Using the TOR Browser over VPN

Using the TOR Browser over VPN

“The onion routing protocol, it’s not as anonymous as you think it is. Whoever’s in control of the exit nodes is also in control of the traffic. Which makes me… the one in control.”

- Elliot Alderson (Mr.Robot)

The quote above isn’t entirely accurate. I covered this during podcast episode 008, but thought I’d revisit this much-debated topic once more.

The TOR Browser connects to the TOR network by first connecting to an entry node (or entry guard). Traffic is encrypted as it passes through each node in the network. From the entry node, it connects to a middle relay, which then connects to an exit node. This is why it’s called The Onion Router, as it functions like layers of an onion. The only traffic that is unencrypted is from the exit node to the destination web server.

If Elliot is in control of the exit node, he will see encrypted traffic coming from the middle relay, and he WILL also see the unencrypted traffic to the web server in plain text, unless the connection to the web server is secured with HTTPS. The unencrypted traffic from the exit node to the destination web server does not contain the client’s IP address. The exit node can see the contents of the traffic (if it is not encrypted by other means like HTTPS), but it does not reveal the client’s IP address though. The entry node in the TOR network knows the client’s IP address, but it does not have the capability to decrypt the entire traffic or see what websites are being visited.


Understanding the differences between TOR (The Onion Router) and VPNs (Virtual Private Networks) is important. Both can enhance your online anonymity (also read my other blog), but they do so in different ways, and both have their merits for different threat models and use cases.

TOR (The Onion Router)

The key point to remember about TOR is that it’s a decentralized network, designed to anonymize internet traffic by routing it through multiple nodes. By using a decentralized approach, this means that no single node has control over the entire network, making it a ‘trustless’ system. This means that no single node in the TOR network can know both the source and the destination of the data. Instead, each node only knows the node immediately before and after it.

When using TOR, your internet traffic is encrypted and routed through this series of nodes, with each node peeling away a layer of encryption, like an onion. This process helps to obscure your real IP address from the sites you visit.

Security Points in TOR:

  1. Entry Node: The entry node is the first node your client connects to. It knows your client’s IP address but not the final destination.
  2. Middle Nodes: These nodes exist between the entry and exit nodes and only know the previous and next hop.
  3. Exit Node: The exit node is the last node and connects to the final destination.

As Elliot mentioned in Mr. Robot, TOR isn’t without risks. A threat actor controlling both the entry and exit nodes can perform traffic correlation attacks, correlating (linking) the source and destination IP addresses. Additionally, ISPs can detect TOR because TOR node IP addresses are public. Just because your ISP knows you are using TOR isn’t a bad thing per se, but in some regions around the world, this could be a bad thing.

VPN (Virtual Private Network)

VPNs are very different and operate with a centralized model. When you use a VPN, you are routing your internet traffic through the provider’s VPN server, essentially creating a tunnel, so websites you visit only see the source IP of the VPN server (not your real IP). While this can provide a high level of privacy from the service you are visiting, it also shifts trust to the VPN provider.

Security Points with VPN:

  1. Using a VPN means you are shifting trust from your ISP to the VPN provider. This provider has the potential to see your real IP address and, if it logs data, your browsing activities. We must always assume, no matter what the VPN provider’s marketing says, that they do have the ability to log your traffic.
  2. Your ISP can see that you are connecting to the IP address of the VPN server, but not what websites you are visiting (provided DNS is set up correctly!).
  3. The website or service you are visiting only sees the VPN server IP address.

When you boot your computer, or even a phone or tablet, many background services start to ‘chatter,’ whether that’s Dropbox, Google, Adobe, Microsoft, Apple, and so on. If you connect to a VPN after your computer boots, using a VPN client, then these services have already revealed your real IP address. It’s not only important to use an always-on VPN, but to also minimize how many services are starting with your computer. If you use Windows, look at the tray icons by the clock. Each one of those is establishing a connection to the cloud, not to mention many services that run as part of your operating system (Windows, Mac, or Linux).

Comparing the Two

The choice between using TOR or a VPN (or both) largely depends on your specific threat model, and your security and privacy goals. As mentioned previously, VPNs are not, and should not be used for anonymity. Unless, of course, you want basic anonymity from the websites you are visiting. Remember, a subpoena or court order can force your VPN provider to start logging traffic and to reveal your real IP.

TOR is more suitable for scenarios where anonymity is critical, such as avoiding government surveillance or protecting the identity of activists and journalists. Since TOR is a decentralized model, unlike using a VPN provider, a subpoena or court order won’t cut it. The downside? It’s slow and often blocked by legitimate sites since ‘TOR must be bad,’ although I disagree.

Using TOR over VPN

So which is safer, using TOR over VPN or without VPN? If you choose to use TOR over VPN, first be careful your VPN client isn’t leaking your data. OpenVPN or services from trusted VPN providers such as Proton should be safe, but there is still a possibility of something going wrong. If you use VPN on pfSense, then all your traffic is routed over the VPN, including TOR.

The answer really lies in whom you are shifting the trust to. If you use TOR over VPN, you are shielding the fact that you are using TOR from your ISP, but now your VPN provider can see that you are using TOR. Personally, I trust Proton more than my ISP. I do know that my ISP monitors traffic and even sells it!