The Guides of How to get Whonix in Any VPN

Thanks for your guide!

However, there are many considerations one has to take when using a VPN + Tor.

There are multiple setups for Tor+VPN and yours is a Tor-Over-VPN (if I am not mistaken). This will tunnel all your Tor traffic over your VPN.

There are only these reasons to do this that I can think of:

  1. You want to conceal that you are using Tor against your ISP or other network side adversaries that are placed on the route before your guard.
  2. Tor is blocked in your location but you want to use it anyways.
  3. You want to add another layer of protection, in case your adversary can break Tor.

There are a few problems.

1. Concealing Tor usage.

It is impossible to conceal Tor usage against a reasonably skilled and motivated adversary.

If your ISP (usually when ppl say ISP in this context, they mean gov) really wants to see if you are using Tor, they can.

Empty Tor cells that are sent to keep open your connection have a specific size that does not get obfuscated too well by your VPN's padding.
Additionally, Tor connections have very specific timing patterns that can be used to detect Tor usage with a very high degree of certainty, something like 99.99%, even when obfuscated with pluggable transport or VPNs. (I have a scientific paper as a source but cannot find it at this moment. Will search more when requested)

2. Avoid Tor censorship

This might actually work. Chances are tho, that VPN connections are also blocked if your gov decides on blocking Tor. Blocking VPN connections is much easier than blocking Tor+PL, which is why the official recommendation is to use Pluggable Transport and Bridges in this case.

3. Another layer of protection

Honestly: If your adversary can break Tor somehow reliably, which there is no real indication btw, he will laugh at your VPN. In this case we are talking about a fully or at least greatly global adversary. With traffic correlation a VPN will not provide any additional protection. All you do is to shift the trust in your ISP to a VPN.

Of course, this is dependent on threat model and specific case, but I would argue that a VPN, which is usually used for “shady traffic”, is under much more surveillance by your adversary than all ISPs. Many attacks on Tor anonymity need your adversary to listen on the connection between you and your guard. It just makes a lot of sense for an adversary planning on de-anonymizing people to very closely monitor traffic to VPNs. Monitoring ISPs is another option, but this is much more costly because there are many more ISPs than VPNs.

Here are other sources for this:
Matt Traudt
Whonix wiki
Tor Project FAQ
Tor trac

5 Likes