Home » Articles » How To Use VPN Plus Tor To Get Double Encryption?
Click Here To Hide Tor

How To Use VPN Plus Tor To Get Double Encryption?

Guest post by privatoria.net:

Tor is a great solution for people looking for on-line privacy and anonymity. Keeping all the positive sides of Tor in a mind one also has to take its vulnerabilities into account as well. Among those are incompatibility with P2P downloads and variable connection speed (it all depends on the exact Tor node you connect to every time). There is a solution to stay with Tor and forget about all of its weak points. In this article we showcase how to use popular Tor technology with good old VPN technology.

–> Click here to see the best VPN’s for privacy <–

Advantages of using VPN plus Tor:

  • Hide the fact of using Tor from your ISP
  • If your traffic is being monitored by a malicious Tor exit node, it will see only IP address of your VPN provider. It therefore provides an additional level of privacy.

So, using VPN plus Tor will help us achieve double security and avoid corrupted Tor nodes.

What are the ways to use VPN through Tor?

Tails OS

This is one of the most popular security-oriented operating systems that you can get on-line for free. It is based on Linux and offers old-school user interface. It is not the best-looking OS in the world, but it takes your security extremely seriously. It offers certain features to provide secured web experience:

  • Tor web browser (Iceweasel) is installed by default
  • All data is stored in RAM (which means it all get deleted when you power off the system)
  • It comes with whole range of open sourced security tools that will be helpful to any Internet user with privacy concerns

Some users would claim that this OS is not something you can use on a daily basis. To some extend that might be true. OS developers do not advise to use it every day, however stating that you have to start a new session for every task in order to have the best security.


Use VPN+TOR in Tails OS

Using VPN+TOR does not differ from using a stand alone VPN in any Linux-based system. We recommend utilizing OpenVPN protocol. Once OpenVPN daemon is installed, launch it to activate VPN connection. After that you can run Iceweasel and use Tor as if you were using just that. One major downside to this method is that both Tor and VPN go through the same channel, which might decrease your connection speed. You also do not isolate your VPN connection from Tor, which provides lower security level and gives additional loophole that can be used by an attacker.


This OS runs inside a virtual environment to prevent any DNS leaks. In fact, two separate virtual machines are needed to get this thing to work:

  • Tor gateway Virtual Machine
  • Workstation virtual machine

Tor gateway VM uses host OS’s network hardware and connect directly to Internet via NAT. Once connection is established it starts to force all traffic through Tor nodes and that’s what this is really all about. The Workstation VM is connected to Tor gateway VM and that’s the only way it gets Internet connectivity. So now we can route all our Internet traffic through Tor without Tor browser. The only downside to this is that you need to get a relatively powerful computer to actually make this work as you will be running 3 OS’s (1 host and 2 VM’s) at the same time.


VPN+TOR in Whonix

Unfortunately, we were not able to set up a reliable VPN+TOR connection on Whonix OS. The reason for that is Tor gateway VM that routes 100% of system traffic through Tor nodes. OS architecture does not provide the functionality to utilize both Tor and VPN at the same time. Activating VPN on a Workstation VM will most likely kill Internet connection. Whonix is still a great solution for Tor enthusiasts.

Ready to go VPN+TOR solution

There is a way to get a VPN to work with TOR without specific browsers, VM’s and OS’s. Great example is Privatoria’s VPN plus TOR. The way it works is simple that makes it a must-try.

The request is sent from the user machine to the VPN server via secure encrypted channel. The VPN server routes that traffic through Tor net using random Tor nodes to provide optimal security.


This scheme has a lot to offer, most notably:

  • It will let you use VPN+TOR the right way with each of them having their own channels to get better security and speed
  • It will spare you from the installation pains
  • It works with any OS’s and browsers
  • It will ensure seamless experience without breaks due to dynamically changing nodes with checking their quality in real time

Here’s how you can configure VPN+TOR on any Debian/Ubuntu based Linux distro:

Open your terminal emulator and type in







Overall VPN+TOR is only getting it popularity. It is still a young technology, which means there is a room for improvement. This solution, however has more to offer that its components used alone. Therefore we do recommend that you give it a try a let us know about your experience.


  1. how secure is i2p vis á vis malicious exit nodes?
    (in particular, wrt BTC….lotsa BTC gets ‘oiked’ via Tor exit nodes :( )

    • There is no such thing as a malicious exit node if you are using HTTPS. An exit node cannot view not inject content so long as it is encrypted. If you use HTTP Everywhere and do not allow http you never have to worry about who is running the exit node. The worst an exit node code do with https is try to redirect you to a non https version or clone but if you use https everywhere the trick won’t work. Never allow http and you are always golden. The moment you allow any non https you could be screwed the moment the page loads even if you realize that it redirected you and you don’t submit any info. The reason being is a malicious payload could have been injected and you are infected and your machine is taken over without you knowing it. https only protects you from injection when the site hasn’t been hacked. If that happens someone can put any content they want on the website, malicious or otherwise, of course.

