Tor and a VPN are both tools that use a combination of proxies and encryption to make it difficult for snoopers to track you. While they share some similarities, the key difference is that Tor is for anonymity, and a VPN is for privacy.
A VPN encrypts all of a device’s traffic and routes it through a remote server in a location of the your choosing. This assigns the user a new IP address–a string of numbers and decimals unique to a device that can be used to pinpoint the user’s location. The encryption prevents internet service providers from being able to monitor your activity.
While most good VPN providers offer a “no logs” policy, VPNs still require a degree of trust that the provider won’t record user traffic or give in to corporations, hackers, and governments that demand user information. Your activity is private, but not necessarily anonymous.
Tor encrypts the user’s traffic and routes it through several nodes run by volunteers, known as the Tor network. Every time a new website request is sent, the route changes, making it next to impossible for anyone to trace the user. Unlike a VPN, there’s no central authority that controls the traffic flow, so trust is not necessary.
These entry and exit nodes are well documented, however, so both your ISP and the destination server can easily find out if you’re using Tor. Some ISPs, websites, apps, and governments will block traffic to and from Tor exit and entry nodes altogether. In some countries, simply accessing the Tor network will get your name added to an ISP’s naughty list. That means your activity is anonymous, but not entirely private.
VPNs are faster and thus more suitable for streaming video, torrenting, and other download-intensive tasks. Tor is more suitable for anonymous web browsing and accessing .onion websites on the DarkNet.
For extra protection and more flexibility, Tor and a VPN can be combined. Traffic can be encrypted by both and then channeled first through the Tor network and then over a VPN (VPN over Tor) or vice versa (Tor over VPN). We’ll discuss the pros and cons of both configurations further down, but first let’s talk about which VPNs are most suitable for Tor users. Note that while combining Tor with a VPN will improve anonymity and privacy, it will have a heavier impact on connection speed and latency than using either one on its own.
We’ve evaluated the following VPNs based on these criteria:
- Features designed specifically for Tor users
- No logs policy
- Strong encryption
- Anonymous payment methods
Panama-based NordVPN gives users access to specialized servers pre-configured with Tor over VPN, which means all traffic is first sent through the VPN and then automatically redirected through the Tor network. This is great if you have apps other than a browser that you’d like to use with Tor. A double-VPN option is also available, which could be used with the Tor browser for a total of two VPNs and the Tor network, if you can tolerate the speed hit. NordVPN also boasts a strict zero logs policy and 256-bit AES encryption. The company accepts Bitcoin. Apps are available for Windows, MacOS, iOS, and Android.
Note that some experts object to Tor over VPN servers because NordVPN could hypothetically see what users are doing with their Tor connection by analyzing traffic before Tor encrypts it. NordVPN says it keeps zero logs, but if this is a concern, we recommend setting up Tor and the VPN independently.
ExpressVPN recently launched a .onion version of its website for users who want to anonymously make an account. The British Virgin Islands-based company accepts Bitcoin and sticks to a good no-logs policy. Some non-identifying information is logged such as dates (not times), choice of server location, and total amount of data transferred each day. Cutting-edge encryption is used by default including 256-bit AES encryption, 4,096-bit DHE-RSA keys with perfect forward secrecy, and SHA512 authentication. ExpressVPN is highly rated, fast, user friendly and has apps available for Windows, MacOS, Android, iOS, and Linux (command line).
Read our full review of ExpressVPN.
Deal alert: ExpressVPN has a 30 day money-back guarantee so you can try it risk free, it is also offering 3 months extra free on the 12 month plan for Comparitech’s readers.
AirVPN was the only provider to earn a perfect score in our VPN privacy assessment. It’s not the fastest or most user friendlty but it is the only provider we know of to build VPN over Tor into its apps, which routes traffic first through the Tor network and then through the VPN. The traffic is encrypted by both the VPN and Tor before it leaves your device. VPN over SSH and VPN over SSL are additional options. AirVPN maintains strong encryption standards: 256-bit encryption, HMAC SHA1 authentication, and DHE-RSA 4,096-bit encryption keys with perfect forward secrecy. It keeps zero logs and accepts bitcoin, several other cryptocurrencies, and some gift cards. Apps are available for Windows, MacOS, iOS, Android, and Linux.
Stay tuned for our full review of AirVPN or try one of their plans here.
BolehVPN supports Tor over VPN on certain OpenVPN TCP servers. It maintains a zero logs policy except in cases of suspected abuse, such as performing DDoS attacks or sending spam. It checks off all of the criteria for unbreakable security: 256-bit AES channel encryption, 2,048-bit RSA keys with perfect forward secrecy, and SHA-512 HMAC authentication. BolehVPN accepts Bitcoin and Dash. Apps are available for Windows, MacOs, Android, and iOS.
Note that some experts object to Tor over VPN servers because BolehVPN could hypothetically see what users are doing with their Tor connection by analyzing traffic before Tor encrypts it. BolehVPN says it keeps zero logs, but if this is a concern, we recommend setting up Tor and the VPN independently.
Stay tuned for our full review of BolehVPN or try one of their plans here.
VPNs Tor users should avoid
Due to poor logging policies that have led to the arrest of at least one user in the past and more invasive data retention laws recently passed in the UK, England-based VPN provider HideMyAss should be avoided by anyone who values privacy and anonymity.
Be wary of free VPNs. They look enticing on the surface, but in reality they often use substandard encryption, poor logging policies, force users to wait in queues to connect, and impose data or bandwidth caps on users. They often have fewer servers and IP addresses, which makes it easier to trace individual users. Many inject advertisements and tracking cookies into users’ browsers, sacrificing their privacy rather than bolstering it.
Tor over VPN vs VPN over Tor
Should you use VPN over Tor or Tor over VPN? Both have their advantages when it comes to both security and usability. We’ll outline the advantages and disadvatnages here.
Tor over VPN
You can use Tor over VPN simply by connecting to a VPN and accessing the internet through the Tor browser. Your traffic is encrypted by both Tor and the VPN before leaving your device. The traffic flow looks like this:
My device –> Encrypted by VPN and Tor –> VPN server –> Tor Network –> Internet
- ISP cannot see you are using Tor
- Neither ISP nor VPN can see your traffic*
- Easy to set up. Just connect to VPN and turn on Tor browser
- Access to .onion websites
- Flexibility to use VPN by itself with a normal browser for non-critical tasks
- Tor entry node cannot see real IP address
- Websites can block traffic from Tor exit nodes
- VPN can see (and potentially log) your real IP address
- Exposes traffic to compromised Tor exit nodes
*Note that NordVPN and BolehVPN could hypothetically analyze your traffic before it’s encrypted by the Tor network when using their Tor-over-VPN-enabled servers. The trade off is that all traffic can be routed through Tor without configuring individual apps to be used with Tor.
VPN over Tor
VPN over Tor is more difficult to set up because it requires configuration on the VPN server. As far as we know, only AirVPN offers this capability. The traffic flow looks like this:
My device –> Encrypted by VPN and Tor –> Tor network –> VPN server –> Internet
- Neither ISP nor VPN can see your traffic
- Access to websites and apps that normally block traffic from Tor exit nodes
- VPN cannot see your real IP address
- Not vulnerable to compromised Tor exit nodes
- All traffic routed through Tor without individual configuration
- No packet discrimination by Tor exit nodes
- ISPs can see you are using Tor
- Difficult setup, requires VPN provider’s assistance
- No access to .onion websites
- Tor entry node sees your real IP address
- Not application-specific, so unable to run P2P or other programs outside of Tor network without disconnecting from the VPN