Author: snotknot (Admin)

  • Tor + VPN = Bad (Continued)

    Published: Aug 30, 2023

    You may be thinking “people say that you SHOULD use a VPN with Tor, so why should I take your word over theirs?”

    You are correct. People suggest dumb things all the time.

    What I will be trying to do is use logic (cryptography, information systems, weighing the pros and cons that come from using a VPN with Tor, etc.) to show why it’s probably not the best idea.

    Let’s get started.

    I am not the only person who is going to tell you that it is not a good idea to combine a VPN with Tor for the purpose of anonymity. This thread is essentially going to show you that people indeed combine Tor with VPNs, but for other reasons.

    Tor, on their official website, advises against using a VPN with Tor.

    “Can I use a VPN with Tor?”: https://support.torproject.org/faq/faq-5/

    Let’s debunk this.

    “Using Tor with a VPN is a good way to add another layer of security.”

    No, it is not.

    The longest TLDR in history: Additional layer of encryption FOR WHAT? Your .onion encrypted traffic? Redundancy ≠ security; in fact, it is the opposite. A VPN is just one extra layer of complexity in your OpSec foundation that you have to worry about. All of that risk for what? It has very little return on investment.

    Please do not waste your crypto on VPNs with the intent of anonymity.

    “This is because a VPN protects you in case the Tor network is compromised, and it hides Tor use”

    What they are referring to is your real IP address behind Tor somehow being exposed, whether through the Tor network itself being compromised, one or more nodes in your circuit being compromised, or you forgetting to disable JavaScript and connecting to a site that runs malicious JavaScript code.

    We will play into this hypothetical that you are using Surfshark VPN. Let’s also assume that you paid for this VPN anonymously and only connect to it anonymously. This means you are using a Wi-Fi network that cannot identify you (stolen Wi-Fi, open Wi-Fi, etc.) to connect to the Tor network, where you then connect to the VPN that you paid for anonymously with crypto (covered in security thread part II).

    The final connection chain looks like this:

    Stolen/Free WiFi > Tor > VPN.

    Notice anything wrong about this? Remember how I mentioned that having a VPN as your end node only offers convenience factors and not anonymity? This is because the VPN can just be subpoenaed, which makes it pointless from an anonymity point of view. We also know that you can’t connect to .onion sites using Tor if the VPN is your end node, WHICH MEANS your connection chain has to look like this:

    Stolen/Free WiFi > VPN > Tor.

    With this connection chain, Tor is the end node.

    Let’s continue going into the details with this connection chain.

    In this case, if one of your Tor relays is compromised and your IP behind Tor is leaked, they will get the IP of the VPN server as it’s the hop before Tor, and if they subpoena the VPN, they get the stolen/free Wi-Fi IP… but at that point, why not just skip the VPN as a whole?

    If you don’t use crypto and you pay for the VPN with your real identity, or connect to the VPN with your home Wi-Fi or any network that can identify you (your work Wi-Fi, a friend’s Wi-Fi, your parents’ Wi-Fi, etc.), then it’s pointless. Literally.

    People will say “the VPN doesn’t hurt anything. It’s an extra layer of encryption, an extra node that pattens your real IP, and doesn’t hurt as long as you purchase and connect to it anonymously!”

    All I have to say to that is: Most people who I’m aware of who know what they’re doing who are current/former cybercriminals (blackhat hackers, carders, DNM vendors, or anything that requires you to have the skill of anonymity and OpSec mastered) do NOT use commercial VPNs.

    Will you find the occasional person who genuinely knows what they’re talking about, is reputable online, and combines Tor with a VPN? Yeah. However, very few do it for anonymity.

    There are wanted individuals who have done awful things who are actively free despite being under heavy monitoring/funding from numerous government agencies due to their online anonymity who do NOT use VPNs. The way they do it is by properly utilizing encryption (Tor, PGP, etc.) as well as understanding forensics and how to counter it (Tails, Whonix, etc.) which allows them to be free. You can use a VPN all you want, but if you fail to utilize encryption, as well as taking the proper precautions to prevent forensic investigators from obtaining evidence tied to your activities, then it’s game over.

    (Note: I obviously do not endorse the activities of these individuals. The point is that if the police are after anyone, it’s THESE GUYS. You are low hanging fruit compared to them and if they can get away with their heinous crimes, then you can get away with something to a lesser degree)

    Back to the quote.

    The quote mentioned that it hides Tor use; this is true. However, you can just use a bridge. Bridges are more effective and are built into Tor for free. If you don’t want your “ISP to know you’re on Tor”, using a VPN will just tell the VPN that you’re using Tor instead of your ISP. You don’t have to go through all of the hoops of obtaining crypto anonymously.

    More sources:

    Did you know that Tails also says VPNs don’t offer strong anonymity?

