Independently, both Tor and VPN provide significant network security, privacy and anonymity. Regardless, no cybersecurity tool is 100% secure, which is why it is recommended to use more than one at the same time. That said, when using both Tor and VPN, it is best to use Tor over VPN for maximum security instead of VPN over Tor.
Tor over VPN refers to connecting to a Tor browser after establishing a connection to your VPN, while VPN over Tor refers to the inverse. To understand why this is important, we must first explore the risks involved in using Tor and VPN and how Tor over VPN covers those risks as compared to VPN over Tor.
Risks of using Tor
Tor secures your data by encrypting and routing it through multiple nodes. The nodes are set up so that they only identify the IP of the previous and next nodes. As such, it is impossible to tell the origin or destination of the information shared via a Tor network. However, the data is decrypted at the exit node, and if that is compromised, then it is possible to see the information shared through the network. The fact that anyone can set up an exit node increases the risk. Additionally, your ISP or those with a backdoor to your ISP can tell you are using a Tor network by identifying the entry node, and you could become the subject of greater scrutiny especially if you connect to .onion domains (the dark web).
Risks of using VPN
A VPN secures your data by encrypting your entire network and the data within then routing it through a secure network tunnel to a different server. A different IP is assigned to the network making it impossible to identify the origin of the network traffic and even if intercepted the data is indecipherable.
However, the VPN client or those with access to the VPN client can identify your IP and the information shared through their network. This could be especially risky if the VPN stores logs of your data. Additionally, since an identifiable client runs the VPN, it is possible for the government to request your data legally, which is one of the dangers associated with free VPNs.
VPN over Tor
Although it is not the best connection, VPN over Tor covers some of the weaknesses of both VPN and Tor. For instance, the information at the exit node is encrypted by the VPN, which guarantees its privacy and anonymity. Theoretically, the VPN shouldn’t “see” the information either, but in reality, since Tor decrypts the information at an exit node, you are at the mercy of the VPN client.
If the VPN keeps connection logs, then the risk remains. Keep in mind that access to the Tor network is via a Tor browser, which in itself introduces web security vulnerabilities such as browser fingerprinting. Additionally, Tor doesn’t encrypt your entire network but only browsing data. Since the entry point of a VPN over Tor connection is the Tor network, your data speeds are lowered considerably.
Tor over VPN
Tor over VPN covers the weaknesses of both VPN and Tor significantly and much better than VPN over Tor. For starters, with the VPN being the entry point of your connection, the entire network is encrypted and not just browsing data. The VPN also optimizes the data speeds, so you get considerably faster speeds as compared to when using VPN over Tor.
Information shared via VPN is not decrypted by the destination server, which means that the information remains secure even as it moves through the Tor network. This eliminates the risks associated with the Tor network at both the entry and exit nodes. With a Tor over VPN connection, it is also possible to browse .onion domains without suspicion since the VPN encrypts the network.
Nevertheless, using Tor over VPN does not cover for the weaknesses of using the VPN, especially regarding connection logs and legal issues. For that, you need to find a VPN that is renowned for its privacy, security, and anonymity such that it does not store connection logs and does not fold under legal pressure.
Using Tor over VPN offers you the opportunity to combine the exceptional anonymity of Tor with the privacy and security of VPN. Your choice of VPN is therefore critical when establishing this connection. You also need to consider the overall security of your devices meaning you need to have at least a secure Operating System and an antivirus installed on your devices.