00:01 Time for my hot take of the month: Should you use a VPN before connecting

1. 00:01 Time for my hot take of the month: Should you use a VPN before connecting to Tor? Probably yes, actually! A Privacy Guides community member recently shared a video with me from Mental Outlaw titled “Stop Using Tor With VPNs”, and serendipitously, I happened to be looking into this exact topic at the time for a big rewrite of our Tor-related recommendations at Privacy Guides.org.
2.  
3. 00:23 Mental Outlaw is a pretty big name in the Privacy YouTubers space, and he makes some decent points in his video, but I think he misses some important nuance when it comes to who needs to be using Tor safely and where they’re doing so, and draws the wrong conclusion about the topic as a whole. So, I want to present my counter-argument to his claims, and then present more information about why using a VPN before connecting to Tor is a better idea than many seem to believe.
4.  
5. 00:47 This is not an attack on Mental Outlaw’s character or his other content, which I haven’t watched, and I of course don’t believe his video was published with malicious intent, I just don’t think he adequately addressed the topic here. Before we get started, my channel’s still a bit new here so I’ll share a little about myself.
6.  
7. 00:52 I’m the founder and a team contributor to privacyguides.org, an open-source collaborative resource on privacy and security, and an online community where people can share advice and learn more about privacy-related concepts. The content I’ll be presenting in this video today is mainly from my research into this topic as part of a rewrite of a large section of our website about Tor, and I felt this was important to note, because a common criticism you’ll hear when the idea of using a VPN with Tor is being discussed is that many resources on the topic come from people or channels
8.  
9. 01:23 who are closely affiliated with VPN providers themselves. I think it’s a mistake to dismiss arguments you see online solely based on the affiliation of the authors rather than the content of their argument, but regardless of that I want to make it clear that I and Privacy Guides are not and have never been affiliated with any VPN providers.
10.  
11. 01:42 Or with any of the providers, tools, and services we recommend on our website for that matter. Privacy Guides is a non-profit, volunteer-driven organization that operates on an evidence-based, transparency-focused approach, and we’d never have a vested interest in recommending one service over another outside of a genuine belief that such a service is better for your privacy and security.
12.  
13. 02:01 With that out of the way, it is still our shared opinion that using a VPN is an important part of improving your privacy and security posture online, and that doesn’t change when you use Tor. I’ll get into more about all that later on. The first misconception I see a lot, including in Mental Outlaw’s video, is that Tor never recommends the use of a VPN or anything other than Tor and Tor bridges.
14.  
15. 02:25 The reality is that Tor Project themselves do acknowledge the benefits of using a VPN to stand out less on your network. There are probably two reasons Tor doesn’t proactively recommend such a solution, it makes their current advice much simpler, and in an ideal world there wouldn’t be an issue with just using Tor, and Tor wouldn’t be seen as a suspicious network, so of course Tor would like to advocate for such a solution.
16.  
17. 02:49 These things don’t change the fact that today, right now in the real world, using a VPN with Tor provides legitimate advantages that using Tor alone does not, and I think those advantages are worth discussing. The other factor here is that even if the benefits of using a VPN before Tor are negated, you’ll virtually never be worse off with a VPN+Tor configuration like I’m suggesting here.
18.  
19. 03:13 At worst you’ll merely be “back to square 1” and still benefitting from the other protections that Tor provides. I’ll get into more about why this is the case later on. The second misconception, or wrong assumption Mental Outlaw makes in his video, is that there are very few scenarios in which people might need to hide their Tor usage from their ISP, he calls out two such cases: people who are criminals, and people in countries which block Tor.
20.  
21. 03:39 Ignoring the fact that these two scenarios are very common among vulnerable populations like political activists and journalists around the world, I believe that there are plenty of other real world situations where you’d want to hide your Tor usage from your ISP or network administrator, which are not government-related at all! Consider the fact that Harvard network administrators were able to deanonymize a Tor user based on his traffic metadata on the University’s network.
22.  
23. 04:06 Yes, this was a criminal case, but the fact that this occurred in the first place should demonstrate to you that a network administrator or your ISP can pose the same exact threat in any scenario! If Harvard can use this data to assist the FBI, you bet they (and anyone else with network access) can also do it for whatever reason they’d like! Imagine a whistleblower connecting to Tor on their employer’s network to post something about the company they work for, for example.
