Cs leek and onion soup image 02 small

VPN-over-Tor


As shown in the table of investigative resources in the Leak and Onion Soup guide, there are some useful web services that reject Tor users as a matter of policy. If you need anonymous access to these sites — or if you need to access them at all while using Tails — your requests will need come from somewhere other than a known Tor exit relay. One way to achieve this, while still enjoying most of the anonymity benefits of Tor, is to add a VPN "hop" after the exit relay at the end of your Tor circuit.

This method is often called "VPN over Tor" to distinguish it from "Tor over VPN" configurations, which work in the opposite direction. (Routing Tor over a VPN adds a VPN hop before your Tor entry relay and is sometimes used to reach the Tor network from locations where it is blocked. We will not be discussing this technique in detail because Tor bridge relays are generally considered a better way to achieve that goal.)

Risks

It is important to understand that supplementing Tor with a VPN does not strengthen the security or the anonymity of your online activities. In fact, it reduces your anonymity in significant ways that we will discuss below. The only reason you should use a VPN over Tor is to gain access to services that block Tor users.

The Tor Project wiki includes an explanation of the risks associated with this configuration, but we will summarise the three main points below.

1. A VPN over Tor does not support "circuit switching":

Tor normally allows different network requests to use different paths through the Tor network, which means they often come from different exit relays with different Intenet addresses. By contrast, all traffic using a VPN connection over Tor will appear to have come from the same location (your VPN server). This is, of course, the point. But it also allows the websites you visit to correlate your traffic more easily.

Here is a simplistic example:

  • You sign into some service with your normal username. An email account, say, or a discussion forum where you need to post with your real identity.

  • In another tab, you sign into a service with a pseudonymous account. (See our Domain Games resource for an explanation of pseudonymity and few concrete examples.)

  • Over time, anyone with the abilitiy to compare traffic records or access logs from both services will have a good chance of figuring out that these two accounts belong to the same person. And this might be easier than it sounds if both sites rely on the same advertising platform or content delivery network (CDN), for example, or if they are subject to ongoing passive surveillance.

2. The anonymity of a VPN over Tor depends entirely on the anonymity of your VPN:

One of the reasons people use Tor is because it provides anonymity that does not require trusting the technical competence of a particular service or its commitment to the privacy of its users. But if you add a VPN server to the mix this way, it will be the thing that connects directly to the services you access. So if your VPN provider is compromised (or sells you out), then the fact that you used Tor to get there may become irrelevant. Ideally, you should:

  • Find a VPN service you trust;
  • Make sure it supports the OpenVPN protocol;
  • Create your account on that service using the Tor Browser or Tails;
  • Register with a pseudonym and an email address that cannot be linked to you;
  • Use an anonymous payment method (as discussed in the Domain Games resource) if necessary; and
  • Do not connect through the VPN or administer your account unless you are using the Tor Browser or Tails.

3. You should only use a VPN over Tor when you absolutely must

The technique discussed below allows you to have two versions of the Tor Browser running at the same time. One will work normally and the other will route your VPN over Tor. For the reasons mentioned above, you should use the non-VPN instance of Tor Browser wherever possible, even if it means having to slog through CAPTCHAs periodically.

Finally, keep in mind that some websites block access from VPNs, as well. According to one researcher's experiment, however, only 11 of Alexa's "top 1000" websites block VPN users, whereas 40 block Tor users. (In an ironic twist, this researcher's blog is itself inaccessible from at least some Tor exit nodes. So, if you're using Tails, you might have to finish working through this guide before you can have a look.) The Tor Project also maintains a wiki page that lists websites known to be inaccessible from Tor.

Configuring a VPN to work over Tor on Tails

This guide was written for Tails and has not been tested with the Tor Browser running on a regular Linux system. It will not work on Windows or Mac OS X devices either, although one could probably modify the vot.sh script, and the steps below, to achieve the same result on those operating systems.

Once you have booted Tails with persistence enabled, preparing your Tails system to use a VPN over Tor requires five steps. You will only have to go through this process once:

  1. Register anonymously with an OpenVPN provider and choose a strong passphrase
  2. Memorize that passphrase or record it securely using KeePassX
  3. Download your VPN provider's .pem CA certificate to the appropriate location and rename it
  4. Make sure you have a properly named and configured .ovpn file in the appropriate location
  5. Download the vot.sh script that you will use to activate the VPN over Tor

Step 1: Register with an OpenVPN provider

For the rest of this guide, we will be using the VPN "Red" service provided by RiseUp. This is a free, privacy oriented service that is well configured and run by a trustworthy organisation. In order to create an account, you will need an "invite code" from a current RiseUp user. If you have one, you can go to the new account page, choose a username that does not provide any hints to your real identity and set a strong passphrase. You should do all of this through the Tor Browser or while running Tails.

If you do not know any RiseUp users from whom to request an invite code — or if you are concerned about being seen to use a VPN that is clearly associated with activists — you can try to tailor the instructions below to work with any OpenVPN provider. If you choose a commercial service, you might want to refer to the Domain Games resource for information about making online purchases anonymously.

Step 2: Record your new account information in KeePassX

Rather than trying to memorise yet another username and passphrase, we recommend that you save it in KeePassX, which comes pre-installed on Tails. This will also help you remember not to use this VPN outside of Tails, which is important for anonymity.

Step 3: Download your provider's CA certificate

The security of your VPN connection depends on obtaining the correct CA certificate from your provider. When downloading certificates, be sure to use an HTTPS link that points to a webpage run by your provider. You can download the RiseUp certificate here and learn more about why it matters here.

