Onion over VPN: how and why to use Tor on top of a VPN


Fanny Dufour

January 31, 2024 at 10:20 a.m.


Everyone concerned about their security and privacy on the web knows about VPNs and The Onion Router. Did you know, however, that a method called Onion Over VPN exists to combine the two? What is this method? How does it work? Can it be used with a free VPN? Is this the same as what some VPNs offer? Is it useful to use Tor with a VPN? We will explain everything to you.

The difference between Tor and a VPN

How does a VPN work?

When you connect to a VPN’s server, the client creates a secure tunnel between your device and its server through which to pass encrypted data. The goal is to prevent an outside observer from intercepting this data and therefore knowing what precisely you are doing. On your Internet Service Provider’s side, they will be able to see the connection to a VPN server, without determining what your destination is, for example a website if you are using your VPN with a browser. As for your destination, it will not receive your IP address, but that of the VPN server. This way, it will not be able to determine precisely who you are and create a profile about you. Since VPN servers are present in many countries, connecting to one of them also allows you to be located in a country other than the one where you are physically located, thus allowing you to bypass geographic blocks.

How does Tor work?

To give you more anonymity online, The Onion Router, better known as Tor, uses a relay system. Each of these relays or nodes is hosted by volunteer users of the service. Tor works on a simple principle. To be able to easily spy on your browsing, it is necessary to have at least two pieces of information: the IP address, to know who is visiting a given site, and the destination, to know which site is visited.

To prevent this information from being obtained by a single entity, Tor passes your data through multiple nodes in its network and protects it with as many layers of encryption as there are nodes on the path, usually three. When you connect to Tor, you arrive at the first node, called the entry node. This node sees your IP address, but not your destination. Also, your Internet Service Provider may see that you are connecting to Tor, without determining why. The first node removes a first layer of encryption and passes the rest of your data to the middle node. This node is the one that knows the least about you: all it receives as information is the address of the first node and the address of the node to which it must send the data. It also removes a layer of encryption and sends the information to the last node, the exit node. The latter does not know your IP address, having only received that of the intermediate node, but it removes the last layer of encryption to know what your destination is and thus send your request to the site you wish to visit. For its part, the visited site receives the IP address of the exit node and does not know where the traffic actually comes from.
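The layering described above can be followed step by step in a small simulation. This is an added example, not code from the article or from the Tor project: the relay names, addresses and keys are constructed, and a toy SHA-256 keystream stands in for the real relay encryption.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR); a stand-in, not Tor's real crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

# Constructed circuit: relay names, addresses and keys are made up for the example.
CIRCUIT = [
    ("entry", "198.51.100.1", b"key-entry"),
    ("middle", "198.51.100.2", b"key-middle"),
    ("exit", "198.51.100.3", b"key-exit"),
]

def build_onion(request: str, destination: str) -> bytes:
    """Client side: wrap the request in one encryption layer per relay."""
    payload = json.dumps({"next": destination, "data": request}).encode()
    next_hop = None
    for _, addr, key in reversed(CIRCUIT):  # innermost layer belongs to the exit
        if next_hop is not None:
            payload = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload = xor_layer(key, payload)
        next_hop = addr
    return payload

def route(onion: bytes, client_ip: str) -> list:
    """Relay side: each relay removes its layer; record what it can observe."""
    views, sender, payload = [], client_ip, onion
    for name, addr, key in CIRCUIT:
        layer = json.loads(xor_layer(key, payload))
        is_exit = name == CIRCUIT[-1][0]
        views.append({
            "relay": name,
            "sees_sender": sender,            # address the traffic arrived from
            "forwards_to": layer["next"],     # only the next hop is revealed
            "sees_request": layer["data"] if is_exit else None,
        })
        if not is_exit:
            payload = bytes.fromhex(layer["data"])
        sender = addr
    return views

if __name__ == "__main__":
    for view in route(build_onion("GET /", "example.org"), "203.0.113.7"):
        print(view)
```

No single entry in the result holds both the client address and the destination, which is the property the three-node path is designed to give.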

The advantages and disadvantages of the “Onion Over VPN” method

In an attempt to further improve the protection of their anonymity and the security of their data on the web, some users are tempted to use a method called “Onion Over VPN” or “Tor Over VPN”. They connect to their VPN first, then connect to Tor. Thus, the data is encrypted by both the VPN and Tor. This method has two main advantages: the Internet service provider only sees the connection to the VPN and therefore does not know that the user subsequently accesses The Onion Router, and the entry node receives the IP address of the VPN server instead of that of the user. This method can be useful if you live in a country where connecting to Tor is more suspicious than connecting to a VPN or if Tor is blocked. In this configuration, your VPN also does not see your activity and destination within the Tor network.

However, this is only useful if you explicitly trust your VPN provider more than your ISP, and believe your VPN’s network to be more secure. In these cases, you need to make sure you use a truly no-log VPN so that the connection to Tor cannot be traced back to you. If the VPN provider delivers on all its promises, you will be better protected if the entry node is compromised.

One of the main disadvantages of this method is its slowness. The Tor network is already known to be particularly slow due to the need to pass information between multiple relays, and adding a VPN adds another hop and therefore worsens the loss of speed. Some people also believe that using a VPN with Tor actually brings no advantages or disadvantages.

Others argue, on the contrary, that using a VPN with Tor introduces an additional risk since it is now necessary to have complete trust in a company which has your personal information (during payment for example), which runs against the philosophy of Tor. Tor is based on the principle that you do not need to trust anyone on the network, because it is very difficult for a single entity to control enough entry nodes and exit nodes to monitor and deanonymize someone’s traffic within the Tor network. And you don’t need to reveal any personal information to use Tor.

Let’s say you decide to use Tor while connected to public Wi-Fi: if you first connect to a VPN that breaks its promise not to keep any logs or personal information, it’s easy to trace your connection to that Wi-Fi and to Tor by identifying you through your VPN, whereas using Tor alone makes this identification more difficult.

In general, The Onion Router recognizes that using a VPN before connecting to Tor can have benefits in some special cases, but this requires people to have enough technical knowledge to do it correctly; otherwise it may introduce additional dangers for their anonymity.

The Onion Over VPN servers offered by VPNs

Some VPNs, like ProtonVPN or NordVPN, offer Onion Over VPN or Tor Over VPN servers. In one click, they offer to connect to the VPN before automatically passing you through the Tor network. In this way, they promise you access to Onion sites in your usual browser, where normally it is recommended to use the Tor browser.

But Tor Browser is more than just a browser. It is configured in such a way that it allows users to be anonymous wherever possible. It comes with NoScript, an add-on that allows you to control the execution of JavaScript on different pages. Its window is a standard size for all users, to prevent them from being recognized by the size of their screen. Most importantly, every time you visit a new site, a new circuit in the Tor network is created. This way, if Facebook is open in one tab and you visit another site in another tab, Facebook has no way of knowing that you are visiting the other site and tracking you there. Tor Browser has many other privacy and data security features that other browsers don’t have by default.

Even though the Onion Over VPN option included in NordVPN and ProtonVPN seems convenient, it can therefore be more dangerous for your anonymity in some cases. Using your regular browser prevents you from taking advantage of the security provided by the Tor browser. It is necessary to determine your privacy needs before using this method.

VPN Over Tor, the mistake not to make

Exit nodes are probably the most sensitive nodes in the Tor network. It is also not recommended for individuals to host them on their personal connection, at the risk of getting into trouble with the authorities. They are the nodes that relay the traffic to its destination and therefore learn what that destination is. If controlled by malicious entities, they can be an attack vector, including for man-in-the-middle attacks, and pose a risk to Tor users. Some would be tempted to protect themselves by connecting to Tor and then connecting to their VPN in order to hide their traffic from the exit node. Also, since Tor nodes are public, some sites block access from them. Using a VPN after connecting to Tor could solve this problem since the traffic would no longer come from the exit node but from the VPN server.

But it’s a bad idea. With this method, everything goes through the VPN tunnel and you therefore lose the anonymity and confidentiality provided by the Tor network. Additionally, the entry node gets your IP address and your ISP knows that you are connecting to Tor. To make matters worse, the whole thing is complicated to set up, is generally not supported by VPNs and is therefore not recommended at all.


Fanny Dufour


Arriving in editorial through video games, it was through a passion for web development that I became more broadly interested in everything that revolves around our consumption of digital tools, from privacy issues to free software including security. Unconditional science fiction fan always ready to explain for hours why Babylon 5 is my favorite series.
