I am looking for maximum online privacy, should I use Tor, VPN, or both? If both, in which order and what are the benefits of starting with one over the other?
Before we address the question above, let us start with a brief look at how Tor and VPNs work, beginning with Tor. The Onion Router, commonly known as Tor, is an anonymity network first developed by the U.S. Naval Research Lab.
What is Tor?
There is no authoritative source with records of just how many people use Tor, and there shouldn’t be any. After all, it is an anonymous network. However, according to the Tor Metrics page, the network has at least two million users on any given day.
When using Tor, data from your computer is passed through Relays (servers) drawn from the thousands that volunteers run, which hide your identity and location. However, some websites have started blocking traffic from relays they have identified as belonging to the Tor network.
Governments and other online adversaries have the capacity to monitor data at known entrances to the Tor network (the Guard Relays and Exit Relays). From there, they can work their way back to reveal the identity of the anonymous user.
What is VPN?
A Virtual Private Network (VPN) is a tunnel that provides encrypted passage of data from your computer to the VPN provider's servers (the VPN servers). Data is then relayed from the VPN servers to the internet (the target websites), and the responses are relayed from the servers back to your computer via the encrypted tunnel.
As a result, the target website will know it is communicating with the VPN server and not your computer, so your location and identity remain unknown to the website. Additionally, your ISP will simply see data being relayed between your computer and the VPN server, but it will not know the contents of that data since it is encrypted.
To discourage people from masking their location and identity, some websites block access from known VPN servers (just as they do with Tor). Governments can also compel the companies providing VPN services to share your data with them.
It has been said: “no VPN service provider will go to prison just to protect their subscriber paying some $20 per month.”
As things stand, neither VPN nor Tor provides foolproof protection of your location and identity. However, you can be better secured by combining the two, though there are some experts who argue against it. Even then, you will not completely eliminate the risks.
Tor over VPN route
For instance, suppose you are visiting the innov8tiv.com website. In a Tor over VPN setup, your ISP will still know your IP address and can see you are connected to a VPN, though it cannot see the data being transmitted back and forth between your computer and the VPN server.
After you launch the Tor browser and enter the address innov8tiv.com, the browser establishes a path via the Tor network and encrypts all the data your computer is sending to innov8tiv.com. The VPN server can see you are transmitting encrypted data to a Tor Guard Relay.
Data from your computer first passes through the VPN server but is still encrypted by the Tor browser as it proceeds towards innov8tiv.com. It never reaches the site straight from the VPN server, but instead gets routed through the Tor network.
On the Tor network, it first enters the Guard Relay, where it is received as coming from the VPN server (not your computer). The Guard Relay will strip the outermost layer of encryption and pass the data to the Middle Relay.
The Middle Relay will strip off the next encryption layer and pass the data forward to the Exit Relay. The Exit Relay will then strip off the final layer of Tor browser encryption and send the unsecured data (the request) to innov8tiv.com. At the Exit Relay, it is possible to read the message contained in the data, but there is no way of establishing your IP address.
Innov8tiv.com will then answer the request by passing the data back to the Exit Relay, which applies the first layer of encryption. From there it is passed to the Middle Relay, which adds another layer of encryption, and then to the Guard Relay, which adds a further layer before passing it back to the VPN server.
The VPN server will add another layer of encryption to data it cannot read and relay it back to your computer. Though your ISP can see the data going back and forth between the VPN server and your computer, it has no way of knowing what information is contained therein.
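The outbound half of the walkthrough above can be traced in a few lines of Python. This is an added example, not code from the original article: the keys, hop names and the `layer` and `send_tor_over_vpn` functions are constructed for illustration, and a toy XOR keystream with fixed keys stands in for the real VPN and Tor ciphers.

```python
import hashlib

def layer(key: bytes, data: bytes) -> bytes:
    """Add or strip one layer. Toy XOR keystream (SHA-256 counter mode), not a
    real cipher; applying it twice with the same key removes the layer."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

# Hops in the order the article lists them. Keys are constructed sample values;
# the ISP has none because it only carries the tunnel and is not an endpoint.
HOPS = [
    ("ISP", None),
    ("VPN server", b"sample-vpn-tunnel-key"),
    ("Guard Relay", b"sample-guard-key"),
    ("Middle Relay", b"sample-middle-key"),
    ("Exit Relay", b"sample-exit-key"),
]

def send_tor_over_vpn(request: bytes):
    """Return (what each hop observes, bytes delivered to the website)."""
    # Client side: Tor Browser wraps for exit, middle, guard; the VPN client
    # then adds the outermost tunnel layer.
    packet = request
    for _, key in reversed(HOPS):
        if key is not None:
            packet = layer(key, packet)
    views, sender = [], "your computer"
    for name, key in HOPS:
        if key is not None:
            packet = layer(key, packet)  # this hop strips its own layer
        views.append({"hop": name, "sees_traffic_from": sender,
                      "can_read_request": packet == request})
        if key is not None:
            sender = name  # the next hop only sees the previous endpoint
    return views, packet

if __name__ == "__main__":
    # Constructed sample request, sent as plain HTTP so the exit can read it.
    req = b"GET / HTTP/1.1\r\nHost: innov8tiv.com\r\n\r\n"
    views, delivered = send_tor_over_vpn(req)
    for v in views:
        print(v)
    print("website receives:", delivered)
```

Only the ISP and the VPN server see traffic arriving from your computer, and only the Exit Relay holds the readable request, which is the split between "who knows the address" and "who knows the content" that the walkthrough describes.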
VPN over Tor route
The other option is to first launch your browser, enter the address (for instance, innov8tiv.com) and then establish a connection to your VPN service. The data leaving the Tor Exit Relay will still be encrypted by the VPN.
You should know that implementing VPN over Tor is much harder than Tor over VPN. Also, when using this option, you will not be able to use Tor’s Onion Services. It is, however, a great option if you do not trust your VPN service provider, since they will only see the Tor Exit Relay and not your actual IP address.
It is also useful if you want to get around websites that block Tor Exit Relays, since the data the website receives will come from the VPN server. This route is also ideal if you want to choose a VPN server in a certain location so you can circumvent geo-blocking.
Though this is not conclusive, there are situations where Tor over VPN would be recommended and others where VPN over Tor would be. However, for general use, Tor over VPN is recommended since it is easier for the user to set up.
Nonetheless, no matter which route you choose, your ISP will be able to notice that data from your computer is first being routed through a VPN (in a Tor over VPN setup) or through the Tor network (in a VPN over Tor setup).
Some ISPs treat such activity as a red flag and subject it to closer scrutiny. Please note that if the authorities come knocking at your ISP's door with court orders, it will readily hand your activity logs over to them. Hell, they don’t even need a court order to surrender your activity logs; some sell your data to the highest bidder.
When your data gets handed over to people with the right resources and technical skills, they will be able to crack through the encryption and learn your IP address and location. But using a combination of both VPN and Tor makes their work a lot harder, and some may give up along the way.