    Source: https://tails.net/support/faq/index.en.html

    Notice how they say “VPNs have clear benefits over Tor”? Over Tor means the VPN is the exit node (You > Tor > VPN), which of course means you cannot use the dark web.

    Does this sound familiar? Hmmmm. Remember how I said people combine a VPN with Tor for convenience reasons on the clearnet and not anonymity reasons on the darknet?

    More sources:

    “When Cybercriminals with Good OpSec Attack”: https://www.youtube.com/watch?v=zXmZnU2GdVk

    Now we’re actually getting into the fun territory because this video covers a group of cybercriminals who had a really good OpSec foundation. The video covers their OpSec foundation, how they were caught, and all of the other interesting information. This is one of the many examples of utilizing publications on the internet to learn from others. This is a rare situation where the person(s) who were caught actually knew what they were doing. I recommend watching the whole video.

    I recommend taking notes about their operation in terms of OpSec. You don’t have to go as far as flashing custom firmware on routers, but pay attention to their computer opsec. They are using nested encryption with Wi-Fi that does not tie to their identity. It’s important to note that they were an entire cybercriminal group or “Gang” or whatever, so they had to be overkill. The more people involved = more likely for someone to make an OpSec mistake and take everyone down with it, which is why they had a dedicated “OpSec” guy who custom configured their “work” computers.

    I’ll cover parts of their OpSec foundation that you should try to replicate if you want to be a ghost online or if you’re doing anything sketchy/illegal:

    • Full Disk encryption (LUKS & LVM on Linux)
    • Encrypting external media (which is where any evidence of your activities should live)
    • stolen/free WiFi (NEVER, under ANY circumstances use your home WiFi (or any network that can identify you) if you’re doing anything illegal or want complete anonymity)

    Oh… and you should be using a Torified distro such as Tails, with Tor bridges and JavaScript disabled via Tor engine (about:config), of course. Tails is not a “must have” obviously but is nice to have as it’s configured by default to do many things that will aid in your privacy and anonymity.

    More sources:

    “Don’t Use a VPN with Tor”: https://www.youtube.com/watch?v=_dRdmmspH9E

    This video was made by a guy named Heath Adams. He is an ethical hacker who owns his own cybersecurity company named TCM Security.

    I wanted to include Heath Adams as a resource for a couple of reasons. Firstly, he is not an anonymous figure. This means that his training, background, history, etc. are all publicly available information. This makes him more of a credible source, as opposed to linking you to a story of some random guy on the darknet who goes by his anonymous handle and you just have to kind of “trust” that he knows what he’s talking about.

    Heath Adams has every industry professional certification you can think of:

    • OSCP, OSWP, eCPTX, eWPT, CEH, Pentest+, A+, and more.

    Although his bread and butter is hacking legally and not so much anonymity/privacy, he is still a reputable resource. Having the knowledge to break into systems also teaches you how systems are created/maintained and how they work from a networking perspective and so on. It all goes hand in hand at the end of the day.

  • Why you should stop using Commercial VPNs

    Published: Nov 24, 2023

    I watched this video on my homepage and decided to write a post about it.

    I agree with everything he says.

    It’s not hard to find people on the internet who say VPNs are good for privacy. They are not.

    It’s important to mention that I am aware of the convenience factors VPNs offer, such as:

    • bypassing IP bans
    • watching content that is banned in your country
    • pirating
    • etc.

    All of these are great use cases for VPNs. This is not what we are here to discuss. We are discussing why you should save your money on VPNs if your goal is enhanced privacy/security.


    Average YouTube VPN ad:
    “A malicious actor can capture your sensitive data on a public Wi-Fi network”.

    If you want privacy, security, or both, then you should be using something like QubesOS. If you don’t want to go to those extremes, then you should create a privacy/security friendly ecosystem. An example of this includes using Linux, Firefox, and DuckDuckGo. These solutions attack the root of the problem rather than creating a questionably irrelevant workaround that isn’t guaranteed. All VPNs are potential honeypots, even the good actors such as Mullvad. This means that simply using a VPN is not enough, and only resolves a small portion of the issues with online privacy/security. With the privacy/security friendly ecosystem discussed above, you are guaranteed to have increased privacy/security and by a very large margin. With VPNs on the other hand, the privacy & most of the security advantages are not guaranteed to be valid, and if they ARE valid, they are extraordinarily small advantages.

    True or false:

    Billy uses a VPN provider that magically does not keep logs of his traffic and is not a honeypot. Billy finally has privacy!

    …He now can safely go on YouTube, Twitter, Reddit, and Tiktok.

    Do those sound like privacy friendly platforms?

    No, of course not. You have to attack the root of the problem if you want to make a noticeable impact. The point is: it’s illogical to fight for privacy with VPNs, only to then use the least privacy friendly platforms.