24.  
25. 04:27 A lot of online literature about Tor tends to suggest that merely connecting to Tor makes you completely anonymous, but of course this isn’t the case in reality. The fact that your Tor use is observable by your local network poses a real risk to many people. — Let’s take an aside here and talk about criminals for a second.
26.  
27. 04:44 When talking about privacy and security, we tend to reference a lot of criminal news stories and court cases in our research. I want to explain why this is the case and why you shouldn’t misconstrue this advice and privacy advice in general as being geared towards defending criminals. First off, it’s simply more newsworthy when criminals fail at privacy, and court cases are well-documented, so there are simply more real-world examples to point to when explaining privacy failures.
28.  
29. 05:13 This does not mean that criminals are the only people who need stronger privacy protections, it’s just that when the average person’s privacy protections are broken the impact isn’t necessarily shared with the rest of the world. It does not mean that the impact in non-criminal real-world situations doesn’t exist.
30.  
31. 05:30 Secondly, what’s lawful in one country can be criminal in another, and there are a lot of gray areas where it is almost certainly morally acceptable and even encouraged to break some laws in especially repressive countries, so the knowledge on how to do so is still fairly important on a societal level. So basically despite all this theoretical talk about “evading law enforcement,” this advice isn’t intended for actual criminals to evade law enforcement.
32.  
33. 05:56 I want you to use these examples and think about ways in which they might apply to your regular, every-day life, and I think you’ll find that it’s more common than you’d think. Back to the video! — I’ll cover the points he does make about those two scenarios first though. When it comes to evading censorship we’re in agreement.
34.  
35. 06:16 Using a VPN with Tor is not censorship circumvention advice for people in countries which block VPNs as well. The reason I do generally recommend using a VPN before Tor is to make your traffic blend in better with commonplace VPN user traffic, and provide you with some level of plausible deniability by obscuring the fact that you’re connecting to Tor from your ISP.
36.  
37. 06:38 Connecting to a VPN is almost always less suspicious, because commercial VPN providers are used by everyday consumers for a variety of mundane tasks like bypassing geo-restrictions, even in countries with heavy internet restrictions. However, I do want to make an important distinction between blocking Tor bridges, and identifying Tor bridges here, because Mental Outlaw at least implies that if you are able to find a bridge which is not blocked, your connection will be safe.
38.  
39. 07:07 In reality, there is a danger this could pose to you if the fact that you’re using Tor is discovered in the future poses a risk within your threat model. Let me explain: Bridges are fairly decent at circumventing censorship, because they are unpublished and make efforts to obfuscate the fact that they are indeed Tor bridges.
40.  
41. 07:27 However, these are only transient protections because Tor bridges are virtually always eventually identified and blocked. This fact is very bad for people who want to hide past Tor usage from their ISP, which is almost certainly logging basic metadata like IP addresses and connection times indefinitely.
42.  
43. 07:47 Let me give you two examples: Number 1: You connect to Tor via a bridge, and your ISP doesn’t detect it because they are not doing sophisticated analysis of your traffic, so things are working as intended. 4 months go by, and the IP of your bridge has been made public (as they almost inevitably are). Your ISP wants to identify Tor users 4 months ago, and with their limited logging they can see that you connected to an IP address which was later revealed to be a Tor bridge.
44.  
45. 08:27 You have virtually no excuse to be making such a connection, so the ISP can say with very high confidence that you were a Tor user at that time. Number 2: You connect to Tor via a VPN, and this works fine. 4 months later your ISP again wants to identify Tor users 4 months ago. Their logs almost certainly can identify your traffic 4 months ago, but all they would likely be able to see is that you connected to a VPN’s IP address.
46.  
47. 08:59 Because your ISP almost certainly is not capturing all packet-level data and storing it forever, they have no way of performing advanced traffic analysis techniques after the fact to determine what you connected to with that VPN, and you could have plausible deniability. Therefore, bridges are only good at circumventing censorship in the moment, but not from hiding Tor usage in historical network analysis.
48.  
