What is “Onion over VPN”? Tor explained

Tor provides a lot of privacy online, but it is struggling with network censorship. Multi-hop and decentralized VPNs can help

Author: Nym
12 mins read

If you’re looking for a way to protect your privacy online, you’ll probably have heard of the Tor network, and maybe you already use a Virtual Private Network (VPN). Some VPNs try to sell users an advanced feature called “Onion over VPN,” which simply means using a VPN before you access Tor. The idea that a VPN service has some specific technology for this is just a gimmick: unless a VPN service refuses connections to Tor, any VPN can be used in an Onion over VPN setup.

If you’re using or curious about Tor or VPNs, you’re looking for privacy and anonymity in what you do online. Both are online privacy tools, but they are by no means the same thing. Tor is a decentralized network providing a sophisticated privacy service: it encrypts user traffic through its unique “onion” protocol before routing it through multiple volunteer servers around the world. VPNs alternatively route user traffic through their company servers before accessing the web (how many servers a VPN uses depends, but the traditional model is one). So why use the two together, and what would that do from a user’s perspective?

One of the big current issues with Tor is that its network has been subject to attacks, blacklisting, and censorship. This is partially because of an unjustified association of Tor exclusively with illicit traffic, but most often it is done to block its ability to make users anonymous online. As a result, users accessing the public web via the Tor network may find themselves unable to reach websites and services they need, because those services block Tor traffic. In some cases, an Internet Service Provider (ISP) might prohibit Tor access altogether for an entire country.

As we will see, Onion over VPN is one method of getting around these prohibitions on using the Tor network for privacy. By connecting to a VPN before Tor, certain client-side restrictions on Tor use can be bypassed; this does nothing, however, about Tor blacklists on the server side.

Given the privacy powers of new decentralized VPNs (dVPNs), this is now an unnecessary configuration. To see how dVPNs can simplify and improve online privacy for users, we need to first understand what Tor is, the internet access restrictions we might encounter while using it, and how to choose the best VPN architecture for the privacy we need.

Here you can find a full comparison of Tor and other services.

The Tor network: Onion explained

Tor is a decentralized network launched in 2002. Its name (short for “The onion router”) comes from its novel way of encrypting and decrypting user traffic as it passes through a multi-hop network of volunteer operator servers or relays.

Onion encryption

Data encryption is a cryptographic process of encoding a data packet so that only a designated sender and recipient have the access keys to view its contents. If third parties intercept and try to decipher the data in transit, it would be virtually unreadable.

Before transiting through the Tor network, user data is encrypted three times on the user’s device, forming distinct encryption layers around it like an onion (not counting the additional encryption likely provided end-to-end by the web recipient). Each layer has a specific key which corresponds to a decryption key possessed by a particular Tor node (or server relay) on the Tor network. At the inner core of the titular onion is your data: this will only be made available in the clear to the intended recipient on the public web once all the layers of encryption are removed in leaving the Tor network.

Multi-hop routing

The Tor network uses a multi-hop routing architecture to transmit user traffic before forwarding it to its final destination. This involves three hops: an entry node, an intermediary node, and an exit node which connects with the public web. When a data packet arrives at a node, that node uses its key to remove the outermost remaining layer of encryption, revealing only where to send the packet next. The process repeats at each hop until the data leaves the exit node and arrives at the intended destination on the public web.

Who are Tor servers?

Tor relies upon volunteers to run independent servers which route user data through the network. This has the benefit of ensuring a decentralized network, but also has certain drawbacks. A peer-to-peer (P2P) network is a similar architecture, though Tor is not technically P2P.

Purposes of using Tor

By using the Tor network, user traffic is made more private and difficult to trace, while also giving users access to anonymous service providers. Here are some privacy benefits of Tor in summary:

  • Layered encryption. Onion encryption can provide significant security for your data in transit against attempts to access the contents of what you’re doing or sending.
  • Decentralized routing. Multi-hop routing makes data tracking significantly more difficult than single-server VPN services, and miles above direct access to the public web via its default encryption protocols.
  • Access to Tor sites. Tor also gives users access to unique .onion sites which can only be accessed through the Tor network. These sites provide privacy for certain services (research, email, purchases, etc.), while the Tor network is about client privacy across the public web.

What is Onion over VPN?

What is called “Onion over VPN” is really just the combination of two different tools: a VPN service which encrypts and routes user data before accessing the Tor (or Onion) network. The primary purpose of this configuration is to access the Tor network if it is blocked on the client side. But it does nothing if Tor is blocked on the server side. So let’s figure out how these work together.

Virtual Private Networks (VPNs)

A VPN is a privacy tool which routes user traffic through a service provider’s own server(s). Like with Tor, your data is encrypted on your device, but with a traditional VPN only one layer of encryption is used. Once encrypted, your traffic is tunneled to the VPN server. There your IP address is replaced with the company’s own public address before your traffic is finally sent to its destination on the web. When the recipient sees the origin of the traffic, it will appear to come from the VPN and not you.

Traditional single-server VPNs can do a lot to make you anonymous in what you do online, but they have structural vulnerabilities which put user data at risk. However, there are now different architectures for VPNs: dVPNs significantly increase the privacy of users over traditional single-server VPNs.

Onion over VPN

“Onion over VPN” does not refer to a special type of VPN, and the Tor network is not a VPN service. Onion over VPN simply means that you’re using a VPN before you access the Tor network. So all of your traffic first passes through a proxy server (which likely centralizes its data) before being routed, in the way described above, through Tor’s multi-hop network of nodes and onion encryption procedures. The “onion” system can be said then to “cover over” the original VPN connection, because the public web will see the traffic coming from Tor and not from a VPN.
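The following is an added example, not code from the original post or from Nym or the Tor Project. It models the layered encryption and hop-by-hop peeling described in the multi-hop routing section above, and then goes one step further by prepending a VPN hop, so the same code also shows what the Onion over VPN setup looks like from each server’s point of view. The cipher is a deliberately simple SHA-256 keystream (not Tor’s real protocol, and not authenticated), the node names and demo keys are constructed, and the source-routed “next hop inside each layer” layout is a simplification of the article’s description rather than Tor’s actual circuit construction.

```python
import hashlib
import os

# Toy symmetric cipher for illustration only: a SHA-256 counter-mode keystream
# XORed over the message. It only models "each node holds one key and can strip
# exactly one layer"; do not reuse it as a real cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def build_onion(payload: bytes, route: list, destination: str) -> bytes:
    """Wrap the payload in one encryption layer per hop, innermost layer first.

    route: list of (node_name, node_key) in forwarding order (first hop first).
    Each layer, once decrypted by its node, yields:
        1-byte name length | next-hop name | the still-encrypted inner blob
    """
    blob = payload
    next_hop = destination            # the exit node forwards to the real destination
    for name, key in reversed(route):
        header = len(next_hop).to_bytes(1, "big") + next_hop.encode()
        blob = encrypt(key, header + blob)
        next_hop = name               # the hop before this one must forward to this node
    return blob

def peel(key: bytes, cell: bytes):
    """A node strips its own layer and learns only the next hop, nothing else."""
    plain = decrypt(key, cell)
    n = plain[0]
    next_hop = plain[1:1 + n].decode()
    return next_hop, plain[1 + n:]

def route_through(cell: bytes, route: list, destination: str):
    """Simulate forwarding hop by hop; record what each node sees after peeling.

    Returns (trace, final_payload) where trace entries are
    (node_name, next_hop_it_learned, blob_it_forwards).
    """
    trace = []
    expected = route[0][0]
    for name, key in route:
        if name != expected:
            raise ValueError(f"cell reached {name} but was addressed to {expected}")
        next_hop, cell = peel(key, cell)
        trace.append((name, next_hop, cell))
        expected = next_hop
    if expected != destination:
        raise ValueError("exit node did not unwrap the expected destination")
    return trace, cell

# Constructed demo: a VPN hop in front of a three-node Tor circuit (Onion over VPN).
# Keys are derived from fixed strings purely so the demo is reproducible.
HOPS = ("vpn", "entry", "middle", "exit")
DEMO_ROUTE = [(n, hashlib.sha256(b"demo-key-" + n.encode()).digest()) for n in HOPS]
DESTINATION = "web:example.com"
PAYLOAD = b"GET / HTTP/1.1"

def run_demo():
    cell = build_onion(PAYLOAD, DEMO_ROUTE, DESTINATION)   # four layers: VPN + 3 Tor
    return route_through(cell, DEMO_ROUTE, DESTINATION)

if __name__ == "__main__":
    trace, data = run_demo()
    for name, next_hop, blob in trace:
        print(f"{name:6} -> forwards to {next_hop:16} ({len(blob)} bytes, payload visible: {PAYLOAD in blob})")
    print("delivered:", data)
```

Running the demo shows the point the article makes about each party: the VPN peels its layer and learns only that the next hop is the Tor entry node, the entry node learns only the middle node, and the request text is visible to nobody until the exit node removes the last layer. It also shows why the VPN cannot hide Tor use from the destination: the exit node, not the VPN, is what the web server talks to.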

Why use Onion over VPN?

The primary reason to use a VPN before accessing Tor is to bypass ISPs and other networks that block or blacklist Tor access. If the country you’re living in wants to stop you from anonymizing your life online via Tor, a VPN activated before can help get around it. Onion over VPN, however, does not prevent web services from denying you access when using Tor, since they will see Tor’s public IP address as the exit node of your traffic.

Another idea is that an Onion over VPN setup will provide an additional privacy layer on top of that which is already provided by Tor. Technically, this is true: it is another unlinkable hop and encryption layer. However, Tor privacy is already very robust (three hops, three layers of encryption). And, as we will see, an Onion over VPN setup can lead to significant performance issues.

Pros and cons of Onion over VPN

Here are the possible benefits of an Onion over VPN setup that might interest you, as well as their noteworthy downsides regarding performance.

Pros

  • Tor network entry cover. When connecting with Tor, the first entry node can see your IP address. By using an Onion over VPN setup, the entry node will see the VPN IP address instead.
  • Bypassing Tor restrictions. When using Onion over VPN, your ISP will see you’re using a VPN, but not that you’re using Tor. If your ISP blocks or censors Tor access, you might be able to bypass this restriction. If a local network (like a school or work network) blocks Tor, the VPN might get around this.
  • VPN in the dark. Since your VPN will be connected only with the first Tor entry node, the VPN will not know the sites you visit or your activity while there. This is because your traffic will be multi-hopped through an intermediary and exit node on the Tor network before accessing the public web.
  • Browser choice. An Onion over VPN setup can allow users to have higher privacy for sensitive traffic on the Tor browser, while switching to a normal browser for non-critical tasks without turning off the VPN’s general protections.

Cons

  • Speed. Onion over VPN can cause a noticeable drop in connection speeds. Tor traffic can already have increased latency (since it is layer-encrypted and multi-hop). Adding an additional encryption stage and server relay can significantly exacerbate this problem.
  • Tor blocking. Websites and apps can still see you’re using the Tor network and might report or block you. This is because the Tor exit node is the final and visible server before data is received on the public web. Many services and websites can block Tor IP addresses which are public.
  • Most VPNs know your IP address. The very fact that you’re using a VPN means that the service will see your IP address and can link it to your connection with the Tor network, even if your traffic will be further obscured once on Tor. And centralized logging is a primary means for the data tracking of users across networks.
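The “Tor blocking” point above is worth seeing from the server side. The following is an added example (not from the original post) of how a web service can recognise Tor traffic in its own access logs: it compares each client address against a list of Tor exit addresses and reports the matching requests. Both the exit list and the log lines are constructed samples using documentation IP ranges; in practice the list would be refreshed from the publicly available Tor exit-address data.

```python
import ipaddress
import re

# Constructed sample standing in for the public Tor exit-address list.
# These are documentation addresses, not real relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real Tor relays
198.51.100.7
198.51.100.23
203.0.113.88
not-an-ip
"""

# Constructed sample in the Apache/nginx "combined" access log format.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Mar/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:12:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.88 - - [10/Mar/2024:09:13:11 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:14:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
garbage line that does not parse
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def load_exit_list(text: str) -> set:
    """Parse one address per line; comments, blanks and malformed entries are skipped."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue   # a bad entry should not make the whole list unusable
    return exits

def tor_exit_hits(log_text: str, exits: set) -> list:
    """Return the requests whose client address is a known Tor exit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than crash
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if ip in exits:
            hits.append({
                "ip": str(ip),
                "time": m["ts"],
                "request": m["req"],
                "status": int(m["status"]),
            })
    return hits

if __name__ == "__main__":
    for hit in tor_exit_hits(SAMPLE_ACCESS_LOG, load_exit_list(SAMPLE_EXIT_LIST)):
        print(f'{hit["time"]} {hit["ip"]} {hit["request"]} -> {hit["status"]}  [Tor exit]')
```

What this reveals is only that the request came through a Tor exit relay; it says nothing about who the user is, and it is unaffected by any VPN the user put in front of Tor, which is exactly why Onion over VPN cannot get around server-side Tor blocks. Operators who use such a check are better served by differentiated handling (extra verification on sensitive actions, rate limits) than by a blanket block, since the same exit address is shared by many legitimate users.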

Double VPN vs Onion over VPN

We’ve recently explained the idea behind a Double VPN, which basically just means either a 2-hop VPN service, or the process of using two different VPN services at the same time. Like Onion over VPN, this just beefs up user privacy while likely slowing things down.

Similarities

  • Latency. Double VPN and Onion over VPN can result in significantly slower connection speeds.
  • Encryption. Both setups encrypt your web traffic more than once.
  • IP address obfuscation. Onion over VPN will hide your IP address from the Tor entry node. Double VPN will hide your IP address from the second VPN server, and if accessing Tor, will hide both your IP address and that of VPN server 1 from the Tor entry node.

Differences

  • Software. Onion over VPN utilizes two types of anonymity software: VPN software and the Tor network (which can be accessed by clients with the Tor browser). Double VPN only uses VPN software, which centralizes your risk.
  • Encryption. Onion over VPN encrypts your data four times (once with the VPN and three times with Tor), while Double VPN only encrypts it twice.
  • Protocol compatibility. Double VPN supports both UDP and TCP, while Onion over VPN only supports TCP.
  • Tor specific access. You cannot access .onion websites with a Double VPN alone since you won’t be connected to the Tor network. Onion over VPN supports access to these sites because Tor is accessed after the VPN hop.

Verdict on Onion over VPN

The key thing to keep in mind is an Onion over VPN setup simply combines two different things: a VPN and the Tor network. It is not a meaningful VPN product you can purchase.

Tor is a decentralized overlay network and not a specific product. For most people, the Tor browser or a Tor-enabled email client are the accessible, client-side tools for reaching the Tor network. The Tor browser specifically adds extra protections while accessing the Tor network, such as clearing cookies and resisting the device fingerprinting that makes normal browsers susceptible to data tracking. Some operating systems can even be configured to run all user traffic through Tor.

Using a traditional VPN service will always be a risk because they generally use single-server routing architectures. All your data will pass through one spot. This is the real structural vulnerability for users concerned about the privacy of their activities online. All it takes is one cyber attack, data breach, or government demand for traffic logs to reveal the metadata records of client activities.

Thankfully, new advances in decentralized VPN technology are now available for users looking to protect their online data, avoiding the complicated two-part setup of an Onion over VPN.

Decentralized mixnets for privacy

If you are looking for robust privacy in a VPN service that is similar to the multi-hop and onion encryption provided by Tor, but which isn’t subject to the same kinds of limitations, NymVPN has you covered. There is no need to even combine a VPN with the Tor network, since NymVPN is built on a similar decentralized design with even more robust privacy protections through its novel mixnet.

NymVPN can even be customized to your privacy needs while also optimizing speed when needed:

  • For general privacy protection, a fast 2-hop dVPN powered through WireGuard offers robust protection exceeding other traditional and dVPNs on the market.
  • And an unparalleled 5-hop mixnet mode can be chosen for specifically sensitive traffic, like communications and crypto transactions.

If you’re concerned about your online privacy and security, join Nym in making these the default options for everyone worldwide.
