Introduction

There are many discussions on the Tor mailing list and across many forums about combining Tor with a VPN, SSH and/or a proxy in different variations. X in this article stands for "either a VPN, SSH or proxy". The different ways to combine Tor with X each have different pros and cons.

General

Anonymity and Privacy

You can very well decrease your anonymity by using VPN/SSH in addition to Tor. (Proxies are covered in an extra chapter below.) If you know what you are doing you can increase anonymity, security and privacy.

Most VPN/SSH providers log, and there is a money trail if you can't pay really anonymously. (An adversary is always going to probe the weakest link first...) A VPN/SSH acts either as a permanent entry or as a permanent exit node. This can introduce new risks while solving others.

Who's your adversary? Against a global adversary with unlimited resources, more hops make passive attacks (slightly) harder but active attacks easier, as you are providing more attack surface and sending out more data that can be used. Against colluding Tor nodes you are safer; against blackhat hackers who target Tor client code you are safer (especially if Tor and VPN run on two different systems). If the VPN/SSH server is adversary controlled, you weaken the protection provided by Tor. If the server is trustworthy, you can increase the anonymity and/or privacy (depending on setup) provided by Tor.

VPN/SSH can also be used to circumvent Tor censorship (on your end by the ISP, or on the service end by blocking known Tor exits).

VPN/SSH versus Proxy

The connection between you and the VPN/SSH is (in most cases, not all) encrypted.

On the other hand, the connection between you and an OpenProxy is unencrypted. An 'SSL proxy' is in most cases only an HTTP proxy which supports the CONNECT method. The CONNECT method was originally designed to allow you to connect to web servers using SSL, but other fancy things such as connecting to IRC, SSH, etc. are possible as well. Another disadvantage of HTTP(S) proxies is that some of them, depending on your network setup, even leak your IP through the 'HTTP forwarded for' header. (Such proxies are also called 'non-anonymous proxies'. While the word anonymous has to be understood with care anyway, a single OpenProxy is much worse than Tor.)
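A destination-side check for the header leak described above, as an added example that is not part of the original page: it parses a request as the destination web server receives it and reports whether the proxy passed on the client's address. The header list beyond "forwarded for", the function names and the sample requests are assumptions of this example.

```python
import ipaddress
import re

# Only "forwarded for" is named on the page; the other headers are assumed here.
PROXY_HEADERS = {"x-forwarded-for", "forwarded", "via", "x-real-ip", "client-ip"}

def parse_headers(raw_request: bytes) -> dict:
    """Return {lowercase name: [values]} from a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def addresses_in(value: str) -> set:
    """Extract IPv4/IPv6 literals, with or without a trailing :port."""
    found = set()
    for token in re.split(r'[\s,;="\[\]]+', value):
        for candidate in (token, token.rsplit(":", 1)[0]):
            try:
                found.add(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue
    return found

def classify_proxy(raw_request: bytes, client_ip: str) -> str:
    """Say what the destination server learns from a proxied request."""
    client = ipaddress.ip_address(client_ip)
    present = {n: v for n, v in parse_headers(raw_request).items()
               if n in PROXY_HEADERS}
    for values in present.values():
        if any(client in addresses_in(v) for v in values):
            return "leaks-client-ip"
    return "reveals-proxy-use" if present else "no-proxy-headers"

# Constructed requests as a destination server would receive them.
BASE = b"GET / HTTP/1.1\r\nHost: example.org\r\n"
SAMPLES = {
    "xff": BASE + b"Via: 1.1 proxy.example\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n",
    "rfc7239": BASE + b'Forwarded: for="[2001:db8::7]:4711";proto=http\r\n\r\n',
    "via-only": BASE + b"Via: 1.1 proxy.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_proxy(raw, "203.0.113.7"))
```

A result of "no-proxy-headers" only means the request carries none of the listed headers; the proxy operator still sees the client's address and the unencrypted traffic.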

Also read "Aren't 10 proxies (proxychains) better than Tor with only 3 hops?" (proxychains vs Tor).

VPN versus SSH or Proxy

A VPN operates on the network level. An SSH tunnel can offer a SOCKS5 proxy. Proxies operate on the application level. These technical details introduce their own challenges when combining them with Tor.

The problem for many VPN users is the complicated setup. They connect to the VPN on a machine which has direct access to the internet:

The VPN user may forget to connect to the VPN first.

Without special precautions, when a VPN connection breaks down (VPN server reboot, network problems, VPN process crash, etc.), direct connections without the VPN will be made.

To fix this issue you can try something like VPN-Firewall.
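The two failure cases above can be checked from a Linux routing table. This added example (not from the original page or from VPN-Firewall) parses "ip -4 route show" output and reports whether traffic currently leaves through the VPN and whether a non-VPN route would take over if the tunnel device disappeared; the device names tun0 and eth0, the probe address and the sample tables are assumptions.

```python
import ipaddress

def parse_routes(ip_route_output: str) -> list:
    """Turn `ip -4 route show` lines into (network, device) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # e.g. unreachable/blackhole entries carry no device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        device = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), device))
    return routes

def egress_device(routes: list, destination: str):
    """Longest-prefix match (metrics ignored); None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if dest in net]
    return max(matches)[1] if matches else None

def vpn_leak_status(ip_route_output: str, vpn_dev: str = "tun0",
                    probe: str = "192.0.2.1") -> str:
    """Report where traffic goes now and where it would go without the VPN."""
    routes = parse_routes(ip_route_output)
    current = egress_device(routes, probe)
    if current is None:
        return "no-route"
    if current != vpn_dev:
        return "direct"  # VPN not connected: traffic leaves unprotected
    without_vpn = [r for r in routes if r[1] != vpn_dev]
    fallback = egress_device(without_vpn, probe)
    return "vpn-fail-open" if fallback else "vpn-fail-closed"

# Constructed routing tables (documentation addresses, assumed device names).
LAN = "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23\n"
NO_VPN = "default via 192.168.1.1 dev eth0 proto dhcp metric 100\n" + LAN
SPLIT_DEFAULT = (NO_VPN + "0.0.0.0/1 via 10.8.0.1 dev tun0\n"
                 "128.0.0.0/1 via 10.8.0.1 dev tun0\n"
                 "198.51.100.10 via 192.168.1.1 dev eth0\n")
VPN_ONLY_DEFAULT = (LAN + "default via 10.8.0.1 dev tun0\n"
                    "198.51.100.10 via 192.168.1.1 dev eth0\n")

if __name__ == "__main__":
    for table in (NO_VPN, SPLIT_DEFAULT, VPN_ONLY_DEFAULT):
        print(vpn_leak_status(table))
```

SPLIT_DEFAULT mirrors the pair of /1 routes that OpenVPN's redirect-gateway def1 option installs beside the existing default route. The check reads routes only, so firewall rules that would block the fallback path are not visible to it.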

When operating on the application level (using an SSH tunnel's SOCKS5 proxy or other proxies), the problem is that many applications do not honor the proxy settings. Have a look at the Torify HOWTO to get an idea.

The most secure solution to mitigate those issues is to use transparent proxying, which is possible for VPN, SSH and proxies.

You -> X -> Tor

Some people under some circumstances (country, provider) are forced to use a VPN or a proxy to connect to the internet. Other people want to do that for other reasons, which we will also discuss.

You -> VPN/SSH -> Tor

You can route Tor through VPN/SSH services. That might prevent your ISP etc. from seeing that you're using Tor (see VPN/SSH Fingerprinting below). On one hand, VPNs are more popular than Tor, so you won't stand out as much; on the other hand, in some countries replacing an encrypted Tor connection with an encrypted VPN or SSH connection will be suspicious as well. SSH tunnels are not so popular.

Once the VPN client has connected, the VPN tunnel will be the machine's default Internet connection, and TBB (Tor Browser Bundle) (or Tor client) will route through it.

This can be a fine idea, assuming your VPN/SSH provider's network is in fact sufficiently safer than your own network.

Another advantage here is that it prevents Tor from seeing who you are behind the VPN/SSH. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your VPN/SSH was actually following through on their promises (they won't watch, they won't remember, and they will somehow magically make it so nobody else is watching either), then you'll be better off.

You -> Proxy -> Tor

This does not prevent your ISP etc. from seeing that you're using Tor, because the connection between you and the proxy is not encrypted.

Sometimes this prevents Tor from seeing who you are, depending on the configuration on the side of the proxy server. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your proxy does not log and the attacker didn't see the unencrypted connection between you and the proxy, then you'll be better off.

You -> Tor -> X

This is generally a really poor plan.

Some people do this to evade Tor bans in many places. (When Tor exit nodes are blacklisted by the remote server.)

(Read first for understanding: "How often does Tor change its paths?")

Normally Tor frequently switches its path through the network. When you choose a permanent destination X, you give away this advantage, which may have serious repercussions for your anonymity.

You -> Tor -> VPN/SSH

You can also route VPN/SSH services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN/SSH exit nodes, you at least get to choose them. If you're using VPN/SSHs in this way, you'll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc).

However, you can't readily do this without using virtual machines. And you'll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

Even if you pay for them anonymously, you're making a bottleneck where all your traffic goes -- the VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous.

You -> Tor -> Proxy

You can also route proxy connections through Tor. That does not hide and secure your Internet activity from Tor exit nodes, because the connection between the exit node and the proxy is not encrypted; not one, but two parties may now log and manipulate your clear traffic. If you're using proxies in this way, you'll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc) or use free proxies.

One way to do that is proxychains. Another way would be to use a Transparent Proxy and then either proxify (set proxy settings) or socksify (use helper applications to force your application to use a proxy) the programs you want to chain inside your Transparent Proxy client machine.

You -> X -> Tor -> X

Whether this is technically possible has not been researched. Remember that this is likely a very poor plan, because You -> Tor -> X is already a really poor plan.

You -> your own (local) VPN server -> Tor

This is different from the above. You do not have to pay a VPN provider here, as you host your own local VPN server. This won't prevent your ISP from seeing you connect to Tor, and it also won't protect you from spying Tor exit servers.

This is done to enforce that all your traffic routes through Tor without any leaks. Further reading: TorVPN. If you want this, it may be unnecessary to use a VPN; a simple Tor gateway may be easier, for example Whonix.

VPN/SSH Fingerprinting

Using a VPN or SSH does not provide strong guarantees of hiding the fact that you are using Tor from your ISP. VPNs and SSH are vulnerable to an attack called website traffic fingerprinting [1]. Very briefly, it's a passive eavesdropping attack: although the adversary only watches encrypted traffic from the VPN or SSH, the adversary can still guess what website is being visited, because all websites have specific traffic patterns. The content of the transmission is still hidden, but which website one connects to isn't secret anymore. There are multiple research papers on that topic. [2] Once the premise is accepted that VPNs and SSH can leak which website one is visiting with a high accuracy, it's not difficult to imagine that encrypted Tor traffic hidden by a VPN or SSH could also be classified. There are no research papers on that topic.

What about proxy fingerprinting? It has been said above already that connections to proxies are not encrypted. Therefore this attack isn't even required against proxies, since proxies cannot hide the fact that you're using Tor anyway.

[1] See Tor Browser Design for a general definition of and introduction to website traffic fingerprinting.

[2] See the slides for Touching from a Distance: Website Fingerprinting Attacks and Defenses. There is also a research paper from those authors. Unfortunately, it's not free. However, you can find free ones using search engines. Good search terms include "Website Fingerprinting VPN". You'll find multiple research papers on that topic.



See also

Practical

If you still want to combine Tor with a proxy, all combinations are possible using Whonix (anonymous general purpose operating system). Whonix's optional configurations document this.
