all the VPN sees is that home IP address N is doing traffic to destination IP address D. The VPN keeps your ISP from seeing what sites you access, and keeps sites from seeing your home IP address. Useful pieces, but not perfect. Better than letting your ISP see everything, since the ISP knows so much more about you (such as your home postal address).

So, a VPN is a useful addition, but not perfect. Same with Tor/onion: useful, but not perfect (doesn’t handle other apps, doesn’t handle UDP, gets blocked more, lower performance).

Yes but how do I for example accomplish the first scenario over the second?

u/billdietrich1 is talking about protecting all traffic using a VPN, not just connecting to Tor through a VPN, and using it instead of Tor for web browsing because it is less blocked than Tor.

Yep. For their use case (using a VPN and then also connecting to Tor), it can make sense.