49. 09:24 Of course, this doesn’t protect you if they perform advanced traffic analysis in real time and are able to determine what you are doing with your VPN through some fingerprinting tactic, as Mental Outlaw does mention in his video as well. And this is not advice against using Tor bridges, you should just be aware of this limitation.
50.  
51. 09:45 In some cases bridges may be your only option (if all VPN providers are blocked, for instance), so you can still use them in those circumstances with this limitation in mind. The other thing you can do if very advanced traffic fingerprinting is a concern is use a VPN in conjunction with an obfuscating Tor bridge, that way you are still protected by the pluggable transport's obfuscation techniques even if an adversary gains some level of visibility into your VPN tunnel.
52.  
53. 10:15 I’ll talk more about this later in the video. The last thing I’ll point out in regard to this scenario is that in the real world, there actually are plenty of real-world network censors who do block Tor and don’t block VPNs, so it’s not like a circumstance where a VPN is a valid censorship circumvention technique is inconceivable.
54.  
55. 10:33 I would still suggest that people try to use a reputable VPN to bypass censorship, and explore other options if that isn’t feasible on your specific network. — Alright, now let’s respond to his arguments regarding criminals. Of course we can both agree that opsec failures are much more likely to be the reason criminals get caught rather than network analysis, I don’t have much to add there.
56.  
57. 10:55 However, then he makes the argument that using a VPN to connect to Tor is going to make you stand out more on your network, and this is where I disagree. His first claim is that international entities like Interpol are Global Passive Adversaries. He doesn’t use that term exactly, but he describes them as if they are.
58.  
59. 11:16 For context, a “Global Passive Adversary” (GPA) is an entity which can monitor the network traffic of every Tor node, every VPN, and every ISP. There’s no evidence to suggest anybody, including law enforcement agencies like Interpol, have the capability to actually act as global passive adversaries in the real world.
60.  
61. 11:37 Merely having global jurisdiction doesn’t imply that your organization has on-demand global access to every single ISP on Earth, which would be required to perform the analysis he’s suggesting. An investigative agency would have to coordinate with every single ISP on the chain separately, and there are plenty of situations where that would be an impossible task.
62.  
63. 11:58 However, let’s give the benefit of the doubt for a second and look at a scenario where a global passive adversary does exist and you’re worried about defending against them. In that scenario, the facts are very clear: Tor does not protect you, using Tor with a VPN does not protect you, you are not protected against global passive adversaries in any scenario using Tor.
64.  
65. 12:19 This is very clearly defined in Tor’s threat model, and the security of Tor does hinge on the idea that such an adversary does not exist. So whether agencies like Interpol are able to act as global passive adversaries is actually irrelevant to this discussion in the first place. Let’s move on assuming that a global passive adversary doesn’t exist though, and think about how this would work if an international agency like Interpol was conducting an investigation after the fact: The ability for a law enforcement agent to determine that a VPN user connected
66.  
67. 12:54 to Tor (and thus, appear more suspicious according to Mental Outlaw) hinges on either your VPN collecting logs, or the law enforcement agency to already be monitoring traffic from that VPN. In the first case (best-case), this is avoided by virtue of the fact that your VPN provider isn’t collecting logs. Maybe a shady VPN provider will be collecting logs secretly, but I am reasonably confident that the VPN providers we recommend at Privacy Guides are not, and the entire point of using them in the first place is that you trust them to not log more than you trust your ISP
68.  
69. 13:31 to not log. However, for the sake of the argument let’s pretend your VPN provider is secretly logging. Then it becomes the same situation as the second case: In our second, worst-case scenario, the agency already has some sort of in with your VPN provider and is logging all that traffic. That means they can likely see you’re using a VPN to connect to Tor, oh no! However, they could just as likely do this to your regular ISP too if you don’t use a VPN! In this scenario, all this means is that you’re back to square one, and they know you connected
70.  
71. 14:05 to Tor but not what you connected to (because Tor obfuscates this information, of course). So, worst-case scenario you’re in the same place as you were without using a VPN, you’re not worse off than if you had just connected to Tor. Then he claims that connecting to Tor via a VPN will make you stick out like a sore thumb, and that most Tor users connect directly to Tor.
72.  