      An exit node cannot see your IP whether it is malicious or not.

  2. Does anybody remember Astor from the old silk road forum would always argue against VPN + TOR?

    The guy gave terrible security advice. I was absolutely sure that he was a government infiltrator.

    • Actually that is great advice, not terrible advice, for anyone trying to remain anonymous. This goes to show how people who don’t understand technology can convince themselves they are taking extra measures for anonymitity and end up making themselves identifiable. More is sometimes less, much less!

      If the VPN is being used by a lot of suspect people it would become a easy dragnet source of intel for those who wanted it. Once the VPN is compromised those people would know the identity of everyone using the VPN to tunnel thru it for Tor. They now have a huge list of people on their radar to target and see if they correlate to what they are interested in… People they would otherwise have never known about if they were only using Tor alone.

      Real world, many people on a target site recommend or say they use a certain VPN. This VPN doesn’t have much publicity outside the suspect sites. The interested party gets access to the VPN and everyone who was using it is now on the suspect list.

      The only thing a VPN will do is keep a isp from knowing you are using it but who cares plenty of people use Tor for totally legitimate reasons so just using Tor is not a red flag. the exit node thing in this article is false and the author should correct it. Exit nodes never know the IP and entrance nodes never know the site or content. That is how Tor keeps it totally anonymous with onioning.

      If a exit node knew your ip then there would be no reason for Tor to exist since it would be no different than using a single proxy. Fortunately for the author doesn’t understand how Tor works and this is not really the case.

  3. Using whonix. you just connect to a vpn on your host OS, and then do your shit inside whonix workstation which has its all traffic torified trough whonix gateway and you get vpn + tor, very simple

    • anon

      This wasn’t meant to be good OPSEC advice, this was just an advertisement.

      It should be ignored as utter bullshit.

    • gdnase

      So if i connect clearnet website via Tor enabled browser in Whonix, the Tor exit node will not see clear traffic? it will see VPN encrypted traffic because requested/destination IP will be VPN Server which then contact clearnet site and get response which it encrypt contact entry node supply encrypted data and entry node will encrypt encrypted data one more time?

  4. why does tails recommend not to use a vpn with there OS


    • Jellybean

      The first few lines on that page explain their reasons.

      Some users have requested support for VPNs in Tails to “improve” Tor’s anonymity. You know, more hops must be better, right?. That’s just incorrect — if anything VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor).

      Similarly, we don’t want to support VPNs as a replacement for Tor since that provides terrible anonymity and hence isn’t compatible with Tails’ goal.

      • Test Name

        Actually, I have to disagree with TAILS on one minor point. There argument ONLY applies if you never use Tor at home, or any network that can be associated with you. The reason being that if you access Tor at home, then your ISP is obviously your entry guard… And ISPs love to spy. So if you use Tor at random locations all the time, then a VPN isn’t right for you. But if you access Tor at home, then you have a permanent entry node anyway (your ISP) and VPNs are largely considered more trustworthy than ISPs, so using a VPN before Tor makes perfect sense.

  5. Daily reminder that any north american or top ranking european country vpn is working with interpol

  6. I thought exit nodes weren’t supposed to “see” the ip address of the person connecting through it?

  7. A VPN can add extra security but only if the VPN provider doesn’t keep logs so that they are not able to provide info to LE if they’re subpoenaed. This should be backed up by history preferably.
    Also, you should be able to pay and sign up anonymously.
    I cannot much info about this on privatoria´s website. Because of that they´re not my first choice.

    • Privatoria is based in the Czech Republic. According to the official clarification issued by the Telecommunication Office of Czech Republic, Privatoria.net is not a participant of electronic telecommunications market in the Czech Republic.
      Therefore it is not required to keep a history of the traffic logs for the last 6 months on our servers, as well as, provide the police and Security Service of Czech Republic so-called “backdoors” to listen to conversations, correspondence view and browsing activity of Privatoria.net users.

      To create an account we do not require any personal info (even e-mail).

      You are also able to pay for service using anonymous payment methods like bitcoin.

      • Jolly Polly

        I’ve taken a second look at your site and I have to admit, the information about (no) logging is on your website. It is at the bottom under ‘privacy policy’.
        Maybe it’s an idea to put something like ¨Absolutely no logs!¨ in big letters on the page? ¨No data mining¨ is nearly the same but I think most customers are looking for the words ¨no logs¨.. anyway, just a tip!

  8. The article is just an advertisement. Exit nodes can’t ID your IP. It can eavesdrop on your communication so use pgp. By going VPN –> Tor you are putting total trust in that VPN. If the hosting VPN is malicious then you will be directly connected to your Tor use. No correlation algorhythms needed. You are fuked.

