I think the Tor Overview addresses everything you mentioned so I’ll just quote the most relevant sections. I’m still leaving out some info for brevity so you’re better off reading the article in full:
Connecting directly to Tor will make your connection stand out to any local network administrators or your ISP. Detecting and correlating this traffic has been done in the past by network administrators to identify and deanonymize specific Tor users on their network. On the other hand, connecting to a VPN is almost always less suspicious, because commercial VPN providers are used by everyday consumers for a variety of mundane tasks like bypassing geo-restrictions, even in countries with heavy internet restrictions.
If you still believe that pluggable transports (bridges) provide additional protection against website traffic fingerprinting that a VPN does not, you always have the option to use a bridge and a VPN in conjunction.
Tor usage is not undetectable
Even if you use bridges and pluggable transports, the Tor Project doesn’t provide any tools to hide the fact that you are using Tor from your ISP. Even using obfuscated “pluggable transports” or non-public bridges do not hide the fact that you are using a private communications channel. The most popular pluggable transports like obfs4 (which obfuscates your traffic to “look like nothing”) and meek (which uses domain fronting to camouflage your traffic) can be detected with fairly standard traffic analysis techniques. Snowflake has similar issues, and can be easily detected before a Tor connection is even established.
It is critical to understand the difference between bypassing censorship and evading detection. It is easier to accomplish the former because of the many real-world limitations on what network censors can realistically do en masse, but these techniques do not hide the fact that you—specifically you—are using Tor from an interested party monitoring your network.
Protections provided by bridges
Tor bridges are commonly touted as an alternative method to hiding Tor usage from an ISP, instead of a VPN (as we suggest using if possible). Something to consider is that while bridges may provide adequate censorship circumvention, this is only a transient benefit. They do not adequately protect you from your ISP discovering you connected to Tor in the past with historical traffic log analysis.
It is possible that the WebTunnel pluggable transport currently being trialed may mitigate some of these concerns. We will continue to keep an eye on that technology as it develops.
If you have the ability to access a trusted VPN provider and any of the following are true, you almost certainly should connect to Tor through a VPN:
- You already use a trusted VPN provider
- Your threat model includes an adversary which is capable of extracting information from your ISP
- Your threat model includes your ISP itself as an adversary
- Your threat model includes local network administrators before your ISP as an adversary
Therefore, you should make an effort to hide your IP address before connecting to the Tor network. You can do this by simply connecting to a VPN (through a client installed on your computer) and then accessing Tor as normal (e.g., through Tor Browser). This creates a connection chain like so:
- You → VPN → Tor → Internet
From your ISP’s perspective, it looks like you’re accessing a VPN normally (with the associated cover that provides you). From your VPN’s perspective, they can see that you are connecting to the Tor network, but nothing about what websites you’re accessing. From Tor’s perspective, you’re connecting normally, but in the unlikely event of some sort of Tor network compromise, only your VPN’s IP would be exposed, and your VPN would additionally have to be compromised to deanonymize you.
The article doesn’t explicitly say so but the claim that a VPN server acts as a permanent guard node doesn’t make any intuitive sense. Assuming you don’t trust your own ISP or network, a more trusted VPN provider doesn’t add any additional risk. It can only help.