73. 14:27 However, this hinges on either our worst-case scenario from earlier being true, or the—frankly absurd—idea he poses that they can tell that you’re connecting to Tor via that VPN because they’ve broken the encrypted tunnel and can read your traffic. This scenario is unrealistic, but we can cover some possibilities here: The first way your ISP or network admin may be able to determine you’re connecting to Tor through your encrypted VPN tunnel is through analysis called Traffic Fingerprinting, perhaps the most realistic way to detect Tor usage inside a VPN.
74.  
75. 15:03 This isn’t to say that it’s realistic at all though! Lots of research is done into traffic fingerprinting, and many reputable experts including Tor Project themselves don’t believe that it is a realistic threat in real-world scenarios, because the research on this subject is often conducted in highly controlled, perfect environments that don’t correspond to actual traffic.
76.  
77. 15:25 If you are still concerned about the possibility of traffic fingerprinting methods being used to detect that you’re using Tor through your VPN provider however, you again always have the option to use a VPN in addition to a pluggable transport (bridge) to obfuscate your traffic’s fingerprint further. That way you are still protected by the pluggable transport's obfuscation techniques even if an adversary gains some level of visibility into your VPN tunnel.
78.  
79. 15:51 And as an aside, if you do decide to go this route, I’d recommend connecting to an obfs4 bridge behind your VPN for optimal fingerprinting protection, rather than meek or Snowflake. The second way they could determine you’re using Tor through a VPN is the scenario we talked about earlier where your VPN provider is compromised or provides such logs to your adversary.
80.  
81. 16:11 As I explained earlier, this scenario is both unlikely and not going to provide much information to law enforcement because they still need to take the additional step of determining what your Tor traffic actually was. That being said, it’s still a potentially valid argument that if all of this occurs, it will make your traffic potentially more valuable to decrypt and therefore law enforcement might spend additional resources on decrypting your Tor traffic after they determined that you made the initial connection through a VPN.
82.  
83. 16:37 I still don’t agree this is a realistic concern for two reasons: First, Many people connect to Tor via a VPN already for various reasons, I don’t think you will stand out significantly more from other Tor users even if you do use a VPN in addition to Tor, as he posits, based on this factor alone. Second, Even if they do put extra effort into decrypting your traffic, this is still a very challenging task to complete.
84.  
85. 17:01 There’s no evidence to suggest that determining what you connected to via Tor with traffic analysis during investigations like this is even possible, so in our worst-case scenario, investigators are still posed with a virtually impossible task anyways. Let’s step back from all of these theories for a second anyways.
86.  
87. 17:20 You know what else makes you stick out on your network? Using Tor! Tor is very easy to identify on your local network if you connect to it directly, and using a bridge doesn’t change that by the way. And unlike a commercial VPN provider, most network monitors unfortunately interpret Tor connections as people who are likely trying to evade authorities, that is just the reality of the situation.
88.  
89. 17:43 In a perfect world, Tor would be seen by authorities as a tool with many uses, like how VPNs are viewed, thanks to the incessant marketing of VPNs as a tool to do mundane things like stream videos. Using a real VPN provides you with better plausible deniability along the lines of “I was just using it to watch Netflix” that Tor simply doesn’t at this time.
90.  
91. 18:06 The ultimate point I’m trying to make with my VPN before Tor recommendation is that such a configuration only provides you with additional privacy protections from your ISP, with the understanding that you all should in theory trust your VPN provider over your ISP anyways. Therefore, any of the potential risks of using a VPN before Tor are basically irrelevant anyways, because we’ve already established that the risks of your ISP having that knowledge are almost certainly higher.
92.  
93. 18:32 If you want more information about that topic, I would suggest reading the VPN overview articles on Privacy Guides.org. — Alright, we’re at the point where I want to share with you my actual advice on this topic. If you live in a free country, are accessing mundane content via Tor, and you aren't worried about your ISP or local network administrators having the knowledge that you're using Tor, you can likely connect to Tor directly via standard means like Tor Browser without worry and without using a VPN.
94.  
95. 19:06 This is helpful on a large scale, because it helps de-stigmatize Tor usage for other users, and gets us closer to the perfect ideal world Tor envisions that we talked about earlier. However, if you already use a trusted VPN provider, or if your threat model includes an adversary which is capable of extracting information from your ISP, or your adversaries include your local ISP itself, or any local network administrators before your ISP, then I think you should almost certainly connect to Tor through a VPN.
