pr0paganda
Combining Tunnels with Tor
Information on whether Tor gets more or less secure when combining Tor with tunnels such as VPN, SSH, proxies. (User → Tor → proxy/VPN/SSH → Internet) (User → proxy/VPN/SSH → Tor → Internet)
Comparison Table
| | User → Proxy → Tor → Internet | User → VPN / SSH → Tor → Internet | User → Tor → Proxy / VPN / SSH → Internet |
| --- | --- | --- | --- |
| Changes IP that Destination Websites (such as IP check websites) can see | No | No | Yes, if correctly configured. |
| Evade Website Tor Bans | No | No | Maybe |
| Evade Network Censor Tor Bans | Maybe | Maybe | No |
| No Loss of Stream Isolation | Yes | Yes | No |
| Browser Web Fingerprint is not Worsened | Yes | Yes | No |
| Extra Tunnel Link does not Require Reconfiguration of Pre-configured Software | Yes | Yes | No |
| No Permanent Exit Relay | Unaffected | Unaffected | No |
| Tor Onion Services (.onion) Connections | Yes | Yes | No |
| Hosting Location Hidden Services | No | No | Proxy: No. VPN: If the VPN supports Remote Port Forwarding, yes. SSH: If the SSH supports Remote Port Forwarding, yes. |
| Increased Tunnel Length | Yes | Yes | Yes |
| Anonymity Effects | Disputed | Disputed | Disputed |
| Tunnel UDP over Tor | No | No | |
Connecting to a Tunnel-link (Proxy/VPN/SSH) before Tor
Domain | Description |
--- | --- |
Connection Scheme | User → proxy/VPN/SSH → Tor → Internet |
Network Traffic | In this case, your Internet traffic will: pass through the ISP as proxy/VPN/SSH traffic; exit the proxy/VPN/SSH server as encrypted Tor traffic; enter the Tor network; and exit the Tor network at a Tor exit node as normal Internet traffic (encrypted or unencrypted). |
Use Cases | You must connect to a VPN or proxy to access the Internet. Your ISP blocks Tor and Tor bridges but does not block the tunnel-link. Concerns exist over de-anonymizing attacks against the Tor network and a user believes a VPN or proxy may help protect their identity in such a case. |
Warnings | A VPN or proxy that knows your identity and/or location may be more willing and able to compromise your privacy than an ISP. If the software configuration does not block all traffic if/when the VPN connection suddenly disconnects, all encrypted Tor traffic will pass through the ISP without warning. This is the default for most VPN configurations and not a Host-specific issue. Workarounds are described in the links below. If Tor use is dangerous in your area, VPNs or SSH may provide insufficient protection (due to software misconfiguration or sophisticated packet inspection). Proxies do not provide encryption and should not be used to try and hide Tor. |
Connecting to Tor before a Tunnel-link (Proxy/VPN/SSH)
Domain | Description |
--- | --- |
Connection Scheme | User → Tor → proxy/VPN/SSH → Internet |
Network Traffic | In this case, your Internet traffic will: pass through the ISP as encrypted Tor traffic; exit the Tor network at a Tor exit node as proxy/VPN/SSH traffic; and exit the proxy/VPN/SSH as normal Internet traffic (encrypted or unencrypted). |
Use Cases | It is necessary to use a VPN or proxy anonymously for a specific reason. It is necessary to connect to an Internet server that bans Tor exit nodes. Concerns exist over de-anonymizing attacks against the Tor network and a user believes a VPN or proxy may help protect their identity in such a case. |
Warnings | Even though Tor will hide the IP address from the VPN or proxy, you can still be located via payment methods, usage logs, or other identifying information the tunnel-link service holds. This configuration prevents access to Tor onion (.onion) services. Malware on Host-Workstation cannot bypass Tor, but it can ignore the VPN or proxy unless a separate Tunnel-Gateway is configured. It is not simple to configure VPNs, SSH or proxies in a foolproof, leak-free manner. However, in the case of Host it is impossible for traffic to bypass Tor, even if the VPN or proxy is misconfigured. When connecting to Tor before a tunnel link, the browser tab stream isolation feature of Tor Browser will be lost (or difficult to access). The reason is Tor Browser will not talk to Tor directly anymore, but will connect to the tunnel-link instead. When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH →) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. This setup is so specialized that very few people are likely to configure it, reducing the Tor Browser user pool to a far smaller subset. Due to potential fingerprinting harm it is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (like Firefox or Chrome). This would further exacerbate the browser fingerprinting risk. |
Maybe it will be useful for someone.
Regards
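The two connection schemes above can be modelled to show what each party learns, including the fail-open VPN drop described in the first Warnings row. This is an added example, not part of the original post; the addresses are constructed placeholders and the names `analyse` and `after_drop` are hypothetical.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (documentation ranges), not from the post.
# "tor" stands for the exit relay address as seen from outside the Tor network.
ADDR = {"user": "198.51.100.7", "vpn": "203.0.113.10",
        "proxy": "203.0.113.20", "ssh": "203.0.113.30", "tor": "192.0.2.99"}

@dataclass
class View:
    isp_sees: str         # protocol visible on the user's access link
    client_seen_by: dict  # hop -> address that hop sees as its client
    dest_sees: str        # source address the destination website sees
    onion_ok: bool        # whether .onion services are still reachable

def analyse(chain):
    """chain: ordered tunnel hops after the user, e.g. ["vpn", "tor"]."""
    if not chain:
        return View("plain Internet traffic", {}, ADDR["user"], False)
    seen, prev = {}, "user"
    for hop in chain:
        seen[hop] = ADDR[prev]  # each hop only learns the hop before it
        prev = hop
    # The ISP sees the outermost layer (first hop); the destination sees the
    # last hop. .onion access needs Tor to be the final hop.
    return View(f"{chain[0]} traffic", seen, ADDR[chain[-1]],
                chain[-1] == "tor")

def after_drop(chain, failed, fail_closed):
    """View once hop `failed` disconnects; None means traffic is blocked."""
    if fail_closed:
        return None
    return analyse([h for h in chain if h != failed])

if __name__ == "__main__":
    for chain in (["vpn", "tor"], ["tor", "vpn"]):
        print(" -> ".join(["user"] + chain + ["internet"]), analyse(chain))
    # VPN before Tor, VPN drops, no kill switch: the ISP now sees Tor traffic
    # and the Tor entry sees the user's real address.
    print("after VPN drop:", after_drop(["vpn", "tor"], "vpn", False))
```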