In Hitchhiker’s guide to anonymity the best scheme to use is Tor over VPN over TOR. However, I need to hide my Tor activity from my ISP and in my country Tor is banned, so I need a VPN in the beginning of the scheme. Is there a guide on how to set up such a scheme? Can I clone this guy’s networking, is it safe to use?
That’s interesting. Have you tried bridges?
I think that by using a Monero-paid VPN I will be more stealthy and hide my activity fully from my ISP, since like at least 25% of our country’s population uses VPNs. Also, our country actively bans bridges, and getting one that isn’t banned without using Gmail or Telegram (which is not anonymous) is difficult.
But you add another link to your security chain that way. AFAIK use of VPN with tor is not recommended. Tor is vpn.
Unless your concern is legal pursuit just for the fact that you use tor, I believe you’re better off using tor bridges. Additionally, it should be faster that way.
Or use only VPN for that matter.
Alternatively, if your task is to bypass government’s efforts to block stuff, use ssh tunnels to private servers. As long as the server is not known to provide the bypass, it is very unlikely to get blocked.
edit: I think some VPN providers did exactly that at some point. Don’t hire them. Since their servers are used by many people, it is relatively easy to sus them out.
I’m just replacing my ISP with another one, it certainly won’t degrade my anonymity
I would rather put that into “depends on your threat model” category. It is positive if your ISP is likely to be a threat, and negative if VPN is likely to be a threat. Basically depends on who wants to get you. Tor is useful against both (again, unless the use of tor itself is evidence, check your legal system).
Keep in mind that the use of VPN does not magically remove your ISP from the equation. Deanon by correlation is a thing.
I think that my ISP glows more than MullvadVPN or IVPN does. Also, unobfuscated usage of tor (without vpn) can lead to activity correlation attacks (user posted something at 20:10, see who was connected to tor at 20:10, exclude from the list of suspects the ones who are not connected, repeat until one person remains) by itself, and it’s easier to perform such attacks than a general traffic correlation attack
Although I do agree that ISPs in general glow more than VPNs, the use of VPN does not remove the problem of ISP. Much worse is the fact that VPN doesn’t need to glow to be a threat because jurisdictions and laws exist. Loglessness is not useful if a powerful entity is targeting you - they can “convince” the VPN to let them monitor everything. This is much harder to do when you are randomly picking tor nodes and there is no hop in between to take control of.
Please, tell me more. How is that easier to get a correlation attack on tor in comparison with VPN+tor? It should be identical, especially if your ISP glows. But tbh all non-redundant solutions will expose you to a possibility of a correlation attack. In case of your ISP glowing, have a backup connection not directly related to you and UPS. And if you use tor directly - set more bridges, and don’t use them immediately after acquiring.
There is nothing particularly deanonymizing about openly using tor. In fact, it is better for the network because the more people openly use it the harder it gets to find who does what, the more plausible deniability it gets, and it might make it harder to lobby against.
Edit: Actually, you don’t even need to trust me. I’ve just stumbled upon this article while reading about minimal templates:
Because if I use VPN my ISP doesn’t know what I am accessing with VPN and if I am accessing Tor, so it can’t log the time that I accessed Tor at and correlate that to my activity on, for example, a forum, and over a long time of activity under a persistent identity on a forum it can certainly say that my real identity is tied to the virtual one based on times real me accessed tor and virtual me logged on the forum and posted something. With VPN it’s possible to perform such attacks but it’s significantly harder.
My country is not really a democratic one and tor is already banned
They don’t know what you’re accessing over tor either, and they can correlate both. Check the article.
Tor removes one of the entities you need to trust with no loss.
If you are doing anything that must be hidden, please never use persistent identities.
This is exactly my point of interest. Why do you think that this is harder?
If the usage is persecuted, I’m sorry. Otherwise, you can bypass the ban with bridges.
Yeah, now I have been convinced that VPNs before tor are useless. What can you say about TOR->VPN->TOR scheme?
Oh, I thought it was a typo. Running tor over tor is highly discouraged and leads to unknown results (this is about plain tor over tor, without vpn). I have no idea whether it makes it better or worse if you put VPN in the middle. But it certainly will make your connection extremely sluggish.
VPN as exit actually makes some sense, mainly from the perspective of you being able to access destinations that block tor and don’t block VPNs, but you lose on anonymity. See the same article (tor + VPN in the table):
This guide recommends it as the scheme with the best anonymity. You haven’t heard about this scheme at all?
I think they actually recommend vpn → tor → vpn:
But no, I haven’t heard of this.
They recommend it in their “conclusion” comparison table
Idk they do that but then link to the same whonix documentation that says that this is a bad idea
I think you should ask this on more competent forums, like whonix or tor.
Yeah, I will do that. Also, doesn’t whonix discourage only plain tor-tor usage, and there is no information about tor-vpn-tor on their website?
No, their documentation says that both vpn as entrance and vpn as exit harm anonymity. Tor’s documentation says that tor over tor is uncharted territory, and it is risky to go there. All this makes me generally suspicious of tor → vpn → tor for no particular reason.
Oh, I forgot to tell this. I also found tor-vpn-tor usage from this guy’s post about rate my opsec. No one there said that it’s a bad idea