I’ve seen on several privacy-focused subreddits that using Tor over a VPN should be avoided. Reasons cited include:
VPNs do not contribute to anonymity, so combining them with Tor offers no additional benefit
VPN usage is easily detectable, whereas bridges are harder to trace. If circumventing censorship is criminalized and carries arrest risk, bridges should be used
Using a VPN makes that VPN server function as a semi-permanent guard node. Any VPN service could suddenly become untrustworthy one day, potentially compromising Tor’s anonymity. Again, you should use a bridge.
Recently, more opinions have emerged either refuting these points or considering them minor issues. One example is this PG article.
However, most arguments cite the Tor Project’s TorPlusVPN article. Why do opposing conclusions emerge about whether VPN or Bridge is more suitable, even when citing the same article?
Also, while VPNs and Bridges differ in speed and protocols, what are their functional differences in terms of use cases?
It doesn’t hurt either. So, using it is not going to negatively impact you. Might as well then.
Obfuscation options have been developed by the likes of Mullvad. Some connections are not and cannot easily be detected anymore. So, I don’t think this argument applies either. Also, so what if VPNs are detected? The issue you’re describing in this point is only valid in select countries (Russia, China), and being in those countries carries a much higher threat model anyway, so Tor should always be used if not Mullvad with their obfuscation options.
Again, not an issue if a trustworthy VPN is used.
–
I don’t know where you’ve been getting your info and while it is not inaccurate in full, it does not (most people don’t) take into account using the right tools for the right purpose and use case. The info shared elsewhere is always generalized and does not mention or explain the particulars and exceptions.
Also, some of the info you may be reading on Reddit and elsewhere is quite old and no longer applies even if it once did.
You can use VPN + Tor if you choose the right VPN.
I will let someone else answer this particular question:
OP posits the possibility that a trustworthy VPN could suddenly become untrustworthy one day. This is begging the question.
If the VPN or the Bridge becomes untrustworthy, its capacity for harm would be no different than your ISP’s capacity for harm.
In the scenario where a person wants to use a VPN or a Bridge to connect to Tor and bypass a censorship of Tor, there is no difference in functionality for this purpose.
I don’t really agree with the argument that a VPN acts as a semi-permanent guard node, because there is still a separate rotating guard node in use. In a VPN → Tor scenario, the VPN replaces your ISP. If you trust your ISP more than any VPN provider, sure it might not be worth it, but otherwise I don’t see how it could possibly hurt. At minimum it prevents your ISP from easily identifying you as a Tor user without needing to take up limited bridge bandwidth if you don’t actually need it.
Because that article actually says both things in it lol
I can see why people would just want to say “never use a VPN,” because it is easier and because people do like to overcomplicate their setups unnecessarily, which should be discouraged. However I also think our article is accurate and “better” advice for people who can actually follow our instructions, and won’t try and take it further with nonsense like multiple VPNs or VPNs after Tor, etc., for basically the reason @lyricism just said.
I think the Tor Overview addresses everything you mentioned so I’ll just quote the most relevant sections. I’m still leaving out some info for brevity so you’re better off reading the article in full:
Connecting directly to Tor will make your connection stand out to any local network administrators or your ISP. Detecting and correlating this traffic has been done in the past by network administrators to identify and deanonymize specific Tor users on their network. On the other hand, connecting to a VPN is almost always less suspicious, because commercial VPN providers are used by everyday consumers for a variety of mundane tasks like bypassing geo-restrictions, even in countries with heavy internet restrictions.
If you still believe that pluggable transports (bridges) provide additional protection against website traffic fingerprinting that a VPN does not, you always have the option to use a bridge and a VPN in conjunction.
Tor usage is not undetectable
Even if you use bridges and pluggable transports, the Tor Project doesn’t provide any tools to hide the fact that you are using Tor from your ISP. Even using obfuscated “pluggable transports” or non-public bridges does not hide the fact that you are using a private communications channel. The most popular pluggable transports like obfs4 (which obfuscates your traffic to “look like nothing”) and meek (which uses domain fronting to camouflage your traffic) can be detected with fairly standard traffic analysis techniques. Snowflake has similar issues, and can be easily detected before a Tor connection is even established.
It is critical to understand the difference between bypassing censorship and evading detection. It is easier to accomplish the former because of the many real-world limitations on what network censors can realistically do en masse, but these techniques do not hide the fact that you—specifically you—are using Tor from an interested party monitoring your network.
Protections provided by bridges
Tor bridges are commonly touted as an alternative method to hiding Tor usage from an ISP, instead of a VPN (as we suggest using if possible). Something to consider is that while bridges may provide adequate censorship circumvention, this is only a transient benefit. They do not adequately protect you from your ISP discovering you connected to Tor in the past with historical traffic log analysis.
It is possible that the WebTunnel pluggable transport currently being trialed may mitigate some of these concerns. We will continue to keep an eye on that technology as it develops.
If you have the ability to access a trusted VPN provider and any of the following are true, you almost certainly should connect to Tor through a VPN:
Your threat model includes an adversary which is capable of extracting information from your ISP
Your threat model includes your ISP itself as an adversary
Your threat model includes local network administrators before your ISP as an adversary
Therefore, you should make an effort to hide your IP address before connecting to the Tor network. You can do this by simply connecting to a VPN (through a client installed on your computer) and then accessing Tor as normal (e.g., through Tor Browser). This creates a connection chain like so:
You → VPN → Tor → Internet
From your ISP’s perspective, it looks like you’re accessing a VPN normally (with the associated cover that provides you). From your VPN’s perspective, they can see that you are connecting to the Tor network, but nothing about what websites you’re accessing. From Tor’s perspective, you’re connecting normally, but in the unlikely event of some sort of Tor network compromise, only your VPN’s IP would be exposed, and your VPN would additionally have to be compromised to deanonymize you.
The article doesn’t explicitly say so but the claim that a VPN server acts as a permanent guard node doesn’t make any intuitive sense. Assuming you don’t trust your own ISP or network, a more trusted VPN provider doesn’t add any additional risk. It can only help.