TOR & VPN: A Necessary Couple

There was a time when folks felt beyond anonymous using TOR on its own, but that seems a crazy idea today, and I can tell you from experience that using TOR without VPN gives one a feeling of nakedness. Looking further back, there were the good old days when mass monitoring felt more like a dystopian novel than government policy. People felt safe doing pretty much whatever on the web, BBS, IRC and even through their ISP-provided email addresses before the days of widespread web mail. In the 80s and 90s ISPs were able to keep customer records and data to themselves unless subpoenaed (and even then I’m sure it was a rarity); search engine giants were not collecting mass marketing data or participating in huge man-in-the-middle attacks perpetrated by government spies; in fact it’s quite unlikely that LEA and intelligence agencies monitored or pursued much online. The opportunity to commit crime or secretive activity would have been limited or not yet considered. It was not long ago that the internet was a novelty, a hobby and just a great place to gain access to large amounts of information (often for learning and education). In the early days of popular internet usage there were constant discussions on what qualified as a “crime” online. For quite some time there were few or no laws to govern many online activities. Today, we don’t “go online” or “dial in” like we used to – we are online; always. From home to work and back, and everything in between, we possess a certain degree of online presence every hour of the day, whether it be through social media, email, GPS tracking, or SMS (texting). As a part of basic human evolution it’s not surprising that people began discovering and exploiting ways to leverage computer networks for personal gain or pleasure, whether legal or illegal.

With that said, you don’t need a secretive reason to yearn for the anonymity of the old days. I know people who have never even smoked a cigarette or drunk a beer who feel the need for VPN – it’s normal. This week a good friend was asking me about TOR and VPN so that he could set up a hidden service on his home network; not because he has anything to hide, but because he knows the minute he stands up that public service, many eyes and sticky fingers will be on it. I recently stood up a newly built home Linux server on the internet to provide myself access to my files while away and at work. Within a few minutes I had been scanned hundreds of times and a barrage of brute-force attempts had begun against my FTP and SSH services. Luckily I had the gear and skills to identify this, and it’s quite likely they would have had trouble cracking my huge password, but I still felt better changing to non-standard ports, blocking ICMP traffic and creating a certificate to be able to authenticate properly. This is the same thing as IP anonymity. For the most part, I am probably anonymous on TOR and on top of that I likely have nothing to worry about adding VPN to the mix, yet I still feel the need to take every precaution. I also like to stay up-to-date on the latest application, DNS, etc. exploits. Today I would like to share some of those habits. You may be doing all of these and even more, or you might learn one or two new things, or perhaps it will all be news to you. Whichever the case, I’m doing this to amalgamate as many safe practices as I can into one location.

Let’s start with TOR and some critical ‘rules’ you should always force yourself to follow. First, if you’re like me and want to avoid the ‘guilty by association’ accusation, you might not want people to know that you have or even use TOR. It’s quite common to use today, but some undereducated people hear TOR and immediately think you’re buying/selling drugs and weapons or spreading snuff films. It’s understandable if you’d just rather avoid that conversation with people. If you’re not going to be super paranoid and use a separate computer or OS (or VM) to run TOR, you can still keep it from prying eyes by running Tails (a live TOR-based Linux distro) on CD/DVD or USB. Running a whole distro can be time-consuming and sometimes inconvenient, with things like wireless NIC driver woes or problems with persistence. If you would rather avoid all that, then look at installing just the TOR application on a USB drive. This way it can disappear from your machine when needed, and all updates, temp files, etc. should write to the USB stick. You can do this easily by choosing a USB drive as your installation path when running the TOR installer. If you like to be extra careful and don’t want the contents of the USB to be viewable, use an encryption program to create an encrypted volume and install TOR in that. This works fine, as I have done it myself. Without the encryption/decryption software on their PC, nosey snoops will see what looks like a USB drive with no formatting (blank). From a network point of view you can also hide your TOR usage from your ISP or anyone else monitoring online. Since TOR is banned in some oppressive countries, this makes it that much more important for freedom of speech, whistleblowers, and those suffering political oppression.
Since ISPs or government routers will block access to known TOR nodes, it was necessary to set up TOR bridges and relays to allow these people access, because the filtering routers won’t identify the session as one being established to any public TOR node. Anyone around the world can volunteer to run a TOR bridge and provide this access. That doesn’t mean that bridges/relays are only available to people with blocked connections. Perhaps you just don’t think that your ISP has any business knowing that you connect to TOR? If you are using TOR with VPN this won’t matter much anyway; however, it still provides an additional hurdle in tracking who’s doing what, so it’s not a bad idea. To make use of TOR relays you can simply send a properly formatted email to some nice folks who will respond with a relay, which you then configure in your TOR settings. When TOR launches, open settings and answer “yes” to the question concerning blocking/censoring (FIGURE A); a custom bridge or bridges can then be configured in the blank box (FIGURE B). You can request a new relay periodically to keep them confused and guessing. For additional information on TOR bridges/relays, please refer to their Tor: Bridges support page.

FIGURE A

FIGURE B

It used to be that you were tracked down online by being sloppy and hacking (or whatever) using your own IP, thinking no one would be smart enough to catch on; or you may have used a series of jump-off points around the globe in an attempt to hide your tracks. The problem with this method is that it didn’t really hide any tracks; it simply added a few additional hops to the traffic’s original source, so anyone with network security or forensic knowledge would know how to follow the trail back to its origin. TOR aimed to alleviate this cat and mouse game, which would inevitably always end with the cat picking its teeth using a rib from the mouse skeleton. The new game is ‘how can I exploit your applications’. Once TOR and VPN managed to successfully hide IP addresses, hackers and spies had to reinvent the wheel as well and find a sneakier way in. The next section will highlight items which exist because of the new exploit game.

It’s important to remember that TOR has been built with your safety in mind and as a result they have included some very useful tips and features, which will save you from additional effort. TOR offers so much, yet asks so little from its users; however if the TOR community makes a suggestion, you follow it. They are nice enough to provide little pop up notifications to save you all of that hard effort to check in on their website every now and then. If they have taken the time to program a notification into the browser then it’s best to consider the suggestion crucial. The easiest and possibly the most important task you can complete: keep your TOR browser up-to-date. Like many applications, you will be automatically notified and prompted to update when a new package is available. You can consider these updates more important than Windows security patches as they generally address found exploits or vulnerabilities, which put your anonymity at risk. So if you launch the browser and receive the update notification, don’t even think “oh I will go do what I need to do and update it when I’m done”. You should stop everything you’re doing and update and install the new bundle immediately before using TOR for anything. Similarly TOR has also pushed out warnings not to resize your window because resizing can provide a potential vulnerability to nosey hackers or spies. I agree that the default window size is a bit annoying, but you can be sure this risk is very real if they have taken the time to program it right into the browser permanently.

As I mentioned above, application exploitation is the name of the game. LEA and intelligence are now taking a page from the book of hackers and using software exploits and zero-day exploits to identify users. The reason they recommend not resizing your window is that they identified that doing so produces a fingerprint, along with a resolution leak, which could be exploited and used to uniquely identify you across TOR exit nodes, as discussed on Reddit and through numerous TOR Tickets (multiple identified in this ticket). Similarly, it has been found time and time again that scripts like Java can be leveraged to identify a user. To my knowledge TOR still comes with scripts globally enabled, and unless that has changed recently you will want to globally disable scripts before doing anything. FIGURE C demonstrates a popup warning if you try to globally enable scripts; so if you haven’t already, you should disable them globally (FIGURE D) and enable them on a per-site basis if you feel that you trust a site enough to enable scripts temporarily (FIGURE E). Just because you know and use a site often does not mean that it’s safe to enable scripts. It’s exactly this sort of trust the hackers and spies are looking to exploit.

FIGURE C

FIGURE D

FIGURE E

As TOR grows and evolves the developers add many additional safety measures; however, there is one other important feature I would like to mention. At any time while browsing in TOR you can click the green onion in the upper left-hand corner and choose “New Identity”, which will sever all sessions and choose a new circuit and nodes for your TOR connection, so if you want to keep them guessing, do this at very short and regular intervals. This means that your traffic will constantly be switching paths and would be very hard to track and record. Be warned that you will lose any open tabs, links, etc. If you wish to retain your open sessions, but are worried about opening a new link on the same circuit, you can choose “New Tor Circuit For This Site” and it should only use a new circuit with the current window/tab (see FIGURE F for both options).

FIGURE F

Most of my safety recommendations for TOR/VPN are directly controlled through TOR; however, there are still a few general guidelines and tips that can make your VPN usage more secure. Find a VPN provider that protects against DNS leakage. A good provider will have their own DNS servers for you to use so that you are not performing name resolution using DNS belonging to your ISP, Google or someone else undesirable. A DNS leak occurs when your OS continues to use the default DNS servers that you would use normally when not using a VPN. This means that although your IP is hidden using a VPN service, your PC is still using the normal method to resolve DNS names and IPs, so the owner of the DNS server could see every site you are looking up, which renders your VPN virtually pointless. Make sure you choose a provider that addresses this issue. Many VPN providers have a script which will physically change the DNS servers on your PC’s NIC and will use them the minute you log on, or it might set your NIC to always use these servers (whether on VPN or not). Just like a hosts file, your PC’s DNS settings will override anything on your router, etc. You can find many DNS leak tests in Google, and some VPN providers even host their own DNS leak protection test, like TorGuard’s DNS Leak Test.
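The resolver check this paragraph describes, as an added example that is not part of the original article: it reads a Linux-style resolv.conf and flags any nameserver that is outside the VPN provider's own DNS ranges. The ranges, the sample file contents and the function names are assumptions constructed for illustration.

```python
"""Added example: audit resolv.conf for resolvers outside the VPN's DNS ranges."""
import ipaddress
from pathlib import Path

# Assumption: ranges a hypothetical VPN provider publishes for its own resolvers.
VPN_DNS_RANGES = ["10.8.0.0/24", "fd00:8::/64"]

# Constructed sample: the VPN is up, but the home router is still listed first.
LEAKY_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 10.8.0.1
options edns0
"""

# Constructed sample: only a local stub resolver is visible in the file.
STUB_CONF = "nameserver 127.0.0.53\n"


def parse_nameservers(text):
    """Return the nameserver addresses in the order the file lists them."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
        try:
            servers.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # malformed address
    return servers


def classify(server, vpn_ranges=VPN_DNS_RANGES):
    """Label one resolver as 'vpn', 'local-stub' or 'leak'."""
    nets = [ipaddress.ip_network(r) for r in vpn_ranges]
    if any(server.version == n.version and server in n for n in nets):
        return "vpn"
    if server.is_loopback:
        # A local stub forwards somewhere else; this file cannot show where.
        return "local-stub"
    return "leak"


def audit(text, vpn_ranges=VPN_DNS_RANGES):
    """Return [(address, label), ...] for every nameserver entry."""
    return [(str(s), classify(s, vpn_ranges)) for s in parse_nameservers(text)]


def verdict(text, vpn_ranges=VPN_DNS_RANGES):
    """Summarise the file: any non-VPN resolver counts as a leak."""
    labels = [label for _, label in audit(text, vpn_ranges)]
    if not labels:
        return "no-resolvers"
    if "leak" in labels:
        return "leak"
    if "local-stub" in labels:
        return "check-stub-upstream"
    return "ok"


if __name__ == "__main__":
    conf = Path("/etc/resolv.conf")
    text = conf.read_text() if conf.exists() else LEAKY_CONF
    for addr, label in audit(text):
        print(f"{addr:<20} {label}")
    print("verdict:", verdict(text))
```

A "check-stub-upstream" result means the file only points at a local forwarder, so the upstream servers have to be checked in that forwarder's own configuration before the setup can be called leak-free.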

I have said it a thousand times before, but do your research when choosing a VPN provider. You want to be sure that you don’t pick someone who is buddy-buddy with governments, spy agencies or LEA. Be certain they do not track and/or retain records of which user(s) and/or IPs accessed the service at what time. You want a provider that does not keep these records; that way, if they are subpoenaed to provide records, they will honestly have nothing to give. Don’t choose a provider based in the US, UK, Canada or any other coalition country for that matter. Try to find a provider based in a country not heavily influenced by the major powers; that way they won’t care about appeasing the evil empire, whichever one it is. You can find some phenomenal VPN reviews, comparisons and other valuable information on Deepdotweb.com in their VPN Comparison Chart.

Unless you’re a network engineer or programmer, I will say there’s no major secret to using TOR and VPN together. The fact that you are using both simultaneously means that you have made it increasingly difficult for someone to identify you. The ‘secret’ is to remain smart and observant to maintain anonymity. I always say that if you insist on using your everyday computer with TOR and VPN, you should shut down any applications which identify you by account or otherwise. This can include anything from Dropbox to Steam (gaming platform) to widgets to the lovely new Windows 10 security settings. If you’re combining TOR and VPN and someone is trying to track you, they are not going to attempt to ‘break down the vault door’, so to speak; that is to say, they are not going to scratch their head trying to figure out how to crack these things. No, they are going to look for other means to identify you: open programs which can be exploited via Java, or a DNS leak, etc. It’s similar to hackers nowadays. A hacker is much more likely to infiltrate a network using social engineering than by breaking in through the firewall, so always be thinking about how you can improve your security and minimize your exposure. You can do many small things to help yourself. Do your VPN servers double as SOCKS5 proxy addresses? Well, use them. Could you be encrypting all of your email using PGP and then using an already encrypted email service like Protonmail on top of that? Why not do it then? Intelligence agencies and spies feel they have the right to spy on every citizen whether they deserve it or not, so it’s our right, and our mandate, to protect ourselves and fight back with everything we can. Just say NO to Big Brother!

24 comments

  1. VPN -> Tor => GO TO JAIL

    I can’t stress this enough… VPNs are for privacy NOT ANONYMITY, Tor is for anonymity NOT PRIVACY. Don’t mix the two. If you’re going to sacrifice anonymity for pseudonymity, then ALWAYS do TOR before VPN.

    Whoever wrote this article, please kindly, go fuck yourself.

    • I agree although I’m happy to be proven wrong. I was always of the opinion that using a VPN and then connecting to Tor only provided a link between you and your exit node – obviously not a good thing if you’re trying to stay out of jail.

      Has this conventional wisdom changed for some reason?

      • Forrest Hump

        The vpn prevents your isp seeing you use tor.

        Vpn service provider only sees you connect to a tor bridge or entry relay, and not the exit node. Plus they won’t see anything what you do while browsing .onion sites because encryption.

    • barmaglot_by_tot

      VPN->TOR == goto Jail ?
      I think that adversary will have to penetrate TOR first(which is not an easy task) and then he/she will need to deal with all that legal hassle which includes subpoenaing VPN, which can sometimes be troublesome and last for years(consider US LEA trying to get data from Venezuela’s or Cuba’s VPN)
      Please explain the reason why you think that this scheme will result in jail

      • Because they won’t need to break tor to find you. If you are constantly entering the tor network from a specific VPN server/provider then your traffic can be correlated.

    • The author of this article is clearly a very experienced autist with a fine case of verbal diarrhea, but 5,000 words of derp are easily eclipsed by Chris Becker’s comment.

      The statement is strongly worded, but utterly devoid of any backing to the conclusions. Tor and VPN both provide anonymity (to a degree) and privacy (to a degree).

      If you run a VPN you thwart men in the middle from your location to your provider. If it’s international that’s a big barrier for any investigator. If you run Tor you are well hidden, assuming both you and the sites you visit aren’t compromised. If you run a VPN and then run Tor, if Tor breaks, the trail dead ends at the VPN endpoint.

      That’s a gross simplification of the calculus involved, but the author and Becker both look like simpletons from where I sit.

  2. This entire article is just wrong, the Tor website warns it’s not a good idea to use a VPN with Tor. They explain it as a basic understanding, I keep trying to figure out why this site and others seem obsessed with this practice?

  3. Folks, you need to use anonymous Wi-Fi public access points with Tor bridges. Create a TrueCrypt (verify the program and its hashes from at least three sources) with at least a 25 character passphrase (Upper & lower letters, numbers, and at least one punctuation character and one special character atop your keyboard) AND at least two keyfiles! Use Tails and open your TrueCrypt container using the instructions on their website. Spoof your MAC address and then connect to your favorite anonymous Wi-Fi spot, whether it be McDonald’s or your local laundromat, but vary those on occasion, also! Keep a low online DeepWeb profile and don’t dox yourselves!! Make sure your physical surroundings are absolutely secure, keep your screen covered (say, by using a polarized screen filter), and don’t dawdle while online! Get in and then get out!!

    But, yes, I agree, skip the VPNs! Tor with bridges and anonymous access points will be sufficient. TLAs/LE have a quota to meet, and they are not going to spend a $1 million bucks on catching you!

  4. TOR, VPN, Encryption.
    It all seems a bit excessive for basic people who are just reading DeepDotWeb articles. My guess is that many of the people on this website wish they had interesting enough lives to merit being tracked and hunted by some government agency. More likely, however, we’re all going to live out normal, boring, safe lives.

  5. https://www.privacytools.io

    I have found this to be an excellent source of information and guidance.

    Among other things it does allude to the fact that Local, State and Federal Law Enforcement Agencies CAN and do get warrants to compromise the SSL keys of VPN providers for your browsing histories.

    The extra layer of security or deterrents doesn’t hurt. I’m no engineer but I watch cat videos. AND THAT’s NO ONES BUSINESS! Unless I choose to share it.

    Signed,
    Prrrrrrrudence

  6. What about VPN+RDP+VPN+TOR ?

    lol.

  7. I am a certified network engineer.

    1 never use a vpn.

    2 always use tails without java script enabled.

    3 always use an open WiFi adapter (the alfa nha for example) to connect (my company track suspects via wireless credentials)

    4 always physically remove battery after use.

    5 always use a bridge.

    5 never use a vpn, did I mention that strongly enough?

    6 proton mail can’t be used with enigmail or other mechanisms. It’s either proton mail and trust them or thunderbird+enigmail.

    • raz

      can you explain why VPN before TOR isnt good?

      VPN is for privacy, TOR anonymity, ok.. cant we have both?

      So how i understand it, if i connect to a VPN, and after TOR, if exit and entry points are compromised and LE does get through it gets the IP from the VPN right? If you didnt have the VPN it would get your IP right away? Or am i misunderstanding something?

      Thanks

  8. Do not use a VPN! If you want to stick a massive bulb outside of your front door, then please use a VPN whilst using TOR. You’ll create an identifiable IP address that will be fixed to your VPN access point and time, then when the feds turn up to your VPN provider and give them the option of jail or your IP, then guess what happens.

    If you want privacy with anonymity, then use TAILS. It’s the safest way to maintain no virtual and physical history of your actions.

    • And when the contract with the VPN clearly states that they do not log then sue the VPN for false advertising to pay for your court costs. Wasn’t a VPN just the other day proven that they do not log, something to do with them not being able to give the IP to the feds.

    • How about this, the 85 percent of the total web that IS the Deep Web has millions and millions of users. 4 times more than the conventional web. How about we all use VPN and nobody knows nothin. Use Tor alone and your IP WILL for sure and certain log your Tor usage. Use vpn and go wherever you want. I have a freakin Internet genius I know who recommends using vpn And Tails, go figure.

    • DUKE OF SAND & WITCHES

      I believe the idea would be that your ISP sees you’re on TOR, but can’t see the traffic (encrypted). Then using TOR to connect to the VPN, the VPN knows that some random IP is connecting to their network, but they don’t know where it originated from. Then the VPN ID (IP address) is chosen, so that IPA is linked to the activity, but the VPN would see all the TOR user’s activity, however, doesn’t know the true ID of the TOR user.

      Summary (TL:DR):

      You –> TOR (ISP sees you) –> VPN (VPN sees TOR, ISP sees encrypted info) –> Internet surfing (VPN sees data transmitted to the TOR user, ISP sees encrypted info).

      But I’m not entirely sure this is accurate or if the VPN site/host would allow a TOR exit node to log into their VPN

  9. interesting comments to this rather long article. I don’t use VPN nor intend of doing so. But is VPN really that bad? Sounds weird

  10. Hi, I just want to warn TOR users that DNS Leak Tests seems to trigger Tor relays switching multiple times and thereby anyone who have possibilities to survey the internet/Tor-relays can triangulate your entry relay location, and perhaps even worse all the way to your home.

    It came to my attention while testing several internet online browser tests that in particular the DNS leak tests makes the Tor relay switching going wild.

    Check for your self on these two sites:
    https://www.browserleaks.com/whois
    http://dnsleak.com/

    While loading these pages, quickly click on the green onion button in your browser and hover over it for a while and WATCH CAREFULLY how the middle and exit relays switches several times.
    Browserleaks page usually switches around 3 times, dnsleak switches up to 6 times.

    I posted about this grave behavior on https://blog.torproject.org/blog
    but the Tor moderators never passed this particular issue get posted, which to me indicates the Tor team knows it’s something fishy about the DNS leak thingy.

  11. sigh… once again the f**king armchair nerds saying vpns will sell you out.

    this has been put to the test for a few vpns who didn’t back down and held their own. how can you hand over something you dont have? Most vpns dont even bother responding.

    in answer to the article, use multiple vpns, keep mixing it up, hack your wifi and use disposable prepaid internet, use proxies,rdps and vm’s… all the time, keep changing and mixing it up when using Tor etc.

    3 top concerns are malicious nodes, dns leakage and javascript vulnerabilities embedded within the Tor bundle.

  12. Not 100% agree with you.

  13. If you’re using a public wifi, ok I can see the point of not attaching a vpn because that adds a risk of identifying you. assuming you’re not on public wifi, your isp already directly identifies you. in this case, the vpn either protects you (if it doesn’t sell you out) or doesn’t harm you (if it does), because your isp already knows who you are. this is all assuming that your use of tor was compromised

  14. This might be a dumb question but I want to see what people say.
    My VPN is on my laptop. Tor is on my USB.
    Steps I connect to VPN. Then insert USB and connect to TOR.

    My questions are.
    1. Is this AS strong as or weaker than having Tor and VPN both on laptop.
    2. Is it stronger at all or did I just break the chain?
    3. Which is the best setup? Together or separate?

    My thoughts are – Am I somehow not protected via the VPN because it isn’t on the same thing as Tor is running off of and because Tor is running off of a USB, is it bypassing the VPN altogether and I am not protected at all.

    Sorry if it seems like a dumb question but I am curious. Please be nice. :)