Many commercial VPNs come with an installer that includes the CA certificate along with a pre-configured OpenVPN client. We do not recommend running installers like this on Tails, but if you are modifying this guide to work on a regular Linux system and cannot find a secure download link for your provider's CA certificate, you might have to install their software and hunt around on your system to find the certificate so you can copy it to the correct location as shown below.

Download the RiseupCA.pem file from the link above, save it to /home/amnesia/Tor Browser, then run the commands below in Terminal:

mkdir /home/amnesia/Persistent/vpn
cp /home/amnesia/Tor\ Browser/RiseupCA.pem /home/amnesia/Persistent/vpn/vot-ca.pem

These commands will:

  1. Create a folder called vpn inside the Tails persistence directory,
  2. Move the CA certificate there, and
  3. Rename it vot-ca.pem.

Step 4: Create the OpenVPN configuration file

RiseUp's recommended configuration is here. Below is a simplified version with a few minor changes to make it compatible with our VPN over Tor setup.

client
cipher AES-256-CBC
auth SHA256
dev tun
auth-user-pass
proto tcp
remote vpn.riseup.net 443
ca /etc/openvpn/vot-ca.pem
nobind
persist-tun
persist-key
resolv-retry infinite
remote-cert-tls server
chroot

Copy the text above, then run the following command in Terminal to open a text editor and create a new file called vot.ovpn inside the vpn folder:

gedit /home/amnesia/Persistent/vpn/vot.ovpn

Now paste in the configuration above, click [Save] and quit the editor.

Step 5: Download the vot.sh script

The script that will install a temporary copy of the OpenVPN client and use it to connect to your provider through Tor is here. Copy the contents of that script, then run the following commands in Terminal to create a new folder called bin inside the Tails persistence directory and a new file called vot.sh inside that folder:

mkdir /home/amnesia/Persistent/bin
gedit /home/amnesia/Persistent/bin/vot.sh

Now paste in the contents of the script from the link above, click [Save] and quit the editor. Finally, run the following command in Terminal to make this script executable:

chmod u+x /home/amnesia/Persistent/bin/vot.sh

Launching a VPN over Tor

After you have completed the initial configuration steps above, activating your VPN over Tor requires four steps:

  1. From Terminal, run the vot.sh script, which will install the necessary software, configure the OpenVPN client to use Tor and request your username and passphrase so it can connect to your VPN service through Tor;
  2. From a new Terminal window, launch a second instance of the Tor Browser with permission to connect through the VPN;
  3. Disable a proxy setting in the new Tor Browser window; and
  4. Disable a DNS configuration option in the new Tor Browser window.

Step 1: Run the vot.sh script

Launch a new Terminal window and run the script with:

sudo ~/Persistent/bin/vot.sh

Enter your Tails administrative passphrase when prompted. When it is ready to connect, the script will ask for your VPN username and passphrase as well.

Launch Terminal Run vot.sh Sign into the VPN VPN running

When the vot.sh script stops scrolling — assuming it did not exit back to the prompt — your VPN connection should be ready. This typically happens the second time it says, "Initialization Sequence Completed."

Step 2: Launch a new Tor Browser instance

When your VPN connection is ready, you will need to open yet another Terminal window and launch a second instance of the Tor Browser with the following command:

sudo -u vpnuser tor-browser --new-instance

Unlike the regular Tor Browser, this instance will send your traffic through a VPN server after it leaves the Tor network:

Launch new Tor Browser New Tor Browser launched New Tor Browser

As shown above, you will likely see a number of warnings and errors in the terminal while this instance of the Tor Browser is active.

Step 3: Reconfigure your new Tor Browser instance

Before you can use your new Tor Browser to visit websites that block access from Tor, you will need to modify its configuration in two ways:

  1. Disable Tor's SOCKS proxy using the Tor Browser's Preferences screen
  2. Disable the network.proxy.socks_remote_dns configuration using the about:config page

These modifications would normally be a very bad idea because they essentially tell your browser not to use Tor. Thanks to the vot.sh script, however, we now have a VPN connection that does go through Tor. And this version of the Tor Browser will be configured to use it. Just make sure you are modifying the correct instance of Tor Browser!

Follow the steps below to change its proxy settings:

Preferences General preferences Advanced preferences Network preferences Network settings Disable proxy for this instance

Then type about:config into the URL bar, search for remote_dns and follow the steps below to change how it handles remote DNS queries:

about:config warning about:config screen Search for remote_dns Set remote_dns to false

You should now be able to visit websites — including those that block access from Tor — using the windows and tabs of your new Tor Browser instance.

Note: In this new browser, pressing the <Enter> key after typing in a URL may not load the page as it normally would. To load a URL, simply press the arrow button to the right of the Address Bar instead of pressing <Enter>. Don't worry, links still work normally, as does the right-click option to Open Link in New Tab. (If it helps, think of this as a security feature designed to prevent you from accidentally using the wrong browser.)

The Tails website through Tor and a VPN The OpenCorporates website through Tor and a VPN

Keep in mind that if you visit the Tor Check website, it will indicate that Tor is not working. This is because your connection to that page does not come directly from a Tor exit relay. Similarly, if you visit a website designed to show you your own IP address, it should display the address of your VPN server:

Apparent IP address is not a Tor relay Apparent IP address is a VPN

 

As mentioned earlier, even though the vot.sh script prevents you from reaching your VPN without first going through Tor, this setup is still less anonymous than using the Tor Browser normally. So be sure to keep track of which window is which, and only use the Tor-over-VPN instance when you absolutely must.

When you are done accessing sites that block access from Tor, you can shut everything down by restarting Tails or by:

  1. Quitting out of the new Tor Browser instance,
  2. Quitting the vot.sh script by pressing <Ctrl-C> in the terminal where it is running, and
  3. Waiting for Tor to reconnect.