Is this a valid strategy for anonymity and is it safe?

So I know everyone talks about VPNs with Tor. Or in other words, Tor over VPN. I saw Jonah’s YouTube video on the subject as well as Mental Outlaw’s video and also other professionals who discussed the subject matter.

But what is less talked about is routing traffic through Tor but then using proxies from outside the Tor network after first connecting to Tor. So basically, Proxies over Tor or Tor over proxy.

Is connecting to Tor first then to proxies or connecting to proxies then Tor even remotely safe? What about raw proxy chaining on its own? How does any of this compare to Tor over VPN? How does it compare to just Tor or just VPN?

Disclaimer: I don’t generally have a lot of experience using proxies - this is effectively my opinion and isn’t based on anything other than an educated guess. I just want to try to offer what I can to the conversation.

I wouldn’t bother connecting to anything other than your intended target after going through Tor. At BEST it achieves nothing, at worst it immediately de-anonymizes you. Connecting to a proxy just adds additional information about your habits (making you stick out from normal Tor users who don’t do this). It could add more information depending on your relationship to said proxy (if you run said proxy or are one of the few people regularly using it, I’d imagine this drastically reduces the search space of “who this Tor user might be”).

Trying to get fancy with it is exactly how you end up with unsafe Tor configurations (though I still think it’s valuable to ask these questions when they arise). I’d only ever recommend a path that ends in Tor → Internet.

I imagine proxy chaining alone suffers similar issues - there likely aren’t many people doing it, so at best you’re just another proxy user, at worst you’re “that one guy who proxy chains”.

My understanding is proxies don’t typically encrypt traffic. So a proxy chain is conceptually like a weaker, unpopular, unencrypted Tor. All the slowdown, none of the anonymity. At best, hiding your IP.

A VPN does what a proxy actually does - masking your IP - but generally in a more secure way (with encryption). A proxy alone may be faster than a VPN, but chaining multiple proxies could easily lose that singular upside.

Tor over VPN is, as covered on Privacy Guides, generally safe and acceptable as long as the order is You → VPN → Tor → Internet. Your ISP sees you connecting to your VPN, and nothing else. Your VPN sees you connecting from your real IP to your entry node, and nothing else. Your entry node sees you connecting from your VPN, and so forth.

Tor without VPN (You → Tor → Internet) should still provide anonymity, but does allow your ISP to see that you are using Tor at all to begin with and your entry node to see your real IP. Depending on your threat model, that may be undesirable.

VPN alone (You → VPN → Internet) doesn’t provide anonymity, but does mask your IP to external sites and your traffic from your ISP.

As for You → Proxy → Tor → Internet, I imagine at best it’s a worse version of You → VPN → Tor → Internet, and at worst it’s no better than You → Tor → Internet.

For Tor alone, I quite like this interactive graphic the EFF made. It doesn’t cover proxies or VPNs, but I think it’s still helpful for understanding who knows what if you just use Tor.

TLDR: You should probably just stick to You → Tor → Internet or You → VPN → Tor → Internet. If you NEED to use a proxy, it should be You → Proxy → Tor → Internet.


Also, welcome to the forum and thanks for joining us! (sorry, I was very focused on writing that and forgot)


Privacy Guides addresses this on their knowledge base:

We very strongly discourage combining Tor with a VPN in any other manner. Do not configure your connection in a way which resembles any of the following:

  • You → Tor → VPN → Internet
  • You → VPN → Tor → VPN → Internet
  • Any other configuration

Some VPN providers and other publications will occasionally recommend these bad configurations to evade Tor bans (i.e., exit nodes being blocked by websites) in some places. Normally, Tor frequently changes your circuit path through the network. When you choose a permanent destination VPN (connecting to a VPN server after Tor), you’re eliminating this advantage and drastically harming your anonymity.

You can still safely connect to a VPN/proxy before Tor, it’s just strongly recommended you don’t connect to them after Tor.

So is connecting to VPN then Tor the easiest and most effective way to go? And would you recommend I just do that?

And before connecting to Tor, should I use the same VPN I use for social media and daily life or should I get a different VPN connection? Obviously, I don’t use Tor for social media or my daily routine. But should I switch VPNs before starting Tor?

Same VPN provider is okay. You shouldn’t use the same connection/server though before connecting to Tor.

It’s less of an issue if your VPN is reputable and keeps a strict no logs policy. But a threat actor can use this info among others to deanonymize you. It essentially creates a PERMANENT entry node as long as that connection remains active, so you must be able to trust your VPN provider.

I use Mullvad so you’re saying I should get a different Mullvad account before connecting to Tor or just a different connection and server?

Also, will using a tool like Anonsurf, TorGhost-NG, or TORCTL to connect to Tor after connecting to a VPN work? Or will that cause me to route VPN through Tor? I know the right way is Tor through VPN, rather than the other way around like you’re saying.

Will it help if VPN is on host OS and torCTL is on a VM?

Nope. I meant a different server in the Mullvad client so you do not need to switch accounts. That’s all unnecessary.

I’ll be honest, you don’t need to use these tools to route everything to Tor. If your threat model involves hiding the fact you are using Tor or routing everything through it, please use a dedicated OS (Whonix VM, Qubes-whonix) with a Tor bridge or VPN installed on the host system. You can also use bridges with Tails as well if anti-forensics is more your alley.

If you want to hide the fact you’re using Tor from your ISP, sure. If you don’t care about that, then using Tor on its own is fine.

The only scenario I could think of where this might be beneficial is if you’re the target of a threat actor who has managed to become your Tor guard node. I don’t know your situation but that sounds very unlikely. If that ever were the case, you have a whole lot more to worry about than how you’re connecting to Tor.

In other words, I doubt you’ll have a tangible benefit from switching VPN servers before connecting to Tor, but it definitely wouldn’t hurt and it only takes a few seconds so you might as well do it.

Do you recommend using tools like Anonsurf or TorGhost-NG or torctl to connect to Tor? If I connect using these after I connect to Mullvad will they go through the VPN or will it turn into routing the VPN through Tor? Will it fix anything to connect to Anonsurf through a VM with Mullvad connected on my host OS?

The reason is I want to route everything through Tor but then route that through my VPN. I mean, I’m asking in terms of having maximum anonymity while using Tor. I want to have plausible deniability but I don’t want to limit my Tor usage to the browser. Let’s pretend I’m an activist or something. Let’s pretend it’s an extreme case. Except I don’t always need to use Tor but in some cases I use it. But when I do, again, I want plausible deniability with it and want to hide the fact that I’m routing everything through Tor from my ISP.

I’ll be honest, you don’t need to use these tools to route everything to Tor. If your threat model involves hiding the fact you are using Tor or routing everything through it, please use a dedicated OS (Whonix VM, Qubes-whonix) with a Tor bridge or VPN installed on the host system. You can also use bridges with Tails as well if anti-forensics is more your alley.

What if I’m asking for an online friend, who is an activist in China, who is doxxing the government? Or maybe he/she is a whistleblower who is doing this and is using TraceLabs VM to do the doxxing. Just in a hypothetical scenario.

Your hypothetical friend should probably not put their life in the hands of advice given on a public forum!

I’m not sure what exactly a whistleblower would be doxxing people for, but the advice to them is going to be very similar. Use Tails and upload the relevant whistleblowing documents using SecureDrop. News outlets often provide instructions on how to upload to their instance (ie, The Washington Post), and SecureDrop also provides a list of active instances.