96.  
97. 19:36 — Let’s quick run through a few common misconceptions: #1: Using a VPN with Tor makes you stand out more because you’re sending your traffic through “4 hops” - This doesn’t make sense because of how Tor is designed. If you could stand out on the Tor network based on what your network configuration looks like before the Tor connection, this would obviously defeat the purpose of Tor in the first place, because you could be fingerprintable based on your ISP’s configuration.
98.  
99. 20:05 Using a VPN before Tor should not increase your fingerprintability to either the destination or to Tor relays. #2: Similarly, another one is that using a VPN with Tor gives you a “permanent entry mode” - This misunderstands the role that a VPN plays in this situation. Your VPN is replacing your ISP, not any Tor nodes.
100.  
101. 20:29 The reality is that things on your network before your Tor entry node can’t be detected and fingerprinted by observers on the Tor network or at your destination. This is basically the same thing as #1, but I just want to reiterate here that as long as your last three connections are through the Tor network, you’re not losing any benefits of the Tor network by using a VPN too.
102.  
103. 20:49 #3: Is that need to disable the VPN you already use before connecting to Tor. This is basically the crux of what we’ve been talking about throughout this video, but I want it to be clear that if you use a VPN already, there is no reason to disable it before connecting to Tor. Many online resources take the guidance about using a VPN with Tor too far and claim that it’s actively dangerous to do this, and there are no situations where a VPN and Tor can be combined.
104.  
105. 21:16 This isn’t true when you’re connecting to that VPN before Tor, and disconnecting from your VPN just to connect to Tor will only serve to make your network traffic more suspicious, and potentially cause other things on your system which were previously protected by your VPN to leak information. There is no added danger to keeping your VPN connection enabled at all times.
106.  
107. 21:38 — Alrighty! Now that all of this is finally out of the way, let me talk to you about using a VPN with Tor properly. To be absolutely clear, the configuration I’m recommending is that you connect to your VPN first, and then connect to Tor through that VPN. Some VPN providers and other online resources occasionally recommend the other way around, making a connection to your VPN through the Tor network.
108.  
109. 22:03 This is commonly recommended to circumvent things like websites blocking Tor exit node IP addresses, however, this is extremely ill advised. Normally, Tor frequently changes your circuit path through the network. When you choose a permanent destination VPN (connecting to a VPN server after Tor), you're eliminating this advantage and drastically harming your anonymity.
110.  
111. 22:26 It’s difficult to set up a bad configuration like this accidentally, because it usually involves you making deliberate changes to your proxy settings in Tor Browser, or or setting up custom proxy settings inside your VPN client which routes your VPN traffic through the Tor Browser. As long as you avoid these non-default configurations, you're probably fine, but you can always double-check by visiting Tor’s IP check website in Tor Browser.
112.  
113. 22:53 — I hope we’ve established the reasons why I think it makes sense for most people to use a VPN alongside Tor. I just want to leave you with a few final notes: - Tor never protects you from exposing yourself by mistake, such as if you share too much information about your real identity. - Tor exit nodes can modify unencrypted traffic which passes through them.
114.  
115. 23:34 This means traffic which is not encrypted, such as plain HTTP traffic, can be changed by a malicious exit node. Never download files from an unencrypted http:// website over Tor, and ensure your browser is set to always upgrade HTTP traffic to HTTPS. - Tor exit nodes can also monitor traffic that passes through them.
116.  
117. 24:10 Unencrypted traffic which contains personally identifiable information can deanonymize you to that exit node. Again, we recommend only using HTTPS over Tor. If you want to learn more about improving your privacy and security habits overall, again I suggest reading through the knowledge base at privacyguides.org.
118.  
119. 24:32 Finally, thank you for being interested enough in your personal privacy to watch through this video, I hope to post more content on this topic in the future, so get subscribed so you don’t miss out. And please share this video with others who don’t understand the implications of using a VPN before Tor, I hope that this content is able to spur further discussion about this topic.
120.  
121. 24:52 Be sure to leave a comment if you have anything to add or ask, or consider joining the Privacy Guides forum, a great place to get perspectives from many different sources. I’ll see you all in my next video!
122.  
123.