  9. You might as well just use bridges to connect but that also requires trust in the bridge.

  10. Don’t use VPNs!!! Instead, do the following:

    1) Connect using anonymous Wi-Fi hotspots; vary those as much as possible.

    2) Use obfuscated bridges at all times; Tor should automatically vary those for you!

    3) If you do use a VPN, be sure to vary that, also! If you must pay for it, do so anonymously!

    In conclusion,

    Anonymous Wi-Fi hotspot -> varying VPN -> Tor obfuscated bridge -> Tor Network

  11. Thanks for the article! I personally use the UnoTelly DNS option. It’s ideal for content streaming because unlike VPNs, there is no internet speed loss when using it.

  12. A good VPN is helpful in obscuring your traffic from your ISP, and may offer some protection from local law enforcement. Combined with Tor, it does offer a little more protection from bad exit nodes by obscuring your IP. You want to choose a VPN that claims to do, or keep, no logs. Ultimately, you have no control or absolute assurance over this, and can only research the VPN provider’s reputation.
    This is good enough security for most people, for whom advertisers and data collectors, and their own ISP, are the biggest problems.
    What I would find helpful would to be able to test whether Tor, or any other network service, is indeed going through the VPN. It’s not as straightforward as it is with a normal browser, where you can just check what IP address you’re showing, and not all apps or processes are easily force bound (to tun0 on Mac OS, for instance). Does anyone have any ideas on verifying whether an app or process is using the VPN, specifically on Mac OS?

  13. As the poster stated above, if you use an open, public Wi-Fi hotspot and spoof your MAC address, you will be completely safe, especially, if you are using the Tor Browser with a bridge and have the highest security settings enabled. And, if you’re not using Tails, then you need to be using TrueCrypt with full system encryption. (And, yes, it is still safe to use!)

    Anyone who disagrees is either ignorant, a liar, or is with LE (which means, all of the aforementioned!)

  14. This has some major misinformation. Exit nodes can’t identify your ip whether they are malicious or not. That is the whole reason for Tor- it is onioning. Entrance nodes can’t identify what site you are trying to connect with or the content being transmitted, they just know that you are using Tor network but not in what capacity. Again, onioning. Relays can’t identify anything.

    The only way an exit node can identify you if you transmit personally identifying info in the clear (ie Non Https). You should never be using non https for anything that transmits personally identifying info or anything else you don’t want to be public knowledge whether or not you use tor. You should have Https Everywhere installed as a matter of good internet basic security and only allow non https for non important transmissions.

    Likewise you should not have flash or java plugins installed on your browser. You should use Chrome or Ice Weasel. This is just for good general safe web usage, not just for trying to stay anonymous when using Tor.

    VPN doesn’t offer “double encryption” nor does it offer you any protection from being exploited like Tor users have been in the past by using malicious payloads (often flash) to install malware on your machine that reports back your real ip and web usage history.

    In fact using a VPN in some instances could be worse. A VPN can be compromised and now your traffic is being monitored before it hits the tor network. Even if it is end to end encrypted with https the monitor can still know what site you are connecting to and make timing attacks very easy.

  15. Peer review requested-

    I’m thinking of starting my own VPN. I will know that I keep no logs. :)

    Also, there is plausible deniability for anything I personally do through my own vpn.

    With many people using my vpn. I would just be one of the hundreds, connecting from some other VPN ip… any law enforcement requests for a users IP would reach me first. :)

    thoughts anyone?

  16. Start your own VPN company. Be sure you keep no logs.

  17. Its interesting that both deepdotweb.com and privatoria.net page request canvas fingerprint…..wtf

  18. I’ve been trying to use this VPN for the 4th time and now I give up. I downloaded the configs. Did a “sudo openvpn pr-openvpn.conf” login: [email protected] password:mypassword and it was giving me AUTH_FAILED all the time..
    Tried changing the password, same issue.. I triple checked the passwords, changed them also.. still nothing..

    I really wanted to try b4 buying it. :(

  19. This editor of this article has gotten confused between a Tor Exit node (the last node) and an Entry Guard node (the first node).

    An exit node does not see the IP of the user, it only sees the IP of the node before it (the 2nd node).

    It is the Entry Guard node that sees the user’s IP.

    Furthermore, yes if both the Entry Guard and Exit nodes are malicious, then they can perform such things as timing attacks on the user to find out both the User’s IP and Website that they are visiting.

    A VPN before Tor will shift to make the Guard Node not know the real IP of the user.

    With that said, timing attacks can then still be performed from the ISP, so, a VPN only protects Tor level only attacks.

    Tor is not yet able to defeat timing attacks.

  20. I am running a VPN on my host machine, with Tails running from USB through a Plop boot manager .iso VM.
    Is that relatively safe?

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *