Tor and VPNs are both privacy tools, but they work in fundamentally different ways and protect against different threats. Combining them sounds like it should double your privacy, but the effectiveness depends entirely on the order in which you layer them. “VPN over Tor” and “Tor over VPN” are not just different configurations — they have different threat models, different weaknesses, and suit different use cases.
Quick Definitions
Tor routes your traffic through three volunteer-operated relays (guard, middle, exit). Each relay only knows the previous and next hop — no single relay knows both who you are and what you are accessing. Exit node operators can see unencrypted traffic (use HTTPS to mitigate this).
A VPN creates an encrypted tunnel between your device and the VPN server. Your ISP sees encrypted traffic to the VPN. The VPN provider sees your real IP and where you are connecting to. You are trusting the VPN provider.
Tor over VPN (VPN then Tor)
In this configuration, you connect to your VPN first, then your traffic enters the Tor network.
Your Device > VPN Server > Tor Guard > Tor Middle > Tor Exit > DestinationHow It Works
Your device connects to the VPN. All traffic, including your Tor connection, goes through the encrypted VPN tunnel. The Tor guard node sees the VPN server’s IP, not your real IP. Your ISP sees only that you are connected to a VPN.
What It Protects
- From your ISP: They see VPN traffic, not Tor usage. In some regions, Tor connections are flagged or throttled — a VPN can mask this.
- From Tor guard nodes: Your real IP is not exposed to the Tor entry node; the VPN IP is.
- From timing attacks by the VPN provider: The VPN cannot see what you are doing inside Tor, only that you are using Tor.
What It Does NOT Protect
- From the VPN provider itself: The VPN sees your real IP and knows you are connecting to Tor. If the VPN logs, they can link your identity to Tor usage.
- From Tor exit node monitoring: Same as standard Tor — use HTTPS.
When to Use Tor over VPN
- Your ISP throttles or blocks Tor and you need a bridge
- You want to hide Tor usage from your ISP
- You trust your VPN provider more than you trust your ISP
Any VPN works for Tor over VPN — connect to the VPN, then open Tor Browser. No special configuration is needed.
VPN over Tor (Tor then VPN)
In this configuration, you connect to Tor first, then your traffic exits through the VPN server.
Your Device > Tor Guard > Tor Middle > Tor Exit > VPN Server > DestinationHow It Works
Your traffic enters the Tor network. After exiting Tor, it connects to a VPN server. The destination sees the VPN server’s IP. Your real IP is never exposed to the VPN — Tor hides it. The VPN provider sees the Tor exit node’s IP, not yours.
Technical Challenge
Most VPN clients are not designed for this setup. To route VPN traffic through Tor:
- Start Tor (SOCKS5 proxy on
127.0.0.1:9050) - Configure your VPN client to use the Tor SOCKS proxy
- Or use a VPN that natively supports connecting over Tor
This requires careful configuration to avoid IP leaks.
What It Protects
- From the VPN provider: They see a Tor exit node IP, not your real IP.
- From destination sites: They see the VPN IP, not a Tor exit node IP — sites that aggressively block Tor exits will accept this.
- Circumventing Tor exit blocks: If a site blocks all known Tor exits, VPN over Tor lets you appear as the VPN IP.
When to Use VPN over Tor
- You need to access sites that block Tor exit nodes (banking, government portals)
- You want a consistent exit IP address across a session
- You do not want the VPN to ever learn your real IP
VPNs That Support Onion over VPN
- Mullvad VPN — accepts connections over Tor natively;
.onionaddresses available; strong no-logs track record with independent audits - ProtonVPN — has Tor-enabled servers labeled “TOR” in their app
With Mullvad using OpenVPN over Tor, add to your .ovpn config:
socks-proxy 127.0.0.1 9050Ensure Tor is running first, then connect the VPN.
Side-by-Side Comparison
| Factor | Tor over VPN | VPN over Tor |
|---|---|---|
| Your IP to Tor guard | VPN IP (hidden) | Your real IP (normal Tor) |
| Your IP to VPN provider | Your real IP | Tor exit IP (hidden) |
| Your IP to destination | Tor exit IP | VPN server IP |
| ISP sees Tor usage | No (sees VPN) | Yes |
| VPN provider knows your IP | Yes | No |
| Works with most VPNs | Yes | No (limited support) |
| Tor exit blocks at destination | Still possible | Bypassed |
| Setup complexity | Low | High |
Which Should You Choose?
Use Tor over VPN if:
- You want to hide Tor usage from your ISP
- You are in a country that restricts or monitors Tor
- You want a simpler setup with any VPN provider
- You trust your VPN more than your ISP
Use VPN over Tor if:
- You do not want the VPN provider to ever know your IP
- You need to access sites that block Tor exit nodes
- You need a stable exit IP during a session
- You use Mullvad or ProtonVPN which support it properly
Use plain Tor if:
- You have no VPN you trust
- You want maximum circuit diversity
- Adding a VPN would introduce unnecessary trust
Common Mistakes to Avoid
- Never log into personal accounts over Tor — this links a session to your identity regardless of VPN layers
- Never use a free VPN with Tor — free VPNs almost universally log and monetize traffic
- Do not assume the combination is foolproof — both components still have weaknesses; you are mitigating specific threats, not all threats
- Check for DNS leaks — verify your DNS goes through the intended path with a tool like dnsleaktest.com after setup
Neither configuration is universally superior. The right choice addresses your specific threat model. Most users are better served by Tor alone or Tor over VPN with a trusted no-logs provider than by attempting the more complex VPN over Tor configuration incorrectly.