VPN -> TOR, what's the problem?

Hi, I’ve seen Techlore’s last Incognito video on Tor, where he recommends using Tor separately from VPN instead of VPN->Tor, can someone explain why? He mentioned that with Tor via VPN the exit node is not encrypted, which is the case without VPN as well, if I understood what he meant by that. So I wonder, is this a type of full-retard recommendation (as was the initial “don’t wear masks” in the US), because you are for some reason expected to exhibit an incredible degree of overzealous proactive cretinism necessary to make the efficacy of such an approach negative?

1 Like

Here’s what’s gonna happen: everyone will post links which are supposed to explain why that’s bad, but no one will really be able to explain it.
I said it once and I still believe it’s true:
you --> Tor --> Website
If the entry node and the exit node are controlled by some agency, they will be able to de-anonymize you easily. It’s not even safe if the entry node was a malicious one, which happened quite often.

you --> VPN --> Tor --> Website
The only thing that the entry node will see is the IP address of your VPN provider. You’re safe. If the entry and exit node were owned by some agency, they will still only get the IP Address of your VPN Provider, you’re still safe.
Assuming you’re using ProtonVPN or Mullvad (or even OVPN which proved that it doesn’t keep logs in a court for a couple of months), you’re a lot safer than directly connecting to TOR.
I would rather trust ProtonVPN not to keep logs, in case they got to them, than my ISP. Your ISP WILL turn you in, your VPN Provider PROBABLY not.

2 Likes

Beliefs are funny that way. If you think you know more than the specialists in onion routing who work for Tor, good luck.

This has been addressed at: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN

2 Likes

So basically the site recommends it given the VPN provider does what they claim.
I love Techlore and what Henry is doing, but it seems to me, in an effort to address some notion of the ultimate noob, they just gave bad advice.

They’re not recommending anything there. They are just listing the tradeoffs of each approach. Also note:

If you know what you are doing you can increase anonymity, security and privacy.

The problem here is a lot of people think they know what they’re doing, but in actuality, most don’t. They don’t know what tools a potential adversary ISP would be using, they’ve never tried doing a mitm on themselves, they don’t know how Tor handshakes, they don’t know how to use a bridge if they had to, etc etc. They just think the VPN provides them with some extra magical obfuscation for Tor traffic – without having any means to verify the VPN provider is doing anything they’re saying they do, or knowing if they’re doing other things they don’t mention at all (either by 3rd party audit or transparent ops).

The reality is that most people, without any sufficient technical experience in this field, try to trade the devil they know (the ISP) with a devil they understand just as poorly or worse (a VPN provider) then try to run Tor (another thing they probably don’t understand) over both, so they can have delusions they’re anonymous.

Then they try buying drugs on a market and wonder why the market shut down a week later, and then sweat the next (n) months waiting for a knock on their front door not knowing one way or another if the market fucked up, or if they fucked up, because they didn’t know any better at the beginning.

Tor provides a lot of safety on its own. It’s not perfect, nothing is, but it becomes more risky if they are doing things they don’t understand.

If any of this sounds insulting, it’s because I’ve watched wave after wave of people making opsec mistakes over the years and still going in with inadequate knowledge and bad assumptions.

2 Likes

I think this would help you: https://tube.privacytools.io/videos/watch/43ae61c4-d4bf-4b60-bb8e-9a6dbe90a542?start=4m45s

1 Like

The point is that if you have a trustworthy VPN provider, using VPN->Tor overall increases your privacy. It’s as simple as that, and to claim the opposite just because of the idea that someone might interpret such a statement as having absolute impenetrable anonymity I find counterproductive and confusing.

It does not.

First, how do you establish trust? You need something you can independently verify (or have a reputable third party audit which you can delegate that to, assuming you trust them).

Second, it is well known (at least to people who work on this stuff full-time and get paid to do so) that many if not most VPN providers all use the same backend infra as their competitors (Hetzner, Leaseweb, etc.) because of various reasons but primarily down to how those handle abuse and are priced. Guess what? Tor guards and exit nodes also use the same things.

So let’s break down the people you’ve invited to the party:

  1. Your ISP.
  2. Your VPN provider
  3. Your VPN provider’s infra (which is likely the same vendors as your Tor guards and exits)
  4. Your mom

Sorry, #4 is actually counterproductive.

Why stop there, when you can also route your VPN across I2P and then put Tor across your VPN? Or even better: Tor->VPN1->I2P->VPN2 and make sure those VPNs are 2-hops for maximum latency. Which will help your anonymity even more.

I could go on. I know you don’t appreciate my tone, probably, but I’m trying to prevent you from making mistakes because of the things you don’t know about.

1 Like

Frankly you seem to be somewhat fulfilling @thatoneguy’s first sentence.
So, your point is that I can’t trust to any reasonable degree any VPN provider, either to not be reckless and shite - meaning they’ll use technology that is easily compromised, or to be straight evil - meaning they’ll snoop on you and the guard/exit nodes they host? Did I get it right?

For those curious about this and willing to read more; Matt Traudt has written a little piece just about this topic. Link & Onion Service

My favorite part is:

Furthermore, if Alice isn’t really up to anything bad, by not hiding her Tor usage, she helps reduce Tor’s bad stigma. Many people use Tor for a wide variety of reasons. And if Alice believes Tor usage is enough to get her on a list of potentially bad people, she should be proud of that fact. She’s not bad, and she’s lowering the quality of that list. If everyone used Tor, everyone would be on the list, and the list would be worthless.

As an avid Tor user myself I’m all for removing bad stigmas around this amazing technology. So this is an interesting case. I personally use Tor all the time for everything (that I can) and never hide it. My threat model is Big Tech advertising and Tor defeats that quite perfectly. Also I hate mass surveillance from a pro citizen anti corrupt government point of view.

When it comes to the list part I really feel that it’s not a good thing for us all to be on a list. I think that doesn’t make it worthless. I see that as an opportunity for the Government to abuse those on the list.

I am in disagreement with that. If they did run both the Guard and Exit that you got for one of your circuits for a period of time (since they do change and you can change them at will) you still are mixed in with all the other Tor traffic. It’s certainly not an easy task. Can it be done? I’m sure it can, if the stars align just right, but it’s not easy whatsoever. You’ll also need more evidence than just some timing correlation. Well, that is if you live in a country with a good system of law.

That’s interesting and something I had not put much thought into.

My one issue is I really like the idea of just using Tor loud and proud. I don’t mind my ISP or Gov seeing me using it because even if they did know what sites I was visiting it would not net me any legal trouble. It’s just everyday stuff. I do want to put a VPN on my home router so that I can have my other internet traffic not be seen by my ISP or Gov. I’m talking online video gaming, PC applications that call out to a server, updating my various Linux computers and getting all my chat applications going over the VPN too, like Element, Wire and Signal. I want this so that my ISP doesn’t sell or collect this metadata and so that my Government doesn’t collect this metadata either. Once I set up the VPN on my home router I then will be doing Tor over a VPN, which makes me sad. It’s not that big of a deal but I don’t want to be hiding my Tor usage. I’m a proud Tor user, darn it! Anyone have any thoughts?

1 Like

Consider setting up a Raspberry Pi or similar as a hotspot routing traffic through Tor (with wired connection to your standard router).

Debian has convenient ways to do updates over Tor too, with sources.list and a couple more changes.

Don’t forget to run Orbot on phones, in full VPN mode if you can.

1 Like
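
The Debian suggestion in the post above only helps if every repository entry really goes through Tor, so this added example (not part of the thread) audits APT source files for URIs that lack a `tor+` scheme. It assumes the `apt-transport-tor` package, which provides the `tor+http://` and `tor+https://` schemes; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list APT repository URIs that would NOT be fetched over Tor.
# Assumption: apt-transport-tor is installed; it provides the tor+http:// and
# tor+https:// URI schemes used in sources.list entries.

# Print "file: URI" for every repository URI without a tor+ scheme.
# Handles one-line entries (deb [opts] URI suite ...) and deb822 "URIs:" fields.
non_tor_uris() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {                      # skip the [option=...] block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i <= NF && $i !~ /^tor\+/) print FILENAME ": " $i
            next
        }
        $1 == "URIs:" {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^tor\+/) print FILENAME ": " $i
        }
    ' "$@"
}

# Constructed sample input (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/sources.list" <<'EOF'
deb tor+https://deb.debian.org/debian bookworm main
deb [arch=amd64] https://deb.debian.org/debian-security bookworm-security main
# deb http://commented.example.invalid/debian bookworm main
EOF
cat > "$sample_dir/extra.sources" <<'EOF'
Types: deb
URIs: tor+https://deb.debian.org/debian http://repo.example.invalid/debian
Suites: bookworm
Components: main
EOF

# Prints the two entries that bypass Tor.
non_tor_uris "$sample_dir/sources.list" "$sample_dir/extra.sources"
```

On a real host, pass `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/` instead of the sample files; an empty result means no entry bypasses the Tor transport.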