For those of you who are particularly concerned about privacy and anonymity, you can combine VPNs with TOR. For the average user this is usually not needed. Some technical knowledge is assumed with this article.
What is TOR?
Tor (short for The onion router) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including “visits to Web sites, online posts, instant messages and other communication forms”, back to the user and is intended to protect users’ personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored.
What are the Drawbacks of TOR?
It tends to be much slower than a VPN as it introduces huge latencies due to the bouncing of traffic from several nodes. Furthermore, TOR traffic is unencrypted at the exit node and there is also no control over who your exit node is so rogue nodes may intercept and read your data. TOR provides anonymity (they don’t know who you are) but not security (your data remains unencrypted).
Why Would you Combine a VPN with TOR?
For not so sensitive activities you can still have decent protection using a VPN with minimal loss in speed. Having the option to further route through TOR can increase security OR improve anonymity depending on which end you put the VPN in.
notthatguy from Wilders Security has an excellent post on the various pros and cons on which end you should be your VPN on with a TOR network. Here is his post reproduced almost verbatim. His views are his and not necessarily of BolehVPN’s but I believe it is more or less accurate:
YOU → VPN → TOR:
- Greater flexibility. This way, you can reserve your ‘VPN –> Tor’ configuration for dealing with only the most mission-critical/confidential data… while still being able to use the VPN by itself for the bulk of day-to-day activity (which probably isn’t as privacy-sensitive).
- Neither my ISP nor my VPN provider can see my final destination. Sure, there’s always the risk that a rogue Tor exit node could be sniffing traffic… but as long as you are careful to keep your Tor activity 100% separate from your real-world identity, it isn’t going to matter. I say, let the rogue exit nodes sniff all they want… they’re not going to find anything useful anyway.
- You keep your “expendable men” on the front lines. In other words, if a Tor node gets blocked by a remote site, so be it–there are plenty of others to choose from. But if one of your VPN servers gets blocked, it could potentially become much more of a hassle.
- If an adversary tries to plant a “bug” on you in order to bypass your Tor connection, you still have the VPN as a last line of defense since it’s protecting the entire network… as opposed to Tor, which only gives you application-layer protection.
- VPN provider see’s where you’re coming from.
- Exit Node can see your traffic.
YOU → TOR → VPN
- Additional privacy layer (our VPN server will not see your real IP address but the IP of the TOR exit node)
- Option to connect to web sites under TOR protection, even to those sites which refuse TOR connections
- Usage of TOR even by the programs which don’t support it
- Access to TOR from all the applications transparently: no need to configure each application, one by one
- Avoidance of any traffic discrimination from TOR exit nodes (packets are still encrypted when they pass through TOR exit node)
- Major security layer in the event you pass through a compromised/malicious TOR exit node (packets are still encrypted when they pass through the TOR exit node)
- Less flexibility. If all traffic is being forced through Tor, it’ll severely limit your ability to do P2P, audio/video streaming, or any other bandwidth-intensive activity… not to mention it’s a waste of bandwidth in general for any activity where you don’t really need that much protection.
- My ISP can’t see my traffic, but they can certainly see that I am using Tor… which might inadvertently make me a “person of interest” in the eyes of a strong adversary. Conversely, connecting to a VPN server in a relatively friendly jurisdiction won’t look quite as suspicious… as there are seemingly more legitimate reasons for a “Westerner” to be connecting to a VPN as opposed to Tor. Maybe I am over-analyzing this, but that is just my personal opinion.
- With your VPN on the front lines, you could still end up losing your VPN account due to complaints or TOS violations. When it comes down to it, I’d rather have an expendable Tor node take the “heat” for some frowned-upon activity, than to sacrifice my precious VPN.
- Unless you’re 100% certain that your financial transaction with the VPN cannot be traced back to you, there’s a greater chance for the VPN to be linked to your real-world identity. If all an adversary has to do is “follow the money”, it won’t really matter how many of layers of anonymity (i.e., Tor) exist between you and the VPN server.