Tor vs VPN: which should you use?
Comparing the two anonymous browsing heavyweights to decide which is best
Picking the right service to keep your data out of the hands of hackers and spies can be overwhelming. A VPN will improve your privacy dramatically, but the prices might be a little off-putting. If you’ve started researching free alternatives, you’ve probably come across the Tor project.
Both Tor and VPNs have their own use case, but they’re difficult to compare at face value. I’ve put together a comparison to help you understand how Tor differs from a VPN, how they both work, and which one is better for everyday use.
By the end you'll have a clearer understanding of which option suits your needs best.
Tor vs VPN: the basics
Let's start with a quick refresher of what a VPN is. A VPN, or Virtual Private Network, allows you to establish an encrypted virtual network over the Internet. VPN providers create an encrypted tunnel between your computer and their servers and direct all your traffic through it when you’re browsing the Internet. This has several advantages over using an unencrypted Internet connection.
Firstly, the encrypted tunnel between your device and the VPN server ensures that nobody can snoop on your traffic along the way. This is very useful if you’re concerned about your internet service provider (ISP) recording your Internet traffic, but it also has the added benefit of making sure nobody can spy on you if you connect to insecure networks like public Wi-Fi. VPNs also enable you to connect to servers almost anywhere on the globe, granting access to services that are otherwise restricted due to copyright or geographical filtering. To keep these networks up and running, VPN providers manage a network of rented and bought servers exclusively for their VPN services.
The Onion Router, or Tor, works similarly on the surface, but it’s very different under the hood. A VPN establishes a direct encrypted connection to a VPN server, while Tor routes your connection through a series of volunteer-operated nodes within the Tor network. This routing through various peers acts as a bridge between your device and the wider Internet. Along the way, each time a node redirects your traffic, a layer of encryption is stripped back. This stops any individual node in the network from knowing the entire route of your traffic. This is an important aspect of Tor, as anyone can opt to become a node in the Tor network.
As there’s no way to verify who’s providing Tor nodes, there’s some risk involved with using the Tor network. If you send data through Tor, it comes out in the same state it was put in. This means that there's a possibility that the exit node you're using could intercept and record any data passing through it. Plus, hackers frequently monitor Tor exit nodes to capture useful data such as login credentials, unencrypted communications, and browsing habits. It’s not just criminals, either—intelligence agencies also regularly monitor the Tor network to try and track down fraudsters and drug dealers.
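The layer-by-layer stripping described above, and why the exit node ends up holding your data in the state you sent it, can be seen in a small simulation. This is an added example, not code from the Tor project: the relay names, keys, destination and message are constructed, and the hash-based stream cipher is a toy stand-in for Tor's real cryptography.

```python
import hashlib
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (illustration only, no integrity protection):
    XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(route, keys, destination, message):
    """Client side: add the exit's layer first and the guard's layer last."""
    cell, next_hop = message, destination
    for relay in reversed(route):
        nonce = os.urandom(16)
        cell = nonce + keystream_xor(keys[relay], nonce, next_hop.encode() + b"\n" + cell)
        next_hop = relay
    return cell

def peel(relay_key, cell):
    """Relay side: strip one layer, learning only the next hop."""
    plain = keystream_xor(relay_key, cell[:16], cell[16:])
    next_hop, inner = plain.split(b"\n", 1)
    return next_hop.decode(), inner

def run_circuit(message):
    """Send one message through a three-relay circuit and record what each relay learns."""
    route = ["guard", "middle", "exit"]  # hypothetical relay names
    keys = {r: hashlib.sha256(b"constructed-key-" + r.encode()).digest() for r in route}
    cell = wrap(route, keys, "example.com:80", message)
    seen = {}
    for relay in route:
        next_hop, cell = peel(keys[relay], cell)
        seen[relay] = {"next_hop": next_hop, "sees_plaintext": cell == message}
    return seen

if __name__ == "__main__":
    # Constructed request sent without TLS
    for relay, view in run_circuit(b"POST /login user=alice&password=constructed").items():
        print(relay, view)
```

Only the exit relay learns the destination and sees the original bytes, which is why anything sent without TLS is readable at that point.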
There’s also the issue of coverage. While most VPNs tend to cover your entire network connection automatically, Tor software only covers applications that you’ve specifically configured to work through the Tor network connection.
Tor vs VPNs: day-to-day use
You might be considering Tor as your primary privacy tool, but it’s not a great idea. There are several areas where VPNs outright beat Tor, mostly when it comes to convenience. For example, when you connect to the Tor network you’ve got limited control over where your traffic will end up. You can only choose which countries your exit nodes are in, and if there are no exit nodes in that country you’re out of luck. In contrast, most VPN services allow you to select your endpoint location down to individual cities, enabling you to choose specific locations for unblocking services like Netflix, BBC iPlayer, and others. Larger providers host dedicated servers in almost every country on the globe, including geo-spoofed servers for countries that are otherwise hostile to hosting VPN services.
Tor exit nodes are also unreliable. Since anyone can join the Tor network at any time, there's a significant amount of low-quality traffic emanating from Tor exit nodes, including email spam, denial-of-service attacks, and malware distribution. Tor publishes a default list of all known exit nodes, making it simple for service providers to systematically block Tor access to their systems. Consequently, when you connect to the Tor network, cloud services like Cloudflare will quickly identify your connection as originating from Tor, which can in turn lead to extra CAPTCHA checks or even being banned from certain websites depending on their policy.
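How a service provider uses such a list is straightforward to sketch. The following is an added example, not code from Tor or from any provider: it assumes an exit list with one address per line, and both the list and the access-log lines are constructed samples using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation ranges), not real Tor exits.
EXIT_LIST = """\
# constructed sample, one address per line
192.0.2.10
198.51.100.77

not-an-ip
"""
ACCESS_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 1024',
    '::ffff:198.51.100.77 - - [01/Jan/2025:10:00:03 +0000] "POST /login HTTP/1.1" 403 0',
    '192.0.2.10 - - [01/Jan/2025:10:00:04 +0000] "GET /account HTTP/1.1" 200 2048',
]

def normalise(text):
    """Parse an address; unwrap IPv4-mapped IPv6 so both forms compare equal."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return getattr(addr, "ipv4_mapped", None) or addr

def load_exit_list(text):
    """Build a set of exit addresses, skipping blanks, comments and bad entries."""
    exits = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        addr = normalise(line)
        if addr is not None:
            exits.add(addr)
    return exits

def tor_requests(log_lines, exits):
    """Count requests per client address that appears on the exit list."""
    hits = Counter()
    for line in log_lines:
        addr = normalise(line.split(" ", 1)[0])
        if addr in exits:
            hits[str(addr)] += 1
    return dict(hits)

if __name__ == "__main__":
    print(tor_requests(ACCESS_LOG, load_exit_list(EXIT_LIST)))
```

The IPv4-mapped case matters on dual-stack servers, where the same exit address can be logged in either form and a plain string comparison would miss it.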
On the other hand, VPN providers have an economic incentive to maintain pools of high-quality IP addresses for their users. To keep these IPs from being blacklisted, VPN providers conduct automated checks to ensure that traffic from their servers is free of malicious activity.
VPN providers also invest in high-quality servers to maintain fast and stable connections for users. Browsing on Tor is much more inconsistent since it relies on a volunteer-based infrastructure. While some universities and nonprofit organisations contribute powerful backbone servers to the Tor network, many Tor users are volunteers offering their home computer connections' processing power and bandwidth.
There's no definitive way to distinguish between a good or bad Tor node; you simply have to connect and see. As I’ve mentioned before, there's no guarantee of protection against spying when using Tor. While this is also true for low-quality VPN providers, reputable VPN providers undergo third-party audits to demonstrate their no-logs policy, providing you with a high level of assurance that your data is in safe hands.
Connecting to the Tor network could mean connecting to practically any computer on the planet. Even the Tor project recommends that you don’t send personally identifiable information through the network if you’re concerned about anonymity.
Why use Tor?
I’ve been pretty harsh on Tor so far, but it’s actually an incredibly useful tool. It’s not the fastest or the most convenient way to use the Internet, but it's built from the ground up for security and privacy. Some VPN services offer insecure and easily breakable VPN protocols like PPTP or L2TP. These protocols are only marginally better than having no encryption at all. The Tor network only uses Onion routing which, despite several attempts to break the core protocol, seems to still be resilient against deanonymization attacks.
Tor comes in a few different forms. As I’ve mentioned previously, you can download the Tor client and use it as a proxy for your network-enabled software. However, the Tor project recommends you use the Tor Browser, which incorporates Tor directly into its connection protocol for internet browsing. There's no need to configure proxy settings or perform any other setup; you just launch the Tor Browser and you're connected.
There are a few security considerations, though. You shouldn’t run JavaScript through the browser because it opens up a wide variety of techniques that can fingerprint your browser. You also shouldn’t run BitTorrent through the Tor network as it can stop you from being anonymous, defeating the point of using Tor.
If you want to integrate more tools into a Tor environment then there's Tails, which is the operating system companion to the Tor Browser. Tails is designed to seamlessly integrate with the Tor network without sending any data over your unencrypted default Internet connection. You can download Tails directly onto a USB stick and run it without leaving any traces on your hard drive, significantly reducing the risk of compromising your internet activities.
This "RAM-only" approach mirrors how top VPN providers can run their servers without ever storing any of your internet data by running the entire operating service in RAM.
Above everything else, Tor is free. There’s no registration required and no payments, either. If you’re worried about your finances being monitored, Tor’s a great option to create an encrypted lifeline with the outside world.
Can you use a VPN and Tor?
There are two different ways to use Tor and VPNs together, both of which have their upsides and downsides. My recommendation is that you use "Tor over VPN", where you connect to your VPN first and then route that connection through the Tor network.
Not all VPNs allow you to route Tor data through their connection, so check that your provider does first. When you run it this way, you’re effectively hiding your Tor usage from your ISP. The VPN provider also remains unaware of the data you're transmitting since it's already encrypted when it passes through the VPN connection and routed through Tor. This means that your VPN acts as the starting node for the Tor connection, concealing your home IP address from whichever Tor node you connect to.
However, this setup doesn't address the issue of your data being stripped of all encryption (except TLS) once it reaches a Tor exit node. Despite this limitation, combining Tor with a VPN can significantly enhance anonymity when accessing services within the Tor network itself.
The other option is “VPN over Tor”, where you route your VPN connection through Tor. I personally don’t think this is usually a good idea. When you route your VPN connection through Tor, you’re signalling to your ISP that you're using the Tor network. You’ll also encounter bandwidth constraints which will throttle your VPN connection, resulting in slower speeds.
The only benefit of combining a VPN with Tor this way is that your endpoint will be a VPN, meaning reduced security checks and access to blocked content you might not be able to access through Tor. However, the significantly slower connection speeds mean it’s hard to take advantage of this to stream or play games. You also won’t be able to access any of the Onion networks.
Additionally, while routing through Tor may obscure your VPN provider's detection of your online activities, if you don’t trust your VPN provider then you probably shouldn't be using it. It's wiser to opt for a trustworthy VPN provider from the outset, rather than attempting to obfuscate your connection by wrapping it with Tor.
Are decentralized VPNs better than Tor?
Decentralised VPNs operate on a similar principle to Tor, utilising a network of volunteer-powered nodes to anonymise your internet data as it traverses the web. However, unlike Tor, decentralised VPNs often incentivise participants to maintain high service quality by compensating their node operators. This theoretically addresses the issue of low-quality nodes affecting service reliability. However, there are several drawbacks to this model.
Firstly, it doesn't entirely resolve the concern of exit nodes potentially snooping on traffic. Any VPN encryption scheme has to be decrypted back into the original traffic at the exit node, meaning that you now need to trust the entire network instead of a single entity as with a VPN.
Secondly, while there's an economic incentive for providing high-quality service, there's no guarantee of achieving the same speeds as with professionally run VPN services. VPN providers use data centres to power their VPNs, whereas decentralised VPNs tend to be made up of home computer connections contributing to the network.
It’s also questionable how much of an incentive receiving payment really is. So far, all of the decentralised VPN projects I’ve seen trade in their own cryptocurrency tokens instead of an established cryptocurrency like Bitcoin. The value of these tokens may fluctuate and companies may fold, rendering these accrued tokens worthless. I'm sceptical about the future of decentralised VPNs, as they seem to encompass the worst of all worlds.
If you’re looking to stay anonymous online, in my opinion there are only two options: investing in a premium VPN service offering guaranteed long-term service quality or adopting a highly privacy-conscious approach using free and open-source software…like Tor.
Tor isn’t built to be a one-size-fits-all privacy tool. It’s intended for a few very specific use cases, most of which involve evading monitoring by government entities and law enforcement. It’s a double-edged sword: a completely free service which anyone can use and abuse at will, enabling journalists to research and disseminate otherwise life-threatening news while simultaneously propping up a shady underworld of illicit services.
VPNs are far more useful for everyday use, but you’re potentially trusting your VPN provider with your payment details, your home IP, and your browsing data. If you don’t trust your VPN provider to keep your data secret, or you’re worried about your payment being traced, you might be better off using Tor.
Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.