Onion Over VPN - What is it and Does it Guarantee Online Safety?

The outer layer hides that you're using Tor at all. The inner layers handle where you're going. Neither one alone does both.

"Onion over VPN" means connecting to a VPN before opening Tor — so your traffic goes VPN → Tor entry node → Tor middle relay → Tor exit → destination. The practical effect: your ISP sees VPN traffic instead of Tor guard node connections, and the Tor guard node sees your VPN provider's IP instead of yours.

In September 2024, German law enforcement confirmed they had deanonymized a Tor user by running timing analysis on guard node connections at the ISP level. Onion over VPN blocks that specific attack. That's the clearest real-world argument for the configuration yet.

What you need to know:

  • Onion over VPN hides Tor usage from your ISP. Your ISP sees VPN traffic, not Tor connections. This is the primary practical benefit.
  • The Tor network still anonymizes your destination. The VPN provider knows you're using Tor but cannot see what you're doing on it.
  • The 2024 German timing analysis case — where police deanonymized a Tor user via ISP-level guard node correlation — is exactly the attack this configuration defends against.
  • Speed is the main tradeoff. Traffic routes through additional hops; expect 3–5× slower than a VPN alone, and slower than Tor alone.
  • For most users, Tor alone is sufficient. Onion over VPN is for users who specifically need to hide their Tor usage from their ISP or bypass Tor blocking.

I've run both configurations — Tor alone and VPN-before-Tor — across different network environments. The speed cost is real and worth knowing about before committing to it.


What Tor Alone Does and Doesn't Hide

Tor routes your traffic through three relays — guard node (entry), middle relay, exit node. Each relay knows only adjacent hops, not the full circuit. The destination site sees the exit node's IP, not yours.

What Tor hides:

  • Your real IP from the destination
  • Your destination from your ISP (they see Tor traffic, not where you're going)
  • Content from relay operators (encrypted between hops)

What Tor doesn't hide:

  • That you're using Tor — your ISP can see your IP connecting to known Tor guard nodes
  • Your real IP from the first relay — the guard node knows who you are, but not what you're doing or where you're going

The 2024 German case exploited ISP-level visibility into guard node connections — combined with timing correlation over time, that was enough to identify the user despite Tor's anonymity guarantees. A VPN sitting between your ISP and Tor collapses that attack surface because the ISP never sees a guard node connection at all.


What Onion Over VPN Actually Changes

With VPN → Tor:

  • ISP sees: encrypted traffic to VPN server. Tor is invisible.
  • VPN provider sees: you connected, and that Tor is being used. Not what you're doing on Tor.
  • Tor guard node sees: VPN server's IP. Your real IP doesn't appear.

Threat protection:

  • ISP-level timing analysis on guard nodes: blocked
  • ISP flagging Tor users: blocked
  • Tor blocking (by network or jurisdiction): bypassed via VPN
  • Compromised guard node learning your IP: blocked

What it doesn't fix:

  • Exit node exposure for unencrypted traffic (use HTTPS destinations)
  • Timing correlation at upstream layers (harder with VPN, not impossible)
  • User-level mistakes: logging into identified accounts, sharing identifying information, or linking anonymous and identified activity in the same session
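
One way to check on Linux that the VPN → Tor ordering is actually in effect: the default route must leave through a VPN interface, and every socket owned by a local tor process must be bound to the tunnel address. This is an added example, not from the article; the interface name patterns, the process name "tor" and all sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). IPv4 only; all sample data is constructed.
# Live use on Linux (ss needs enough privilege to show process names):
#   check_onion_over_vpn "$(ip -4 route get 1.1.1.1)" "$(ss -4 -Htnp)"

# stdin: `ip -4 route get <addr>` output; $1: "dev" or "src". Prints that field.
route_field() {
    awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# stdin: `ss -Htnp` output; $1: tunnel source IP.
# Prints "local -> peer" for every established socket owned by a process named
# "tor" that is neither loopback (SOCKS clients) nor bound to the tunnel address.
tor_sockets_outside_tunnel() {
    awk -v tun="$1" '
        $1 == "ESTAB" && $NF ~ /\(\("tor",/ {
            ip = $4; sub(/:[0-9]+$/, "", ip)
            if (ip ~ /^127\./ || ip == tun) next
            print $4 " -> " $5
        }'
}

# $1: route output, $2: ss output. Echoes "no-tunnel", "leak" or "ok".
# Assumption: the VPN interface is named tun*, wg*, utun* or ppp*.
check_onion_over_vpn() {
    dev=$(printf '%s\n' "$1" | route_field dev)
    src=$(printf '%s\n' "$1" | route_field src)
    case "$dev" in
        tun*|wg*|utun*|ppp*) ;;
        *) echo "no-tunnel"; return 0 ;;
    esac
    if [ -n "$(printf '%s\n' "$2" | tor_sockets_outside_tunnel "$src")" ]; then
        echo "leak"
    else
        echo "ok"
    fi
}

# Constructed samples (documentation address ranges).
ROUTE_VPN='1.1.1.1 dev wg0 table 51820 src 10.2.0.2 uid 1000'
ROUTE_BARE='1.1.1.1 via 192.168.1.1 dev wlan0 src 192.168.1.50 uid 1000'
SS_OK='ESTAB 0 0 10.2.0.2:44210 192.0.2.10:9001 users:(("tor",pid=2211,fd=11))
ESTAB 0 0 127.0.0.1:9050 127.0.0.1:51122 users:(("tor",pid=2211,fd=14))
ESTAB 0 0 10.2.0.2:50100 198.51.100.7:443 users:(("firefox",pid=3001,fd=60))'
SS_LEAK=$SS_OK'
ESTAB 0 0 192.168.1.50:44300 203.0.113.5:443 users:(("tor",pid=2211,fd=12))'
check_onion_over_vpn "$ROUTE_VPN" "$SS_OK"     # tunnel up, tor inside it
check_onion_over_vpn "$ROUTE_VPN" "$SS_LEAK"   # a tor socket bypasses the tunnel
check_onion_over_vpn "$ROUTE_BARE" "$SS_OK"    # default route is not a tunnel
```

With a provider-side Tor server, where no local tor process runs, only the route check is meaningful.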

Onion Over VPN vs. Double VPN

These are different tools solving different problems.

Onion over VPN uses Tor's decentralized volunteer relay network. The middle and exit relays are run by volunteers globally, and no single relay knows both who you are and where you're going. The anonymity property comes from the distributed, layered routing.

Double VPN (or multi-hop VPN) routes traffic through two VPN servers run by the same or different providers. Both servers are under human control and subject to legal demands. You're adding a hop, but you're still trusting a centralized service.

For anonymity against surveillance, Onion over VPN is the stronger choice. Double VPN is faster and appropriate when you want to prevent your VPN provider from knowing your real location — for example, if you're in a jurisdiction where using certain VPN services is flagged.


Which VPNs Work Well with Tor

Not all VPN providers are suitable for this configuration. You need a provider whose no-logs claim has been tested, not just certified — the VPN provider becomes aware that you're a Tor user, which is sensitive information.

Proton VPN — the most integrated option. Proton offers 9 dedicated Tor-over-VPN servers that handle the routing automatically: connect normally, and traffic is routed through Tor without opening Tor Browser separately. Swiss jurisdiction, fourth consecutive no-logs infrastructure audit published August 2025 (Securitum). 59 legal data requests denied in 2025. €4.99/month entry.

Mullvad — no dedicated Tor servers, but standard Mullvad + Tor Browser works. In 2023, Swedish police executed a warrant at Mullvad's offices and left with nothing because no user data existed. Annual audits, €5/month, accepts Monero and cash, no email required to create an account.

For a full breakdown of which providers pass the trust tests and why, see "Are Commercial VPNs Still Trustworthy in 2026?". The VPN comparison table covers audit status, jurisdiction, and pricing side by side.


When It's Worth the Speed Hit

Onion over VPN is slower than either service alone — traffic is routed through additional hops, and Tor's volunteer network has variable latency globally. Expect browsing to feel like early-2000s internet on a slow day.

Use it when:

  • You need to hide that you're using Tor from your ISP or network
  • Tor is blocked in your jurisdiction or on your network and you can't reach bridges
  • You're a journalist, activist, or researcher whose Tor usage itself would be a red flag
  • You need the Tor guard node to see a VPN IP rather than your real IP

Don't use it when:

  • You just want general privacy or ISP protection — a VPN alone is faster and sufficient
  • Streaming, video calls, or any latency-sensitive use is involved
  • You're in an environment where VPN usage is also flagged — in that case, look at obfuscation tools (Shadowsocks, obfs4)

The companion piece "Should You Use a VPN with Tor?" covers the threat model breakdown by use case and includes the full context on the 2024 German timing analysis case.


The configuration protects against real, documented attacks. The tradeoff is speed, and the entry requirement is a VPN provider whose no-logs claim has been tested in court — not just certified by an auditor. Proton VPN and Mullvad are the two that meet that bar.
