In September 2024, German law enforcement publicly confirmed they had deanonymized a Tor user in a criminal case using traffic timing analysis — specifically, by watching which Tor guard nodes the suspect's ISP traffic was connecting to. The attack was ISP-level cooperation, not a Tor network compromise. A VPN before Tor would have blocked that exact correlation point.
That's the clearest real-world case yet for routing VPN traffic before Tor. But adding a VPN introduces a new party to trust — and most guides skip over how to evaluate that party correctly.
What you need to know:
- The 2024 German case confirmed ISP-level timing analysis is operational, not theoretical. Law enforcement monitored guard node connections at the ISP level to identify a Tor user over time.
- VPN before Tor blocks this: your ISP sees encrypted VPN traffic, not Tor guard node connections. The correlation point disappears.
- Order matters — VPN → Tor, not Tor → VPN. Reverse order exposes your Tor exit traffic to the VPN provider.
- Your VPN provider will know you're using Tor but not what you're doing on Tor. Use a provider with a court-tested, no-logs record — not just an audited one.
- This doesn't solve everything. Timing analysis remains theoretically possible at upstream network layers. User error (logging into identified accounts, sharing identifying information) de-anonymizes you regardless of configuration.
I've tested both VPN-before-Tor and Tor-alone configurations across different threat scenarios. The right setup depends on what you're protecting against.
How Tor Works and Where the ISP Can See You
Tor routes your traffic through three relays: a guard node (entry), a middle relay, and an exit node. Each relay knows only the preceding and following hop — not the full circuit. This is the anonymity guarantee.
The problem: your ISP can see that you're connecting to a Tor guard node. They don't know what you're doing inside Tor, but they can see the connection timing and destination. In the German case, law enforcement used that ISP-level visibility, combined with monitoring of long-running guard nodes, to run a timing correlation attack over an extended period. The suspect had used the same persistent Tor guard node for long enough that statistical correlation became possible.
This isn't a new attack class. Academic researchers have described timing correlation attacks on Tor for years. What changed in 2024 is public confirmation that it's an active, operational law enforcement technique — not a theoretical one.
VPN Before Tor: What It Actually Does
When you connect to a VPN before opening Tor:
- Your ISP sees only encrypted VPN traffic to your VPN provider's server. No guard node connections visible.
- The Tor guard node sees the VPN server's IP address, not yours.
- Your VPN provider knows you connected and that you're using Tor, but cannot see your Tor traffic.
When a VPN sits between your device and Tor, the ISP sees only encrypted traffic to the VPN server — no guard node connection to observe, so the timing correlation has nothing to measure.
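An added example, not code from the original article: a small audit of flow metadata captured on your own uplink, showing what an ISP-level observer can see in each configuration. The relay and VPN addresses are constructed documentation-range values, and the tunnel-drop case is an assumed failure mode that the article does not discuss.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample data: RFC 5737 documentation addresses, not real relays.
# In practice the guard set would come from the public Tor consensus.
GUARDS = {ip_address("192.0.2.10"), ip_address("192.0.2.77")}
VPN_SERVER = ip_address("198.51.100.5")  # hypothetical VPN endpoint

@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    dst: str     # destination IP as seen on the uplink
    nbytes: int

def isp_view(flows, guards=GUARDS, vpn=VPN_SERVER):
    """Summarise what an on-path observer learns from flow metadata alone."""
    direct = [f for f in flows if ip_address(f.dst) in guards]
    tunneled = [f for f in flows if ip_address(f.dst) == vpn]
    return {
        "tor_visible": bool(direct),
        "guard_contact_times": sorted(f.ts for f in direct),
        "vpn_bytes": sum(f.nbytes for f in tunneled),
    }

def audit(flows, guards=GUARDS, vpn=VPN_SERVER):
    """Classify a capture: 'tor-alone', 'vpn-only', 'leak' or 'no-tor-or-vpn'."""
    view = isp_view(flows, guards, vpn)
    if view["tor_visible"] and view["vpn_bytes"]:
        return "leak"        # tunnel was in use, yet a guard was contacted directly
    if view["tor_visible"]:
        return "tor-alone"   # guard contact times are exposed to the ISP
    return "vpn-only" if view["vpn_bytes"] else "no-tor-or-vpn"

# Three constructed captures of the same session.
TOR_ALONE = [Flow(0.0, "192.0.2.10", 4096), Flow(12.5, "192.0.2.10", 8192)]
VPN_THEN_TOR = [Flow(0.0, "198.51.100.5", 4200), Flow(12.5, "198.51.100.5", 8300)]
# Assumed failure mode: the tunnel drops at t=20 and Tor reconnects without it.
VPN_DROPPED = VPN_THEN_TOR + [Flow(20.1, "192.0.2.10", 4096)]

if __name__ == "__main__":
    for name, cap in [("tor alone", TOR_ALONE), ("vpn -> tor", VPN_THEN_TOR),
                      ("vpn dropped", VPN_DROPPED)]:
        print(f"{name:12} {audit(cap):10} {isp_view(cap)}")
```

In the `vpn-only` capture the list of guard contact times is empty, which is the article's point that the correlation has nothing to measure; a single direct flow after a tunnel drop puts a timestamp back in that list.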
What the VPN doesn't fix:
- Exit node exposure for non-HTTPS traffic (use HTTPS-only destinations)
- Timing analysis at upstream layers — a sufficiently resourced adversary monitoring both your VPN provider and Tor exit nodes could still attempt correlation, though this is significantly harder
- Operational security failures — logging into your real accounts, revealing identifying information, or using the same Tor session for both anonymous and identified activity
Who Should Actually Do This
If your concern is hiding Tor usage from your ISP — ISPs flag Tor traffic. Some throttle it. Some report it as part of law enforcement cooperation. VPN before Tor solves this cleanly. This is the most common and most practical reason to combine them.
If you're bypassing Tor blocks — in networks or jurisdictions where Tor is blocked, VPN before Tor often works where Tor bridges don't. It's the most reliable approach.
If you're a journalist, activist, or whistleblower — VPN before Tor with a court-tested provider is appropriate. Pair it with current Tor Browser, which has Vanguards-lite enabled by default to harden against guard discovery attacks. Operational security matters more than the technical setup.
For casual privacy users — Tor alone is sufficient unless you specifically want to hide Tor usage from your ISP. The VPN adds complexity and a new trust relationship.
Against state-level adversaries with ISP cooperation — technical tools are necessary but not sufficient. Reducing electronic footprint and limiting identifiable activity patterns matters as much as the routing configuration.
Which VPN to Use with Tor
Adding a VPN to Tor is only worthwhile if the VPN provider has demonstrated — not just claimed — that they don't log. The standard to look for: independent infrastructure audits conducted annually, and at least one real law enforcement encounter where the provider handed over nothing.
Proton VPN — Swiss jurisdiction, fourth consecutive no-logs infrastructure audit published August 2025 (Securitum). 59 legally binding data requests received in 2025; all 59 denied under Swiss law. Offers 9 dedicated Tor-over-VPN servers that route traffic automatically. €4.99/month entry.
Mullvad — Swedish jurisdiction. In April 2023, Swedish police executed a search warrant at Mullvad's offices looking for subscriber data. They left with nothing because none existed. Annual audits, accepts Monero and cash, no email required to sign up. €5/month flat. Supports VPN → Tor configuration.
Both providers are covered in more detail in "Are Commercial VPNs Still Trustworthy in 2026?" and the full VPN comparison.
Why "Tor Before VPN" Is Usually Wrong
The reverse configuration — Tor first, then VPN — is less common and serves a narrow use case. Your traffic exits through a Tor exit node before hitting the VPN, meaning the VPN provider sees Tor exit traffic rather than your real IP. This is mainly useful if you want your destination to see a VPN IP rather than a Tor exit IP.
The problem: you're now trusting the VPN provider with your exit traffic, which is typically the less trustworthy endpoint. Your ISP can still see that you're connecting to Tor. Most people who think they want this configuration actually want VPN → Tor.
VPN before Tor is the right call if you're concerned about ISP-level visibility into your Tor usage. The 2024 German case made that a documented threat, not a theoretical one. Pick a provider that's been tested by law enforcement and passed — not just audited — and the configuration is solid. How this compares to running Onion over VPN using Proton VPN's dedicated servers is covered separately.