    Most people who buy these VPN subscriptions are people rocking laptops running Windows or MacOS, with Google Chrome as their browser, that they then use to access YouTube and so on.

    They are still living rent free in the Google/Microsoft/Apple/etc ecosystem. What is a VPN going to do for your online privacy if you’re using Windows/MacOS, Google Chrome, and accessing sites like Twitter and Tiktok? Pretty much nothing.

    If you want to have a noticeable impact on your privacy and security, you need to either heavily commit and make a LOT of beneficial changes, or fully commit and go full out paranoid mode. This whole “I’ll just slap on a VPN and I’ll be good” mindset is asinine.


    Wanna learn more about VPNs?

    Tor + VPN = Bad

  • Settling The Web Browser Debate

    Published: Nov 24, 2023

    Last updated: March 26, 2025

    I used to use Firefox.

    1. I wanted something fast
    2. I wanted something that just works
    3. I didn’t want to give Google my data

    Now I use Brave, because Chrome is trash and so is Firefox now (This was updated after the Firefox data collection news).

    TLDR of this post: Use hardened Firefox (yes, even now) if you care about privacy, otherwise use any other browser.

    Nowadays I am a lot more busy and I need an effective setup that just works and gets the job done. I no longer have time to nerd out on hardening a Firefox install and just don’t care anymore.


    The debate since the beginning of time has been “Google Chrome or Firefox???”

    With newer browsers gaining popularity (mainly Brave & Opera), it is giving people more of a reason to switch browsers.

    Did you know that most browsers are just Chromium forks?

    Every popular browser currently, other than Firefox & Safari, is Chromium based.

    This means the developers built on top of Chromium to make their own forked browser.

    All of the Brave users who think they have top tier privacy and security in reality do not since they are using a browser that isn’t de-googled. You have better privacy and security, yeah, but you’re still using a Chromium fork and giving Google your data. One of the reasons Brave is labeled a “privacy friendly” or a “security friendly” browser is due to the fact that it is open-sourced, just like the browser it’s based on (Chromium).

    Brave also has security/privacy friendly features baked into the browser by default, such as:

    • blocking trackers
    • preventing fingerprinting via user-agent
    • potentially preventing phishing attempts

    This leads many to believe Brave is more privacy friendly out of the box than Firefox, and at the end of the day that answer ultimately comes down to your definition of “privacy”.

    From a technical perspective this theory is incorrect as it is still a Chromium fork at the end of the day and you’re better off configuring a Firefox install to mirror the benefits of Brave. There is nothing that Brave does that cannot be done on a Firefox instance, and many of these features can be modified directly on the Firefox engine using about:config. Extensions can do the rest, such as uBlock Origin (RIP chrome users) and a user-agent randomizer extension.

    A modified Firefox instance with the proper settings and extensions is the route if you want privacy and security. If you don’t, then any other browser will work.

    Think of every browser as a bloated version of Chromium, because that’s literally what they are; a Chromium fork with extra features.

    Chromium & Google Chrome

    Chromium is just a better Chrome. uBlock Origin also works on Chromium. I advise just using Chromium if you’re looking for something reliable and fast and privacy isn’t a concern. Chromium looks and feels exactly like Google Chrome.

    Chromium has to be:

    • reliable
    • fast
    • well maintained

    This should come as no surprise, right? Chromium is what most browsers are built upon. Developers have to trust Chromium as the foundation for their project.

    Chromium & Chrome are both good options when it comes to speed because Chromium is known as a browser foundation and is what Chrome is based off of, and Chrome is the most popular web browser in the world. Popularity = well maintained and fast browser for end-user convenience.

    Google owns the most popular web browser AND the most popular search engine in the world. This allows their browsers to be extremely “compatible”, efficient, and fast as it’s all the same ecosystem of tech.

    The Google search engine is also the best search engine for consistent results. Google by far gives the best results of all search engines in terms of consistency, accuracy, etc. This is due to the popularity of the search engine. The Google search engine is arguably the most popular piece of software ever created. This grants the Google search engine a huge advantage over other search engines as it has more information generated into the algorithm.

    Picking a search engine to use is just deciding what neural network you want to use. What network had more time to develop with more data fed into the algorithm?

    Brave

    There isn’t a whole lot to discuss about Brave as I already covered its selling points.

    Key takeaways:

    • fork of Chromium
    • Has features built in by default that are privacy & security friendly
    • want privacy? just use a well configured Firefox install instead, watch this video, as well as this video
    • if you want privacy but you’re “too lazy” to custom configure a Firefox install, use Brave

    Opera

    Take Chromium > bloat it > bam you have Opera

    Summary

    It does not matter what browser you use.

    Use what you want.