Tor + VPN

I’ve googled this but I feel that asking this here will give me more reliable info. Does using a vpn with TOR give you better anonymity or does it clash with TOR?

Thank you.

1 Like

You must not have looked very hard, no offense.

It’s one of the most commonly asked questions and in fact you will find it under “Most frequently asked questions” here: https://support.torproject.org/

3 Likes

While the answer is in the FAQ, let’s take a deeper look at what you’re asking.

The way I see it, it’s all a matter of who you trust. If you don’t trust your Internet Service Provider (ISP), you may think that it is better to use a VPN to connect to Tor, but then you’re just shifting the trust to your VPN provider. Many of them say that they don’t keep logs, but it’s up to you to decide whether you believe them. Your VPN provider probably knows who you are in that they know what account you use to pay them which is probably linked to your name, address, etc. which is the same as your ISP.

I can see the argument of connecting to a Tor bridge, then Tor, then to a VPN so you aren’t using a Tor exit node, In that case, you’re not really gaining anything when it comes to privacy/anonymity. The VPN provider still knows what websites you’re going to.

Tor bridge + Tor is the easiest and more secure way to connect if you want to maximize privacy and anonymity. Save the VPN for services where you aren’t terribly concerned about privacy like Netflix.

One last thing, you can always set up your own VPN on a VPS or a cloud server but then you’re again shifting trust to that provider and whether or not they are logging traffic. It’s all a balancing act of who you want to trust.

I fudged up and accidentally pressed post. Here is what I was attempting to say.

Your ISP definitely logs you, a VPN MIGHT log you. Those logs are then retained. Here is an example for USA.

" Time Warner currently retains user data for six months, and Verizon retains data for eighteen months. Then, under the Stored Communications Act, which is codified under 18 U.S.C. § 2701 et seq., the government may access this data."

And for Europe

“The 2006 European Data Retention Directive requires that all European Union ISPs keep records of their users for two years”

The UK

" England has been a strong supporter of Europe’s data retention policies. In 2000, the United Kingdom enacted the Regulation of Investigatory Powers Act (“RIPA”), allowing public agencies to carry out surveillance of private citizens without a warrant."

Isn’t it a good idea to switch DEFINITELY being monitored and recorded to MAYBE getting monitored and recorded?

Many providers accept payment via physical currency posted to their office or Monero transfer. All they would know is which country it came from in the postal method, and not even that via Monero. Some providers auto generate a user ID so you aren’t even known by email.

I disagree, most VPN companies are ran by people who have a long running history in IT security with a track record of defending user privacy, what do you know about the guy running your bridge?

Here is the facts: your ISP is DEFINITELY logging your activities, a VPN is MAYBE logging your activities.

Look at the contract with your ISP and it will openly state that they keep logs.

This is a bit devil-you-know vs devil-you-don’t-know. Especially for VPNs operating in jurisdictions where it would be impossible to hold them accountable. Such as where you spend crapcoin for a token that supposedly delinks you from any logs that a VPN provider supposedly doesn’t keep.

Running Tor over a VPN will only add latency. If your ISP would throttle your Tor connection, it’s also probable they would throttle your VPN connection(s) also.

This is aside from any more technical privacy analysis one might do, as pastly has published about.

So it goes back to – if there’s nothing to be particularly gained by running Tor over a VPN, and there are more unknown risks than the known risks of your ISP, should you do it? That’s something a person has to decide for themselves, I guess. But it seems to me the only rational course for Tor Project is to advise against it, and so they have.

2 Likes

what do you know about the guy running your bridge

Nothing, and I don’t need to, the person running the bridge knows only my IP.

2 Likes

And gets to monitor the size of data flowing through a session, bridges basically create a fixed point which doesn’t change. I imagine lots of agencies run bridges and try to match the traffic time and request against exit nodes. Most people who get in trouble because of Tor have either given themselves away or by monitoring or an exploit, people who have been identified through VPN have only done so through court request. Sorry if this is a big muddled, I’m slightly drunk

1 Like

This can be a good thing, it helps against timing attacks and you are more likely to get nodes which aren’t so close to you.

As I say it has been proven in court (within a 14 eyes country) that some providers legitimately do not keep logs. If they aren’t willing to buckle during an investigation into a high priority target then they certainly won’t just to record some random user. If it’s been proven in court then it’s a solid and genuine design.

If you’ve come into Tor with the intention of looking 100% natural to your ISP (who know everything about you) whilst trying to be anonymous then yes. You will just look like a regular VPN user to your ISP, especially if you use VPN on other devices as standard, YouTube videos in 1080p will pull 8mb+ so whatever you do it will still look natural to them.

Why do you think many repositories or submission pages advise people to use a coffee shop WiFi?

“For security reasons, we advise you, especially if you are uploading documents, not to use your home or work network, but instead to use a public Wi-Fi network in an area where your screen is not visible to security cameras.”

https://www.theguardian.com/securedrop

That’s what they want you to think. New this year.

2 Likes