Tor And VPN | Using Both For Added Security
Using both Tor and a VPN can be tricky, and even dangerous if done improperly. Routing VPN traffic through Tor or vice versa has certain major benefits, as well as disadvantages, depending on your threat model. This article will briefly explain when, and how, to use both Tor and a VPN.
VPN To Tor
Computer > Encrypt w/ VPN > VPN Server > Tor Entry > Tor Exit > Destination (i.e. packets exit the VPN before going into the Tor network)
Using Tor through a VPN has some advantages, the most significant being that it hides the fact that you’re using Tor from your ISP. This would have been a benefit to the student who sent in a bomb threat over Tor (not that I condone ever doing that), as he was deanonymized by being the only person using Tor at the time according to Harvard’s network logs. Using Tor through a VPN would have hidden the fact that he was using Tor at all. Moreover, sending extra non-Tor traffic through the VPN helps to obfuscate Tor usage, and therefore prevents traffic analysis to a certain extent.
Where this setup fails is at hiding your traffic from a malicious Tor exit node. Because the traffic goes through the VPN and then into the Tor network, exit nodes can still watch your traffic unencrypted.
Also, if the VPN provider is logging traffic, then using a VPN won’t be much different from just using your ISP. In fact, because it should be assumed that there is always a chance your VPN is logging traffic (even if they claim they don’t), you really are gambling that the VPN is providing the protection you need. If logs are kept, then the traffic can easily be correlated back to your real IP.
Going back to the Harvard bomb threat again: if he had used a VPN that logged his traffic, the police could have gone to all the VPN providers that were connected to the network at the time and asked for any logs with a court order (and a VPN company won’t shut down for you). Because a chance of VPN operators logging activity always exists, my own opinion is that if your threat model requires that you hide your Tor traffic from your ISP, then it’s best not to use that ISP at all. Go find some public WiFi (though this is a tip we should heed whenever a high degree of anonymity is desired).
If you do insist on routing Tor through your VPN, then the setup is fairly easy. Simply connect to the VPN and then open Tor Browser (less safe) or Whonix (safer).
Tor To VPN
Computer > Encrypt w/ VPN > Tor Entry > Tor Exit > Decrypt w/ VPN > Destination
This configuration, to me, brings a greater degree of advantage to running both Tor and a VPN than the previous configuration does. Routing your traffic through Tor to your VPN has the major benefit of hiding traffic from malicious exit nodes. Because traffic is encrypted with the VPN before entering the Tor network, and because it is decrypted only after leaving the Tor network, any exit relays snooping on your traffic will see nothing but noise. The risks of VPN logging are also reduced, as any logs will have a Tor exit IP attached to them rather than your real IP (and usually it’s metadata that is logged, not content).
Of course the major difficulty in doing this is acquiring the VPN in the first place. Even though the VPN server will only see your IP as being that of the exit relay, your anonymity will be ruined if it has a financial record of you. Because of this, washed/anonymized Bitcoins, or better yet Darkcoins, must be used to purchase the VPN. You will also have to place the purchase over Tor to ensure that the VPN has no initial record of your account, and that the transaction IP doesn’t appear on the blockchain (remember to check that the site you’re visiting is authentic and using HTTPS). You must also remember to never connect to the VPN without first going through Tor. This requires some strict security habits, but if your threat model warrants this type of security then you don’t have much choice.
If you do decide to go this route, then the two easiest ways to get this setup are by using either PORTAL or Whonix. PORTAL provides the best protection, as the traffic is sent through Tor transparently using isolated hardware while failing closed (the downside being that you need to purchase and assemble the hardware). Whonix is far easier, but operates at the risk of VirtualBox/KVM being exploited.
If you’re using PORTAL, just connect to the PORTAL router and then connect to the VPN on your computer. If you’re using Whonix, connect to your VPN inside the Workstation VM.
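Whichever of PORTAL or Whonix does the torifying, the rule above is that the VPN client must never be able to dial its server directly. As an added example (not from the article, and not part of either project), here is a Python pre-flight check for a standalone OpenVPN client that is meant to reach the VPN through a local Tor SOCKS port; it assumes OpenVPN’s real `proto`, `remote` and `socks-proxy` directives, flags UDP (Tor carries TCP only), and flags any proxy that is not the local Tor listener. The sample configs are constructed.

```python
"""Pre-flight check for the Tor -> VPN setup: only launch an OpenVPN
client if its config forces the tunnel through a local Tor SOCKS port.
Hypothetical helper, not a Whonix/PORTAL component."""

TOR_SOCKS_PORTS = {"9050", "9150"}  # default listeners of the tor daemon and Tor Browser

def parse_ovpn(text):
    """Map each OpenVPN directive to a list of its argument lists."""
    cfg, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("<"):  # enter or leave an inline <ca>/<cert>/<key> block
            in_block = not line.startswith("</")
            continue
        if in_block:
            continue
        name, *args = line.split()
        cfg.setdefault(name, []).append(args)
    return cfg

def tor_first_problems(cfg):
    """Return the reasons this config could reach the VPN server without Tor."""
    problems = []
    # Tor carries TCP streams only; a UDP tunnel would bypass it entirely.
    protos = {a[0].lower() for a in cfg.get("proto", []) if a}
    if not protos or not all(p.startswith("tcp") for p in protos):
        problems.append("proto must be tcp or tcp-client: Tor cannot carry UDP")
    if not cfg.get("remote"):
        problems.append("no remote directive")
    for args in cfg.get("remote", []):  # a per-remote protocol overrides proto
        if len(args) >= 3 and not args[2].lower().startswith("tcp"):
            problems.append(f"remote {args[0]} forces {args[2]}")
    proxies = cfg.get("socks-proxy", [])
    if not proxies:  # without it OpenVPN dials the server straight from the host
        problems.append("no socks-proxy: client would connect to the VPN directly")
    for args in proxies:
        host = args[0] if args else ""
        port = args[1] if len(args) > 1 else "1080"  # OpenVPN's default SOCKS port
        if host not in ("127.0.0.1", "localhost") or port not in TOR_SOCKS_PORTS:
            problems.append(f"socks-proxy {host}:{port} is not a local Tor listener")
    return problems

# Constructed sample configs (203.0.113.0/24 is a documentation range).
LEAKY_CONFIG = "client\nproto udp\nremote 203.0.113.10 1194\n<ca>\nMIIB...\n</ca>\n"
TOR_FIRST_CONFIG = ("client\nproto tcp-client\nremote 203.0.113.10 443 tcp\n"
                    "socks-proxy 127.0.0.1 9050\n")

print("leaky:", tor_first_problems(parse_ovpn(LEAKY_CONFIG)) or "OK")
print("tor-first:", tor_first_problems(parse_ovpn(TOR_FIRST_CONFIG)) or "OK")
```

Run it against the real client config before starting OpenVPN and refuse to launch if the list is non-empty.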
Of course, this topic is often debated, so if you think I’m crazy throw me an email with an explanation as to why!
This article was originally posted on my own site, TheTinHat.com.
To support me writing more content, consider making a small pledge on Patreon. Even just $1 helps!